projects / poppler.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ad97fee)
CVE-2025-52886
authorDebian freedesktop.org maintainers <pkg-freedesktop-maintainers@lists.alioth.debian.org>
Mon, 28 Jul 2025 08:55:12 +0000 (10:55 +0200)
committerJeremy Bícha <jbicha@ubuntu.com>
Mon, 28 Jul 2025 08:55:12 +0000 (10:55 +0200)
Backport of:

Backport of:

From ac36affcc8486de38e8905a8d6547a3464ff46e5 Mon Sep 17 00:00:00 2001
From: Sune Vuorela <sune@vuorela.dk>
Date: Tue, 3 Jun 2025 00:35:19 +0200
Subject: [PATCH] Limit ammount of annots per document/page

Gbp-Pq: Name CVE-2025-52886.patch

poppler/Annot.cc patch | blob | history
poppler/Page.cc patch | blob | history

diff --git a/poppler/Annot.cc b/poppler/Annot.cc
index 35a4e1cb4f3fcea7b5f61cbb2eedc3322d631e23..35f292bba114d5a569d6b3f2147963d35e57a1c7 100644 (file)
--- a/poppler/Annot.cc
+++ b/poppler/Annot.cc
@@ -7479,6 +7479,10 @@ Annots::Annots(PDFDoc *docA, int page, Object *annotsObj)
                 const Object &obj2 = annotsObj->arrayGetNF(i);
                 annot = createAnnot(std::move(obj1), &obj2);
                 if (annot) {
+                    if (annot->refCnt > 100000) {
+                        error(errSyntaxError, -1, "Annotations likely malformed. Too many references. Stopping processing annots on page {0:d}", page);
+                        break;
+                    }
                     if (annot->isOk()) {
                         annot->setPage(page, false); // Don't change /P
                         appendAnnot(annot);
diff --git a/poppler/Page.cc b/poppler/Page.cc
index 90681bc1b3a71a9aeff75478b53fb17d9023cd55..33b98f95cd7934a4c03a82f08494b2635cf32369 100644 (file)
--- a/poppler/Page.cc
+++ b/poppler/Page.cc
@@ -297,6 +297,22 @@ Page::Page(PDFDoc *docA, int numA, Object &&pageDict, Ref pageRefA, std::unique_
         goto err2;
     }
 
+    if (annotsObj.isArray() && annotsObj.arrayGetLength() > 10000) {
+        error(errSyntaxError, -1, "Page annotations object (page {0:d}) is likely malformed. Too big: ({1:d})", num, annotsObj.arrayGetLength());
+        goto err2;
+    }
+    if (annotsObj.isRef()) {
+        auto resolvedObj = getAnnotsObject();
+        if (resolvedObj.isArray() && resolvedObj.arrayGetLength() > 10000) {
+            error(errSyntaxError, -1, "Page annotations object (page {0:d}) is likely malformed. Too big: ({1:d})", num, resolvedObj.arrayGetLength());
+            goto err2;
+        }
+        if (!resolvedObj.isArray() && !resolvedObj.isNull()) {
+            error(errSyntaxError, -1, "Page annotations object (page {0:d}) is wrong type ({1:s})", num, resolvedObj.getTypeName());
+            goto err2;
+        }
+    }
+
     // contents
     contents = pageObj.dictLookupNF("Contents").copy();
     if (!(contents.isRef() || contents.isArray() || contents.isNull())) {
Unnamed repository; edit this file 'description' to name the repository.