diff mbox series

[meta-oe,kirkstone,2/2] poppler: fix CVE-2024-56378

Message ID 20250109122527.2043624-2-yogita.urade@windriver.com
State New
Headers show
Series [meta-oe,kirkstone,1/2] poppler: fix CVE-2024-6239 | expand

Commit Message

yurade Jan. 9, 2025, 12:25 p.m. UTC 
From: Yogita Urade <yogita.urade@windriver.com>

libpoppler.so in Poppler through 24.12.0 has an out-of-bounds
read vulnerability within the JBIG2Bitmap::combine function
in JBIG2Stream.cc.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-56378

Upstream patch:
https://gitlab.freedesktop.org/poppler/poppler/-/commit/ade9b5ebed44b0c15522c27669ef6cdf93eff84e

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
 .../poppler/poppler/CVE-2024-56378.patch      | 78 +++++++++++++++++++
 .../poppler/poppler_22.04.0.bb                |  1 +
 2 files changed, 79 insertions(+)
 create mode 100644 meta-oe/recipes-support/poppler/poppler/CVE-2024-56378.patch
diff mbox series

Patch

diff --git a/meta-oe/recipes-support/poppler/poppler/CVE-2024-56378.patch b/meta-oe/recipes-support/poppler/poppler/CVE-2024-56378.patch
new file mode 100644
index 000000000..9f6970241
--- /dev/null
+++ b/meta-oe/recipes-support/poppler/poppler/CVE-2024-56378.patch
@@ -0,0 +1,78 @@ 
+From ade9b5ebed44b0c15522c27669ef6cdf93eff84e Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Tue, 17 Dec 2024 18:59:01 +0100
+Subject: [PATCH] JBIG2Bitmap::combine: Fix crash on malformed files
+
+Fixes #1553
+
+CVE: CVE-2024-56378
+Upstream-Status: Backport [https://gitlab.freedesktop.org/poppler/poppler/-/commit/ade9b5ebed44b0c15522c27669ef6cdf93eff84e]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ poppler/JBIG2Stream.cc | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
+index 2276b5c..b9a62e1 100644
+--- a/poppler/JBIG2Stream.cc
++++ b/poppler/JBIG2Stream.cc
+@@ -762,7 +762,7 @@ void JBIG2Bitmap::duplicateRow(int yDest, int ySrc)
+ 
+ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp)
+ {
+-    int x0, x1, y0, y1, xx, yy;
++    int x0, x1, y0, y1, xx, yy, yyy;
+     unsigned char *srcPtr, *destPtr;
+     unsigned int src0, src1, src, dest, s1, s2, m1, m2, m3;
+     bool oneByte;
+@@ -809,14 +809,17 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp
+     oneByte = x0 == ((x1 - 1) & ~7);
+ 
+     for (yy = y0; yy < y1; ++yy) {
+-        if (unlikely((y + yy >= h) || (y + yy < 0))) {
++        if (unlikely(checkedAdd(y, yy, &yyy))) {
++            continue;
++        }
++        if (unlikely((yyy >= h) || (yyy < 0))) {
+             continue;
+         }
+ 
+         // one byte per line -- need to mask both left and right side
+         if (oneByte) {
+             if (x >= 0) {
+-                destPtr = data + (y + yy) * line + (x >> 3);
++                destPtr = data + yyy * line + (x >> 3);
+                 srcPtr = bitmap->data + yy * bitmap->line;
+                 dest = *destPtr;
+                 src1 = *srcPtr;
+@@ -839,7 +842,7 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp
+                 }
+                 *destPtr = dest;
+             } else {
+-                destPtr = data + (y + yy) * line;
++                destPtr = data + yyy * line;
+                 srcPtr = bitmap->data + yy * bitmap->line + (-x >> 3);
+                 dest = *destPtr;
+                 src1 = *srcPtr;
+@@ -869,7 +872,7 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp
+ 
+             // left-most byte
+             if (x >= 0) {
+-                destPtr = data + (y + yy) * line + (x >> 3);
++                destPtr = data + yyy * line + (x >> 3);
+                 srcPtr = bitmap->data + yy * bitmap->line;
+                 src1 = *srcPtr++;
+                 dest = *destPtr;
+@@ -893,7 +896,7 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp
+                 *destPtr++ = dest;
+                 xx = x0 + 8;
+             } else {
+-                destPtr = data + (y + yy) * line;
++                destPtr = data + yyy * line;
+                 srcPtr = bitmap->data + yy * bitmap->line + (-x >> 3);
+                 src1 = *srcPtr++;
+                 xx = x0;
+-- 
+2.40.0
+
diff --git a/meta-oe/recipes-support/poppler/poppler_22.04.0.bb b/meta-oe/recipes-support/poppler/poppler_22.04.0.bb
index f49571caa..af6ee6749 100644
--- a/meta-oe/recipes-support/poppler/poppler_22.04.0.bb
+++ b/meta-oe/recipes-support/poppler/poppler_22.04.0.bb
@@ -10,6 +10,7 @@  SRC_URI = "http://poppler.freedesktop.org/${BP}.tar.xz \
            file://CVE-2023-34872.patch \
            file://CVE-2024-6239-0001.patch \
            file://CVE-2024-6239-0002.patch \
+           file://CVE-2024-56378.patch \
            "
 SRC_URI[sha256sum] = "813fb4b90e7bda63df53205c548602bae728887a60f4048aae4dbd9b1927deff"