0001-JBIG2Stream-Fix-crash-on-broken-file.patch (revision 4882a59341e53eb6f0b4789bf948001014eff981) - OpenGrok cross reference for /OK3568_Linux_fs/yocto/meta-openembedded/meta-oe/recipes-support/poppler/poppler/0001-JBIG2Stream-Fix-crash-on-broken-file.patch

From 27354e9d9696ee2bc063910a6c9a6b27c5184a52 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Thu, 25 Aug 2022 00:14:22 +0200
Subject: [PATCH] JBIG2Stream: Fix crash on broken file

https://github.com/jeffssh/CVE-2021-30860

Thanks to David Warren for the heads up

CVE: CVE-2021-30860

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-30860

Upstream-Status: Backport
[https://gitlab.freedesktop.org/poppler/poppler/-/commit/27354e9d9696ee2bc063910a6c9a6b27c5184a52]

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
 poppler/JBIG2Stream.cc | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index 662276e5..9f70431d 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -1976,7 +1976,11 @@ void JBIG2Stream::readTextRegionSeg(unsigned int segNum, bool imm, bool lossless
     for (i = 0; i < nRefSegs; ++i) {
         if ((seg = findSegment(refSegs[i]))) {
             if (seg->getType() == jbig2SegSymbolDict) {
-                numSyms += ((JBIG2SymbolDict *)seg)->getSize();
+                const unsigned int segSize = ((JBIG2SymbolDict *)seg)->getSize();
+                if (unlikely(checkedAdd(numSyms, segSize, &numSyms))) {
+                    error(errSyntaxError, getPos(), "Too many symbols in JBIG2 text region");
+                    return;
+                }
             } else if (seg->getType() == jbig2SegCodeTable) {
                 codeTables.push_back(seg);
             }
--
2.25.1