helium-3rd-party/meta-openembedded
1
0
Fork 0
mirror of git://git.openembedded.org/meta-openembedded synced 2026-05-22 01:09:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

poppler: fix CVE-2024-56378

Browse Source 
libpoppler.so in Poppler through 24.12.0 has an out-of-bounds
read vulnerability within the JBIG2Bitmap::combine function
in JBIG2Stream.cc.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-56378

Upstream patch:
ade9b5ebed

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
Yogita Urade 2025-01-09 12:25:27 +00:00 committed by Armin Kuster
parent e9e496dc64
commit ff5e933e58
2 changed files with 79 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
meta-oe/recipes-support/poppler/poppler/CVE-2024-56378.patch Normal file
View File

@ -0,0 +1,78 @@
From ade9b5ebed44b0c15522c27669ef6cdf93eff84e Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Tue, 17 Dec 2024 18:59:01 +0100
Subject: [PATCH] JBIG2Bitmap::combine: Fix crash on malformed files
Fixes #1553
CVE: CVE-2024-56378
Upstream-Status: Backport [https://gitlab.freedesktop.org/poppler/poppler/-/commit/ade9b5ebed44b0c15522c27669ef6cdf93eff84e]
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
---
poppler/JBIG2Stream.cc | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index 2276b5c..b9a62e1 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -762,7 +762,7 @@ void JBIG2Bitmap::duplicateRow(int yDest, int ySrc)
void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp)
{
- int x0, x1, y0, y1, xx, yy;
+ int x0, x1, y0, y1, xx, yy, yyy;
unsigned char *srcPtr, *destPtr;
unsigned int src0, src1, src, dest, s1, s2, m1, m2, m3;
bool oneByte;
@@ -809,14 +809,17 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp
oneByte = x0 == ((x1 - 1) & ~7);
for (yy = y0; yy < y1; ++yy) {
- if (unlikely((y + yy >= h) || (y + yy < 0))) {
+ if (unlikely(checkedAdd(y, yy, &yyy))) {
+ continue;
+ }
+ if (unlikely((yyy >= h) || (yyy < 0))) {
continue;
}
// one byte per line -- need to mask both left and right side
if (oneByte) {
if (x >= 0) {
- destPtr = data + (y + yy) * line + (x >> 3);
+ destPtr = data + yyy * line + (x >> 3);
srcPtr = bitmap->data + yy * bitmap->line;
dest = *destPtr;
src1 = *srcPtr;
@@ -839,7 +842,7 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp
}
*destPtr = dest;
} else {
- destPtr = data + (y + yy) * line;
+ destPtr = data + yyy * line;
srcPtr = bitmap->data + yy * bitmap->line + (-x >> 3);
dest = *destPtr;
src1 = *srcPtr;
@@ -869,7 +872,7 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp
// left-most byte
if (x >= 0) {
- destPtr = data + (y + yy) * line + (x >> 3);
+ destPtr = data + yyy * line + (x >> 3);
srcPtr = bitmap->data + yy * bitmap->line;
src1 = *srcPtr++;
dest = *destPtr;
@@ -893,7 +896,7 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp
*destPtr++ = dest;
xx = x0 + 8;
} else {
- destPtr = data + (y + yy) * line;
+ destPtr = data + yyy * line;
srcPtr = bitmap->data + yy * bitmap->line + (-x >> 3);
src1 = *srcPtr++;
xx = x0;
--
2.40.0

1
meta-oe/recipes-support/poppler/poppler_22.04.0.bb
View File

@ -10,6 +10,7 @@ SRC_URI = "http://poppler.freedesktop.org/${BP}.tar.xz \
file://CVE-2023-34872.patch \
file://CVE-2024-6239-0001.patch \
file://CVE-2024-6239-0002.patch \
file://CVE-2024-56378.patch \
"
SRC_URI[sha256sum] = "813fb4b90e7bda63df53205c548602bae728887a60f4048aae4dbd9b1927deff"