poppler: fix CVE-2025-32365

Poppler before 25.04.0 allows crafted input files to trigger out-of-bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc because of a misplaced isOk check. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-32365 Upstream patch: https://gitlab.freedesktop.org/poppler/poppler/-/commit/1f151565bbca5be7449ba8eea6833051cc1baa41 Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Yogita Urade <yogita.urade@windriver.com> 2025-04-17 11:23:53 +0000
committer: Armin Kuster <akuster808@gmail.com> 2025-05-17 12:20:27 -0600
commit: a0b54655b573eb627ba4cb7453ce8f856e4cbe33 (patch)
tree: 96dfab663c1cd959653ba507492f7ee83352251b
parent: 7c900fa798cfd8cc10c4ed41f7f025fc03b8fbc7 (diff)
download: meta-openembedded-a0b54655b573eb627ba4cb7453ce8f856e4cbe33.tar.gz
2 files changed, 42 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/poppler/poppler/CVE-2025-32365.patch b/meta-oe/recipes-support/poppler/poppler/CVE-2025-32365.patch
new file mode 100644
index 0000000000..703a69fc95
--- /dev/null
+++ b/meta-oe/recipes-support/poppler/poppler/CVE-2025-32365.patch
@@ -0,0 +1,41 @@
+From 1f151565bbca5be7449ba8eea6833051cc1baa41 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Mon, 31 Mar 2025 14:35:49 +0200
+Subject: [PATCH] Move isOk check to inside JBIG2Bitmap::combine
+CVE: CVE-2025-32365
+Upstream-Status: Backport [https://gitlab.freedesktop.org/poppler/poppler/-/commit/1f151565bbca5be7449ba8eea6833051cc1baa41]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ poppler/JBIG2Stream.cc | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
+index bdc51d0..2974493 100644
+--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
+@@ -770,6 +770,10 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp
+     unsigned int src0, src1, src, dest, s1, s2, m1, m2, m3;
+     bool oneByte;
+    if (unlikely(!isOk())) {
+        return;
+    }
+
+     // check for the pathological case where y = -2^31
+     if (y < -0x7fffffff) {
+         return;
+@@ -2200,9 +2204,7 @@ void JBIG2Stream::readTextRegionSeg(unsigned int segNum, bool imm, bool lossless
+             if (pageH == 0xffffffff && y + h > curPageH) {
+                 pageBitmap->expand(y + h, pageDefPixel);
+             }
+-            if (pageBitmap->isOk()) {
+-                pageBitmap->combine(bitmap.get(), x, y, extCombOp);
+-            }
+            pageBitmap->combine(bitmap.get(), x, y, extCombOp);
+             // store the region bitmap
+         } else {
+--
+2.40.0
diff --git a/meta-oe/recipes-support/poppler/poppler_23.04.0.bb b/meta-oe/recipes-support/poppler/poppler_23.04.0.bb
index e68fe151e9..8760a0e17e 100644
--- a/meta-oe/recipes-support/poppler/poppler_23.04.0.bb
+++ b/meta-oe/recipes-support/poppler/poppler_23.04.0.bb
@@ -13,6 +13,7 @@ SRC_URI = "http://poppler.freedesktop.org/${BP}.tar.xz \
           file://CVE-2024-6239-0002.patch \
           file://CVE-2024-56378.patch \
           file://CVE-2025-32364.patch \
+           file://CVE-2025-32365.patch \
           "
 SRC_URI[sha256sum] = "b6d893dc7dcd4138b9e9df59a13c59695e50e80dc5c2cacee0674670693951a1"
author	Yogita Urade <yogita.urade@windriver.com>	2025-04-17 11:23:53 +0000
committer	Armin Kuster <akuster808@gmail.com>	2025-05-17 12:20:27 -0600
commit	a0b54655b573eb627ba4cb7453ce8f856e4cbe33 (patch)
tree	96dfab663c1cd959653ba507492f7ee83352251b
parent	7c900fa798cfd8cc10c4ed41f7f025fc03b8fbc7 (diff)
download	meta-openembedded-a0b54655b573eb627ba4cb7453ce8f856e4cbe33.tar.gz

diff --git a/meta-oe/recipes-support/poppler/poppler/CVE-2025-32365.patch b/meta-oe/recipes-support/poppler/poppler/CVE-2025-32365.patch new file mode 100644 index 0000000000..703a69fc95 --- /dev/null +++ b/meta-oe/recipes-support/poppler/poppler/CVE-2025-32365.patch
@@ -0,0 +1,41 @@
		1	From 1f151565bbca5be7449ba8eea6833051cc1baa41 Mon Sep 17 00:00:00 2001
		2	From: Albert Astals Cid <aacid@kde.org>
		3	Date: Mon, 31 Mar 2025 14:35:49 +0200
		4	Subject: [PATCH] Move isOk check to inside JBIG2Bitmap::combine
		5
		6	CVE: CVE-2025-32365
		7	Upstream-Status: Backport [https://gitlab.freedesktop.org/poppler/poppler/-/commit/1f151565bbca5be7449ba8eea6833051cc1baa41]
		8
		9	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		10	---
		11	poppler/JBIG2Stream.cc \| 8 +++++---
		12	1 file changed, 5 insertions(+), 3 deletions(-)
		13
		14	diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
		15	index bdc51d0..2974493 100644
		16	--- a/poppler/JBIG2Stream.cc
		17	+++ b/poppler/JBIG2Stream.cc
		18	@@ -770,6 +770,10 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp
		19	unsigned int src0, src1, src, dest, s1, s2, m1, m2, m3;
		20	bool oneByte;
		21
		22	+ if (unlikely(!isOk())) {
		23	+ return;
		24	+ }
		25	+
		26	// check for the pathological case where y = -2^31
		27	if (y < -0x7fffffff) {
		28	return;
		29	@@ -2200,9 +2204,7 @@ void JBIG2Stream::readTextRegionSeg(unsigned int segNum, bool imm, bool lossless
		30	if (pageH == 0xffffffff && y + h > curPageH) {
		31	pageBitmap->expand(y + h, pageDefPixel);
		32	}
		33	- if (pageBitmap->isOk()) {
		34	- pageBitmap->combine(bitmap.get(), x, y, extCombOp);
		35	- }
		36	+ pageBitmap->combine(bitmap.get(), x, y, extCombOp);
		37
		38	// store the region bitmap
		39	} else {
		40	--
		41	2.40.0


diff --git a/meta-oe/recipes-support/poppler/poppler_23.04.0.bb b/meta-oe/recipes-support/poppler/poppler_23.04.0.bb index e68fe151e9..8760a0e17e 100644 --- a/meta-oe/recipes-support/poppler/poppler_23.04.0.bb +++ b/meta-oe/recipes-support/poppler/poppler_23.04.0.bb
@@ -13,6 +13,7 @@ SRC_URI = "http://poppler.freedesktop.org/${BP}.tar.xz \
13	file://CVE-2024-6239-0002.patch \	13	file://CVE-2024-6239-0002.patch \
14	file://CVE-2024-56378.patch \	14	file://CVE-2024-56378.patch \
15	file://CVE-2025-32364.patch \	15	file://CVE-2025-32364.patch \
		16	file://CVE-2025-32365.patch \
16	"	17	"
17	SRC_URI[sha256sum] = "b6d893dc7dcd4138b9e9df59a13c59695e50e80dc5c2cacee0674670693951a1"	18	SRC_URI[sha256sum] = "b6d893dc7dcd4138b9e9df59a13c59695e50e80dc5c2cacee0674670693951a1"
18		19