poppler: fix CVE-2025-32365

Poppler before 25.04.0 allows crafted input files to trigger out-of-bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc because of a misplaced isOk check. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-32365 Upstream patch: https://gitlab.freedesktop.org/poppler/poppler/-/commit/1f151565bbca5be7449ba8eea6833051cc1baa41 Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Yogita Urade <yogita.urade@windriver.com> 2025-04-21 10:39:09 +0000
committer: Armin Kuster <akuster808@gmail.com> 2025-05-25 14:48:33 -0400
commit: 4c87bd7b937a0ab585352a3f3fb193d693106ed7 (patch)
tree: 3d89c52e10d5cd2895d9401857c245c1171b24fe
parent: 84fc57bacc8f609259c55f4ae4ab6ebd95a5ef4e (diff)
download: meta-openembedded-4c87bd7b937a0ab585352a3f3fb193d693106ed7.tar.gz
2 files changed, 42 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/poppler/poppler/CVE-2025-32365.patch b/meta-oe/recipes-support/poppler/poppler/CVE-2025-32365.patch
new file mode 100644
index 0000000000..d8cda9c1c3
--- /dev/null
+++ b/meta-oe/recipes-support/poppler/poppler/CVE-2025-32365.patch
@@ -0,0 +1,41 @@
+From 1f151565bbca5be7449ba8eea6833051cc1baa41 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Mon, 31 Mar 2025 14:35:49 +0200
+Subject: [PATCH] Move isOk check to inside JBIG2Bitmap::combine
+CVE: CVE-2025-32365
+Upstream-Status: Backport [https://gitlab.freedesktop.org/poppler/poppler/-/commit/1f151565bbca5be7449ba8eea6833051cc1baa41]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ poppler/JBIG2Stream.cc | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
+index b9a62e1..9cc3b82 100644
+--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
+@@ -767,6 +767,10 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp
+     unsigned int src0, src1, src, dest, s1, s2, m1, m2, m3;
+     bool oneByte;
+    if (unlikely(!isOk())) {
+        return;
+    }
+
+     // check for the pathological case where y = -2^31
+     if (y < -0x7fffffff) {
+         return;
+@@ -2198,9 +2202,7 @@ void JBIG2Stream::readTextRegionSeg(unsigned int segNum, bool imm, bool lossless
+             if (pageH == 0xffffffff && y + h > curPageH) {
+                 pageBitmap->expand(y + h, pageDefPixel);
+             }
+-            if (pageBitmap->isOk()) {
+-                pageBitmap->combine(bitmap.get(), x, y, extCombOp);
+-            }
+            pageBitmap->combine(bitmap.get(), x, y, extCombOp);
+             // store the region bitmap
+         } else {
+--
+2.40.0
diff --git a/meta-oe/recipes-support/poppler/poppler_22.04.0.bb b/meta-oe/recipes-support/poppler/poppler_22.04.0.bb
index 2bbf542eaa..494308b8a5 100644
--- a/meta-oe/recipes-support/poppler/poppler_22.04.0.bb
+++ b/meta-oe/recipes-support/poppler/poppler_22.04.0.bb
@@ -12,6 +12,7 @@ SRC_URI = "http://poppler.freedesktop.org/${BP}.tar.xz \
           file://CVE-2024-6239-0002.patch \
           file://CVE-2024-56378.patch \
           file://CVE-2025-32364.patch \
+           file://CVE-2025-32365.patch \
           "
 SRC_URI[sha256sum] = "813fb4b90e7bda63df53205c548602bae728887a60f4048aae4dbd9b1927deff"
author	Yogita Urade <yogita.urade@windriver.com>	2025-04-21 10:39:09 +0000
committer	Armin Kuster <akuster808@gmail.com>	2025-05-25 14:48:33 -0400
commit	4c87bd7b937a0ab585352a3f3fb193d693106ed7 (patch)
tree	3d89c52e10d5cd2895d9401857c245c1171b24fe
parent	84fc57bacc8f609259c55f4ae4ab6ebd95a5ef4e (diff)
download	meta-openembedded-4c87bd7b937a0ab585352a3f3fb193d693106ed7.tar.gz

diff --git a/meta-oe/recipes-support/poppler/poppler/CVE-2025-32365.patch b/meta-oe/recipes-support/poppler/poppler/CVE-2025-32365.patch new file mode 100644 index 0000000000..d8cda9c1c3 --- /dev/null +++ b/meta-oe/recipes-support/poppler/poppler/CVE-2025-32365.patch
@@ -0,0 +1,41 @@
		1	From 1f151565bbca5be7449ba8eea6833051cc1baa41 Mon Sep 17 00:00:00 2001
		2	From: Albert Astals Cid <aacid@kde.org>
		3	Date: Mon, 31 Mar 2025 14:35:49 +0200
		4	Subject: [PATCH] Move isOk check to inside JBIG2Bitmap::combine
		5
		6	CVE: CVE-2025-32365
		7	Upstream-Status: Backport [https://gitlab.freedesktop.org/poppler/poppler/-/commit/1f151565bbca5be7449ba8eea6833051cc1baa41]
		8
		9	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		10	---
		11	poppler/JBIG2Stream.cc \| 8 +++++---
		12	1 file changed, 5 insertions(+), 3 deletions(-)
		13
		14	diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
		15	index b9a62e1..9cc3b82 100644
		16	--- a/poppler/JBIG2Stream.cc
		17	+++ b/poppler/JBIG2Stream.cc
		18	@@ -767,6 +767,10 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp
		19	unsigned int src0, src1, src, dest, s1, s2, m1, m2, m3;
		20	bool oneByte;
		21
		22	+ if (unlikely(!isOk())) {
		23	+ return;
		24	+ }
		25	+
		26	// check for the pathological case where y = -2^31
		27	if (y < -0x7fffffff) {
		28	return;
		29	@@ -2198,9 +2202,7 @@ void JBIG2Stream::readTextRegionSeg(unsigned int segNum, bool imm, bool lossless
		30	if (pageH == 0xffffffff && y + h > curPageH) {
		31	pageBitmap->expand(y + h, pageDefPixel);
		32	}
		33	- if (pageBitmap->isOk()) {
		34	- pageBitmap->combine(bitmap.get(), x, y, extCombOp);
		35	- }
		36	+ pageBitmap->combine(bitmap.get(), x, y, extCombOp);
		37
		38	// store the region bitmap
		39	} else {
		40	--
		41	2.40.0


diff --git a/meta-oe/recipes-support/poppler/poppler_22.04.0.bb b/meta-oe/recipes-support/poppler/poppler_22.04.0.bb index 2bbf542eaa..494308b8a5 100644 --- a/meta-oe/recipes-support/poppler/poppler_22.04.0.bb +++ b/meta-oe/recipes-support/poppler/poppler_22.04.0.bb
@@ -12,6 +12,7 @@ SRC_URI = "http://poppler.freedesktop.org/${BP}.tar.xz \
12	file://CVE-2024-6239-0002.patch \	12	file://CVE-2024-6239-0002.patch \
13	file://CVE-2024-56378.patch \	13	file://CVE-2024-56378.patch \
14	file://CVE-2025-32364.patch \	14	file://CVE-2025-32364.patch \
		15	file://CVE-2025-32365.patch \
15	"	16	"
16	SRC_URI[sha256sum] = "813fb4b90e7bda63df53205c548602bae728887a60f4048aae4dbd9b1927deff"	17	SRC_URI[sha256sum] = "813fb4b90e7bda63df53205c548602bae728887a60f4048aae4dbd9b1927deff"
17		18