!130 [sync] PR-129: fix CVE-2025-43903

From: @openeuler-sync-bot 
Reviewed-by: @weidongkl 
Signed-off-by: @weidongkl

.gitattributes

@@ -0,0 +1 @@
+*.xz filter=lfs diff=lfs merge=lfs -text

.lfsconfig

@@ -0,0 +1,2 @@
+[lfs]
+	url = https://artlfs.openeuler.openatom.cn/src-openEuler/poppler

backport-CVE-2024-56378.patch

@@ -0,0 +1,73 @@
+From ade9b5ebed44b0c15522c27669ef6cdf93eff84e Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Tue, 17 Dec 2024 18:59:01 +0100
+Subject: [PATCH] JBIG2Bitmap::combine: Fix crash on malformed files
+
+Fixes #1553
+---
+ poppler/JBIG2Stream.cc | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
+index f482a123f..b2f96e149 100644
+--- a/poppler/JBIG2Stream.cc
++++ b/poppler/JBIG2Stream.cc
+@@ -762,7 +762,7 @@ void JBIG2Bitmap::duplicateRow(int yDest, int ySrc)
+ 
+ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp)
+ {
+-    int x0, x1, y0, y1, xx, yy;
++    int x0, x1, y0, y1, xx, yy, yyy;
+     unsigned char *srcPtr, *destPtr;
+     unsigned int src0, src1, src, dest, s1, s2, m1, m2, m3;
+     bool oneByte;
+@@ -809,14 +809,17 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp
+     oneByte = x0 == ((x1 - 1) & ~7);
+ 
+     for (yy = y0; yy < y1; ++yy) {
+-        if (unlikely((y + yy >= h) || (y + yy < 0))) {
++        if (unlikely(checkedAdd(y, yy, &yyy))) {
++            continue;
++        }
++        if (unlikely((yyy >= h) || (yyy < 0))) {
+             continue;
+         }
+ 
+         // one byte per line -- need to mask both left and right side
+         if (oneByte) {
+             if (x >= 0) {
+-                destPtr = data + (y + yy) * line + (x >> 3);
++                destPtr = data + yyy * line + (x >> 3);
+                 srcPtr = bitmap->data + yy * bitmap->line;
+                 dest = *destPtr;
+                 src1 = *srcPtr;
+@@ -839,7 +842,7 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp
+                 }
+                 *destPtr = dest;
+             } else {
+-                destPtr = data + (y + yy) * line;
++                destPtr = data + yyy * line;
+                 srcPtr = bitmap->data + yy * bitmap->line + (-x >> 3);
+                 dest = *destPtr;
+                 src1 = *srcPtr;
+@@ -869,7 +872,7 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp
+ 
+             // left-most byte
+             if (x >= 0) {
+-                destPtr = data + (y + yy) * line + (x >> 3);
++                destPtr = data + yyy * line + (x >> 3);
+                 srcPtr = bitmap->data + yy * bitmap->line;
+                 src1 = *srcPtr++;
+                 dest = *destPtr;
+@@ -893,7 +896,7 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp
+                 *destPtr++ = dest;
+                 xx = x0 + 8;
+             } else {
+-                destPtr = data + (y + yy) * line;
++                destPtr = data + yyy * line;
+                 srcPtr = bitmap->data + yy * bitmap->line + (-x >> 3);
+                 src1 = *srcPtr++;
+                 xx = x0;
+-- 
+GitLab
+

backport-CVE-2024-6239.patch

@@ -0,0 +1,112 @@
+From 0554731052d1a97745cb179ab0d45620589dd9c4 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Fri, 7 Jun 2024 00:54:55 +0200
+Subject: [PATCH] pdfinfo: Fix crash in broken documents when using -dests
+
+Reference:https://gitlab.freedesktop.org/poppler/poppler/-/commit/0554731052d1a97745cb179ab0d45620589dd9c4
+Conflict:adapt context and patch line numbers
+---
+ utils/pdfinfo.cc | 35 +++++++++++++++--------------------
+ 1 file changed, 15 insertions(+), 20 deletions(-)
+
+diff --git a/utils/pdfinfo.cc b/utils/pdfinfo.cc
+index 5d37ef64f..7d569749b 100644
+--- a/utils/pdfinfo.cc
++++ b/utils/pdfinfo.cc
+@@ -15,7 +15,7 @@
+ // under GPL version 2 or later
+ //
+ // Copyright (C) 2006 Dom Lachowicz <cinamod@hotmail.com>
+-// Copyright (C) 2007-2010, 2012, 2016-2022 Albert Astals Cid <aacid@kde.org>
++// Copyright (C) 2007-2010, 2012, 2016-2022, 2024 Albert Astals Cid <aacid@kde.org>
+ // Copyright (C) 2010 Hib Eris <hib@hiberis.nl>
+ // Copyright (C) 2011 Vittal Aithal <vittal.aithal@cognidox.com>
+ // Copyright (C) 2012, 2013, 2016-2018, 2021 Adrian Johnson <ajohnson@redneon.com>
+@@ -112,18 +112,23 @@ static const ArgDesc argDesc[] = { { "-f", argInt, &firstPage, 0, "first page to
+                                    { "-?", argFlag, &printHelp, 0, "print usage information" },
+                                    {} };
+ 
+-static void printTextString(const GooString *s, const UnicodeMap *uMap)
++static void printStdTextString(const std::string &s, const UnicodeMap *uMap)
+ {
+     Unicode *u;
+     char buf[8];
+-    int len = TextStringToUCS4(s->toStr(), &u);
++    int len = TextStringToUCS4(s, &u);
+     for (int i = 0; i < len; i++) {
+         int n = uMap->mapUnicode(u[i], buf, sizeof(buf));
+         fwrite(buf, 1, n, stdout);
+     }
+     gfree(u);
+ }
+ 
++static void printTextString(const GooString *s, const UnicodeMap *uMap)
++{
++    printStdTextString(s->toStr(), uMap);
++}
++
+ static void printUCS4String(const Unicode *u, int len, const UnicodeMap *uMap)
+ {
+     char buf[8];
+@@ -295,11 +300,6 @@ static void printStruct(const StructElement *element, unsigned indent)
+     }
+ }
+ 
+-struct GooStringCompare
+-{
+-    bool operator()(GooString *lhs, GooString *rhs) const { return lhs->cmp(const_cast<GooString *>(rhs)) < 0; }
+-};
+-
+ static void printLinkDest(const std::unique_ptr<LinkDest> &dest)
+ {
+     GooString s;
+@@ -370,29 +370,25 @@ static void printLinkDest(const std::unique_ptr<LinkDest> &dest)
+ 
+ static void printDestinations(PDFDoc *doc, const UnicodeMap *uMap)
+ {
+-    std::map<Ref, std::map<GooString *, std::unique_ptr<LinkDest>, GooStringCompare>> map;
++    std::map<Ref, std::map<std::string, std::unique_ptr<LinkDest>>> map;
+ 
+     int numDests = doc->getCatalog()->numDestNameTree();
+     for (int i = 0; i < numDests; i++) {
+-        GooString *name = new GooString(doc->getCatalog()->getDestNameTreeName(i));
++        const GooString *name = doc->getCatalog()->getDestNameTreeName(i);
+         std::unique_ptr<LinkDest> dest = doc->getCatalog()->getDestNameTreeDest(i);
+-        if (dest && dest->isPageRef()) {
++        if (name && dest && dest->isPageRef()) {
+             Ref pageRef = dest->getPageRef();
+-            map[pageRef].insert(std::make_pair(name, std::move(dest)));
+-        } else {
+-            delete name;
++            map[pageRef].insert(std::make_pair(name->toStr(), std::move(dest)));
+         }
+     }
+ 
+     numDests = doc->getCatalog()->numDests();
+     for (int i = 0; i < numDests; i++) {
+-        GooString *name = new GooString(doc->getCatalog()->getDestsName(i));
++        const char *name = doc->getCatalog()->getDestsName(i);
+         std::unique_ptr<LinkDest> dest = doc->getCatalog()->getDestsDest(i);
+-        if (dest && dest->isPageRef()) {
++        if (name && dest && dest->isPageRef()) {
+             Ref pageRef = dest->getPageRef();
+             map[pageRef].insert(std::make_pair(name, std::move(dest)));
+-        } else {
+-            delete name;
+         }
+     }
+ 
+@@ -406,9 +402,8 @@ static void printDestinations(PDFDoc *doc, const UnicodeMap *uMap)
+                     printf("%4d ", i);
+                     printLinkDest(it.second);
+                     printf(" \"");
+-                    printTextString(it.first, uMap);
++                    printStdTextString(it.first, uMap);
+                     printf("\"\n");
+-                    delete it.first;
+                 }
+             }
+         }
+-- 
+GitLab
+

backport-CVE-2025-32364.patch

@@ -0,0 +1,25 @@
+From d87bc726c7cc98f8c26b60ece5f20236e9de1bc3 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Mon, 24 Mar 2025 00:44:54 +0100
+Subject: [PATCH] PSStack::roll: Protect against doing int = -INT_MIN
+
+---
+ poppler/Function.cc | 2 +-
+ 1 file changed, 1 insertion(+),  deletion(-)
+
+diff --git a/poppler/Function.cc b/poppler/Function.cc
+index d84c4e350..f3168f191 100644
+--- a/poppler/Function.cc
++++ b/poppler/Function.cc
+@@ -1068,7 +1068,7 @@ void PSStack::roll(int n, int j)
+     PSObject obj;
+     int i, k;
+ 
+-    if (unlikely(n == 0)) {
++    if (unlikely(n == 0 || j == INT_MIN)) {
+         return;
+     }
+     if (j >= 0) {
+-- 
+GitLab
+

backport-CVE-2025-32365.patch

@@ -0,0 +1,37 @@
+From 1f151565bbca5be7449ba8eea6833051cc1baa41 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Mon, 31 Mar 2025 14:35:49 +0200
+Subject: [PATCH] Move isOk check to inside JBIG2Bitmap::combine
+
+---
+ poppler/JBIG2Stream.cc | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
+index cf9e0c984..4e81d4a8c 100644
+--- a/poppler/JBIG2Stream.cc
++++ b/poppler/JBIG2Stream.cc
+@@ -768,6 +768,9 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp
+     unsigned int src0, src1, src, dest, s1, s2, m1, m2, m3;
+     bool oneByte;
+ 
++    if (unlikely(!isOk())) {
++        return;
++    }
+     // check for the pathological case where y = -2^31
+     if (y < -0x7fffffff) {
+         return;
+@@ -2198,9 +2201,7 @@ void JBIG2Stream::readTextRegionSeg(unsigned int segNum, bool imm, bool lossless
+             if (pageH == 0xffffffff && y + h > curPageH) {
+                 pageBitmap->expand(y + h, pageDefPixel);
+             }
+-            if (pageBitmap->isOk()) {
+-                pageBitmap->combine(bitmap.get(), x, y, extCombOp);
+-            }
++            pageBitmap->combine(bitmap.get(), x, y, extCombOp);
+ 
+             // store the region bitmap
+         } else {
+-- 
+GitLab
+

backport-CVE-2025-43903.patch

@@ -0,0 +1,44 @@
+From f1b9c830f145a0042e853d6462b2f9ca4016c669 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Juraj=20=C5=A0arinay?= <juraj@sarinay.com>
+Date: Thu, 6 Mar 2025 02:02:56 +0100
+Subject: [PATCH] Properly verify adbe.pkcs7.sha1 signatures.
+
+For signatures with non-empty encapsulated content
+(typically adbe.pkcs7.sha1), we only compared hash values and
+never actually checked SignatureValue within SignerInfo.
+The bug introduced by c7c0207b1cfe49a4353d6cda93dbebef4508138f
+made trivial signature forgeries possible. Fix this by calling
+NSS_CMSSignerInfo_Verify() after the hash values compare equal.
+---
+ poppler/NSSCryptoSignBackend.cc | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/poppler/NSSCryptoSignBackend.cc b/poppler/NSSCryptoSignBackend.cc
+index 521137d6b..eeea26ee3 100644
+--- a/poppler/NSSCryptoSignBackend.cc
++++ b/poppler/NSSCryptoSignBackend.cc
+@@ -877,13 +877,18 @@ SignatureValidationStatus NSSSignatureVerification::validateSignature()
+           This means it's not a detached type signature
+           so the digest is contained in SignedData->contentInfo
+         */
+-        if (digest.len == content_info_data->len && memcmp(digest.data, content_info_data->data, digest.len) == 0) {
+-            return SIGNATURE_VALID;
+-        } else {
++        if (digest.len != content_info_data->len || memcmp(digest.data, content_info_data->data, digest.len) != 0) {
+             return SIGNATURE_DIGEST_MISMATCH;
+         }
+
+-    } else if (NSS_CMSSignerInfo_Verify(CMSSignerInfo, &digest, nullptr) != SECSuccess) {
++        auto innerHashContext = HashContext::create(hashContext->getHashAlgorithm());
++        innerHashContext->updateHash(content_info_data->data, content_info_data->len);
++        digest_buffer = innerHashContext->endHash();
++        digest.data = digest_buffer.data();
++        digest.len = digest_buffer.size();
++    }
++
++    if (NSS_CMSSignerInfo_Verify(CMSSignerInfo, &digest, nullptr) != SECSuccess) {
+         return NSS_SigTranslate(CMSSignerInfo->verificationStatus);
+     } else {
+         return SIGNATURE_VALID;
+--
+GitLab

poppler.spec

@@ -1,6 +1,6 @@
 %global test_sha 03a4b9eb854a06a83c465e82de601796c458bbe9
 %global test_date 2021-01-11
-%ifarch loongarch64
+%ifarch loongarch64 sw_64
 %global qt6 0
 %else
 %global qt6 1
@@ -8,7 +8,7 @@
 
 Name:    poppler
 Version: 23.12.0
-Release: 2
+Release: 7
 Summary: PDF rendering library
 License: GPLv2+ and LGPLv2+ and MIT
 URL:     http://poppler.freedesktop.org/
@@ -18,6 +18,12 @@ Source1: %{name}-test-%{test_date}-%{test_sha}.tar.xz
 Patch1:  poppler-0.90.0-position-independent-code.patch
 Patch3:  poppler-21.01.0-glib-introspection.patch
 
+Patch6000: backport-CVE-2024-6239.patch
+Patch6001: backport-CVE-2024-56378.patch
+Patch6002: backport-CVE-2025-32364.patch
+Patch6003: backport-CVE-2025-32365.patch
+Patch6004: backport-CVE-2025-43903.patch
+
 BuildRequires: make
 BuildRequires: cmake
 BuildRequires: gcc-c++
@@ -166,7 +172,9 @@ cd build
   -DENABLE_LIBOPENJPEG=openjpeg2 \
   -DENABLE_UNSTABLE_API_ABI_HEADERS=ON \
   -DENABLE_ZLIB=OFF \
-%ifarch loongarch64
+%if 0%{?qt6}
+  -DENABLE_QT6=ON \
+%else
   -DENABLE_QT6=OFF \
 %endif
   ..
@@ -260,6 +268,24 @@ test "$(pkg-config --modversion poppler-qt6)" = "%{version}"
 %{_mandir}/man1/*
 
 %changelog
+* Sun Apr 20 2025 zhangliangpengkun <zhangliangpengkun@xfusion.com> - 23.12.0-7
+- fix CVE-2025-43903
+
+* Mon Apr 07 2025 Funda Wang <fundawang@yeah.net> - 23.12.0-6
+- fix CVE-2025-32364, CVE-2025-32365
+
+* Fri Mar 28 2025 yueyaoqiang <yueyaoqiang@kylinos.cn> - 23.12.0-5
+- disable qt6 for sw_64
+
+* Mon Dec 23 2024 Funda Wang <fundawang@yeah.net> - 23.12.0-4
+- fix CVE-2024-56378
+
+* Tue Jun 25 2024 lingsheng <lingsheng1@h-partners.com> - 23.12.0-3
+- Type:CVE
+- CVE:CVE-2024-6239
+- SUG:NA
+- DESC:fix CVE-2024-6239
+
 * Tue Apr 16 2024 Wenlong Zhang <zhangwenlong@loongson.cn> - 23.12.0-2
 - disable qt6 for loongarch64