poppler/backport-CVE-2022-38784.patch

From 27354e9d9696ee2bc063910a6c9a6b27c5184a52 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Thu, 25 Aug 2022 00:14:22 +0200
Subject: [PATCH] JBIG2Stream: Fix crash on broken file

https://github.com/jeffssh/CVE-2021-30860

Thanks to David Warren for the heads up

---
 poppler/JBIG2Stream.cc | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index 25df3db..5a52f2d 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -2083,7 +2083,14 @@ void JBIG2Stream::readTextRegionSeg(Guint segNum, GBool imm,
   for (i = 0; i < nRefSegs; ++i) {
     if ((seg = findSegment(refSegs[i]))) {
       if (seg->getType() == jbig2SegSymbolDict) {
-	numSyms += ((JBIG2SymbolDict *)seg)->getSize();
+       Guint segSize = ((JBIG2SymbolDict *)seg)->getSize();
+       if (segSize > INT_MAX || numSyms > INT_MAX - segSize) {
+         error(errSyntaxError, getPos(),
+               "Too many symbols in JBIG2 text region");
+         delete codeTables;
+         return;
+       }
+       numSyms += segSize;
       } else if (seg->getType() == jbig2SegCodeTable) {
 	codeTables->append(seg);
       }
-- 
1.8.3.1