From 785c1cdac8b903e6d511509f7f6be29577b4d5b3 Mon Sep 17 00:00:00 2001
From: lingsheng <860373352@qq.com>
Date: Thu, 24 Jul 2025 15:49:51 +0800
Subject: [PATCH] fix CVE-2025-52886

(cherry picked from commit 14c8b069f13ce82bb5c988b4e53aae3d53d42d13)
---
 backport-CVE-2025-52886.patch | 55 +++++++++++++++++++++++++++++++++++
 poppler.spec | 6 +++-
 2 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-52886.patch

diff --git a/backport-CVE-2025-52886.patch b/backport-CVE-2025-52886.patch
new file mode 100644
index 0000000..ded0a03
--- /dev/null
+++ b/backport-CVE-2025-52886.patch
@@ -0,0 +1,55 @@
+From ac36affcc8486de38e8905a8d6547a3464ff46e5 Mon Sep 17 00:00:00 2001
+From: Sune Vuorela
+Date: Tue, 3 Jun 2025 00:35:19 +0200
+Subject: [PATCH] Limit ammount of annots per document/page
+
+---
+ poppler/Annot.cc | 4 ++++
+ poppler/Page.cc | 16 ++++++++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/poppler/Annot.cc b/poppler/Annot.cc
+index 87f5791..0898a97 100644
+--- a/poppler/Annot.cc
++++ b/poppler/Annot.cc
+@@ -1501,6 +1501,10 @@ void Annot::removeReferencedObjects() {
+ }
+ 
+ void Annot::incRefCnt() {
++ if (refCnt > 100000) {
++ error(errSyntaxError, -1, "Annotations likely malformed. Too many references. Stopping processing annots on page {0:d}", page);
++ return;
++ }
+ refCnt++;
+ }
+ 
+diff --git a/poppler/Page.cc b/poppler/Page.cc
+index a875f7b..4def6e2 100644
+--- a/poppler/Page.cc
++++ b/poppler/Page.cc
+@@ -285,6 +285,22 @@ Page::Page(PDFDoc *docA, int numA, Object &&pageDict, Ref pageRefA, PageAttrs *a
+ goto err2;
+ }
+ 
++ if (annotsObj.isArray() && annotsObj.arrayGetLength() > 10000) {
++ error(errSyntaxError, -1, "Page annotations object (page {0:d}) is likely malformed. Too big: ({1:d})", num, annotsObj.arrayGetLength());
++ goto err2;
++ }
++ if (annotsObj.isRef()) {
++ auto resolvedObj = getAnnotsObject();
++ if (resolvedObj.isArray() && resolvedObj.arrayGetLength() > 10000) {
++ error(errSyntaxError, -1, "Page annotations object (page {0:d}) is likely malformed. Too big: ({1:d})", num, resolvedObj.arrayGetLength());
++ goto err2;
++ }
++ if (!resolvedObj.isArray() && !resolvedObj.isNull()) {
++ error(errSyntaxError, -1, "Page annotations object (page {0:d}) is wrong type ({1:s})", num, resolvedObj.getTypeName());
++ goto err2;
++ }
++ }
++
+ // contents
+ contents = pageObj.dictLookupNF("Contents").copy();
+ if (!(contents.isRef() || contents.isArray() ||
+--
+2.33.0
+
diff --git a/poppler.spec b/poppler.spec
index 01ae74a..5b0c577 100644
--- a/poppler.spec
+++ b/poppler.spec
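Review bot: The cap added to `Annot::incRefCnt` in the nested Annot.cc hunk returns without incrementing but gives the caller no signal that the reference was refused, so if `Annot::decRefCnt` (outside this hunk) still decrements unconditionally, a later release can drive the count to zero while holders remain and free an annot that is still referenced. The logged text "Stopping processing annots on page" also overstates what happens: the function merely returns and the caller continues with the annot it believes it owns. Since the file is a verbatim backport of upstream ac36affc, the least invasive local change is to document the intended saturating behaviour next to the check so the pairing with decRefCnt is reviewed when the backport is rebased, e.g. `// Saturates rather than overflows: past this cap the annot must stay alive for the rest of the document, so decRefCnt has to honour the same cap or a later release can free a still-referenced annot.` The Page.cc hunk rejects both an inline and a referenced /Annots array above 10000 entries before any annot is built, which is the part that actually bounds the work per page.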
@@ -4,7 +4,7 @@ Summary: PDF rendering library
 Name: poppler
 Version: 0.90.0
-Release: 11
+Release: 12
 License: (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT
 URL: http://poppler.freedesktop.org/
 Source0: http://poppler.freedesktop.org/poppler-%{version}.tar.xz
@@ -28,6 +28,7 @@ Patch6010: backport-CVE-2024-4141.patch
 Patch6011: backport-CVE-2024-56378.patch
 Patch6012: backport-CVE-2025-32364.patch
 Patch6013: backport-CVE-2025-32365.patch
+Patch6014: backport-CVE-2025-52886.patch
 BuildRequires: cmake
 BuildRequires: gcc-c++
@@ -227,6 +228,9 @@ test "$(pkg-config --modversion poppler-splash)" = "%{version}"
 %{_mandir}/man1/*
 %changelog
+* Thu Jul 24 2025 lingsheng - 0.90.0-12
+- fix CVE-2025-52886
+
 * Sun Apr 06 2025 Funda Wang - 0.90.0-11
 - fix CVE-2025-32364, CVE-2025-32365
--
Gitee