diffstat for poppler-26.01.0 poppler-26.01.0

 changelog                                                          |    8 +
 patches/SplashOutputDev-Fix-integer-overflow-in-tilingPatter.patch |   41 ++++++++++
 patches/series                                                     |    1 
 3 files changed, 50 insertions(+)

diff -Nru poppler-26.01.0/debian/changelog poppler-26.01.0/debian/changelog
--- poppler-26.01.0/debian/changelog	2026-05-31 23:12:29.000000000 +0200
+++ poppler-26.01.0/debian/changelog	2026-06-02 19:08:52.000000000 +0200
@@ -1,3 +1,11 @@
+poppler (26.01.0-4.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * SplashOutputDev: Fix integer overflow in tilingPatternFill (CVE-2026-10118)
+    (Closes: #1138708)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Tue, 02 Jun 2026 19:08:52 +0200
+
 poppler (26.01.0-4) unstable; urgency=medium
 
   * Team upload
diff -Nru poppler-26.01.0/debian/patches/SplashOutputDev-Fix-integer-overflow-in-tilingPatter.patch poppler-26.01.0/debian/patches/SplashOutputDev-Fix-integer-overflow-in-tilingPatter.patch
--- poppler-26.01.0/debian/patches/SplashOutputDev-Fix-integer-overflow-in-tilingPatter.patch	1970-01-01 01:00:00.000000000 +0100
+++ poppler-26.01.0/debian/patches/SplashOutputDev-Fix-integer-overflow-in-tilingPatter.patch	2026-06-02 19:08:27.000000000 +0200
@@ -0,0 +1,41 @@
+From: Marek Kasik <mkasik@redhat.com>
+Date: Thu, 21 May 2026 17:51:51 +0200
+Subject: SplashOutputDev: Fix integer overflow in tilingPatternFill
+Origin: https://gitlab.freedesktop.org/poppler/poppler/-/commit/8352264766652b98336e92359a70b3161a9ab97a
+Bug-Debian: https://bugs.debian.org/1138708
+Bug: https://gitlab.freedesktop.org/poppler/poppler/-/work_items/1715
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2026-10118
+
+Use checkedMultiply() to check integer multiplication of surface size
+and number of repetitions to avoid integer overflow and possible memory issues.
+
+Fixes: #1715
+---
+ poppler/SplashOutputDev.cc | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/poppler/SplashOutputDev.cc b/poppler/SplashOutputDev.cc
+index ff3ad0eff015..f055486c36f4 100644
+--- a/poppler/SplashOutputDev.cc
++++ b/poppler/SplashOutputDev.cc
+@@ -4327,7 +4328,7 @@ bool SplashOutputDev::tilingPatternFill(GfxState *state, Gfx *gfxA, Catalog * /*
+     matc[2] = ctm[2];
+     matc[3] = ctm[3];
+ 
+-    if (surface_width == 0 || surface_height == 0 || repeatX * repeatY <= 4) {
++    if (surface_width == 0 || surface_height == 0 || repeatX * repeatY <= 4 || checkedMultiply(surface_width, repeatX, &result_width) || checkedMultiply(surface_height, repeatY, &result_height)) {
+         state->setCTM(savedCTM[0], savedCTM[1], savedCTM[2], savedCTM[3], savedCTM[4], savedCTM[5]);
+         return false;
+     }
+@@ -4349,8 +4350,6 @@ bool SplashOutputDev::tilingPatternFill(GfxState *state, Gfx *gfxA, Catalog * /*
+         kx = matc[0];
+         ky = matc[3] - (matc[1] * matc[2]) / matc[0];
+     }
+-    result_width = surface_width * repeatX;
+-    result_height = surface_height * repeatY;
+     kx = result_width / (fabs(kx) + 1);
+     ky = result_height / (fabs(ky) + 1);
+     state->concatCTM(kx, 0, 0, ky, 0, 0);
+-- 
+2.53.0
+
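Review bot: The product in `repeatX * repeatY <= 4` is still computed unchecked in the new condition, and it is evaluated before the two `checkedMultiply()` calls, so if both counts are large signed integers (their declarations are outside the hunk) that comparison can itself overflow before the new guards are reached. Consider routing it through the same helper, e.g. `checkedMultiply(repeatX, repeatY, &repeatCount) || repeatCount <= 4` with a local of the same type as `repeatX`, placed alongside the other two checks. Separately, the embedded diffstat says 2 insertions and both hunk headers carry a +1 offset (`-4327,7 +4328,7` and `-4349,8 +4350,6`), yet the carried patch contains only one added line; it looks as if a hunk of the upstream commit was dropped, so it is worth confirming against the Origin commit that nothing required (for example a declaration or include that `checkedMultiply` depends on) is missing. `tilingPatternFill` starts and ends outside both hunks.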
diff -Nru poppler-26.01.0/debian/patches/series poppler-26.01.0/debian/patches/series
--- poppler-26.01.0/debian/patches/series	2026-05-31 23:12:29.000000000 +0200
+++ poppler-26.01.0/debian/patches/series	2026-06-02 19:07:37.000000000 +0200
@@ -0,0 +1 @@
+SplashOutputDev-Fix-integer-overflow-in-tilingPatter.patch
