File poppler-CVE-2025-11896.patch of Package poppler.41939

From 998c6a79571af968ba90af57a0c5dcbb5a53763c Mon Sep 17 00:00:00 2001
From: Sune Vuorela <sune@vuorela.dk>
Date: Mon, 13 Oct 2025 15:13:14 +0200
Subject: [PATCH] Limit recursion in cmap parsing

fixes #1632
---
 poppler/CMap.cc | 18 +++++++++++-------
 poppler/CMap.h  | 13 +++++++------
 2 files changed, 18 insertions(+), 13 deletions(-)

Index: poppler-0.43.0/poppler/CMap.cc
===================================================================
--- poppler-0.43.0.orig/poppler/CMap.cc
+++ poppler-0.43.0/poppler/CMap.cc
@@ -63,7 +63,7 @@ static int getCharFromStream(void *data)
 
 //------------------------------------------------------------------------
 
-CMap *CMap::parse(CMapCache *cache, GooString *collectionA, Object *obj) {
+CMap *CMap::parse(CMapCache *cache, GooString *collectionA, Object *obj, int recursion) {
   CMap *cMap;
   GooString *cMapNameA;
 
@@ -76,7 +76,7 @@ CMap *CMap::parse(CMapCache *cache, GooS
     }
     delete cMapNameA;
   } else if (obj->isStream()) {
-    if (!(cMap = CMap::parse(NULL, collectionA, obj->getStream()))) {
+    if (!(cMap = CMap::parse(NULL, collectionA, obj->getStream(), recursion + 1))) {
       error(errSyntaxError, -1, "Invalid CMap in Type 0 font");
     }
   } else {
@@ -115,14 +115,17 @@ CMap *CMap::parse(CMapCache *cache, GooS
   return cMap;
 }
 
-CMap *CMap::parse(CMapCache *cache, GooString *collectionA, Stream *str) {
+CMap *CMap::parse(CMapCache *cache, GooString *collectionA, Stream *str, int recursion) {
   Object obj1;
+  if (recursion > 50) {
+      return nullptr;
+  }
   CMap *cMap;
 
   cMap = new CMap(collectionA->copy(), NULL);
 
   if (!str->getDict()->lookup("UseCMap", &obj1)->isNull()) {
-    cMap->useCMap(cache, &obj1);
+    cMap->useCMap(cache, &obj1, recursion);
   }
   obj1.free();
 
@@ -358,10 +361,10 @@ void CMap::useCMap(CMapCache *cache, cha
   subCMap->decRefCnt();
 }
 
-void CMap::useCMap(CMapCache *cache, Object *obj) {
+void CMap::useCMap(CMapCache *cache, Object *obj, int recursion) {
   CMap *subCMap;
 
-  subCMap = CMap::parse(cache, collection, obj);
+  subCMap = CMap::parse(cache, collection, obj, recursion + 1);
   if (!subCMap) {
     return;
   }
Index: poppler-0.43.0/poppler/CMap.h
===================================================================
--- poppler-0.43.0.orig/poppler/CMap.h
+++ poppler-0.43.0/poppler/CMap.h
@@ -29,6 +29,7 @@
 #pragma interface
 #endif
 
+#include "Object.h"
 #include "poppler-config.h"
 #include "goo/gtypes.h"
 #include "CharTypes.h"
@@ -50,7 +51,7 @@ public:
 
   // Parse a CMap from <obj>, which can be a name or a stream.  Sets
   // the initial reference count to 1.  Returns NULL on failure.
-  static CMap *parse(CMapCache *cache, GooString *collectionA, Object *obj);
+  static CMap *parse(CMapCache *cache, GooString *collectionA, Object *obj, int recursion = 0);
 
   // Create the CMap specified by <collection> and <cMapName>.  Sets
   // the initial reference count to 1.  Returns NULL on failure.
@@ -59,7 +60,7 @@ public:
 
   // Parse a CMap from <str>.  Sets the initial reference count to 1.
   // Returns NULL on failure.
-  static CMap *parse(CMapCache *cache, GooString *collectionA, Stream *str);
+  static CMap *parse(CMapCache *cache, GooString *collectionA, Stream *str, int recursion);
 
   // Create the CMap specified by <collection> and <cMapName>.  Sets
   // the initial reference count to 1.
@@ -99,7 +100,7 @@ private:
   CMap(GooString *collectionA, GooString *cMapNameA);
   CMap(GooString *collectionA, GooString *cMapNameA, int wModeA);
   void useCMap(CMapCache *cache, char *useName);
-  void useCMap(CMapCache *cache, Object *obj);
+  void useCMap(CMapCache *cache, Object *obj, int recursion);
   void copyVector(CMapVectorEntry *dest, CMapVectorEntry *src);
   void addCIDs(Guint start, Guint end, Guint nBytes, CID firstCID);
   void freeCMapVector(CMapVectorEntry *vec);