File poppler-CVE-2025-43903.patch of Package poppler.40035
Index: poppler-24.03.0/poppler/NSSCryptoSignBackend.cc
===================================================================
--- poppler-24.03.0.orig/poppler/NSSCryptoSignBackend.cc
+++ poppler-24.03.0/poppler/NSSCryptoSignBackend.cc
@@ -953,13 +953,18 @@ SignatureValidationStatus NSSSignatureVe
This means it's not a detached type signature
so the digest is contained in SignedData->contentInfo
*/
- if (digest.len == content_info_data->len && memcmp(digest.data, content_info_data->data, digest.len) == 0) {
- return SIGNATURE_VALID;
- } else {
+ if (digest.len != content_info_data->len || memcmp(digest.data, content_info_data->data, digest.len) != 0) {
return SIGNATURE_DIGEST_MISMATCH;
}
- } else if (NSS_CMSSignerInfo_Verify(CMSSignerInfo, &digest, nullptr) != SECSuccess) {
+ auto innerHashContext = HashContext::create(hashContext->getHashAlgorithm());
+ innerHashContext->updateHash(content_info_data->data, content_info_data->len);
+ digest_buffer = innerHashContext->endHash();
+ digest.data = digest_buffer.data();
+ digest.len = digest_buffer.size();
+ }
+
+ if (NSS_CMSSignerInfo_Verify(CMSSignerInfo, &digest, nullptr) != SECSuccess) {
return NSS_SigTranslate(CMSSignerInfo->verificationStatus);
} else {
return SIGNATURE_VALID;
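Review bot: The result of `HashContext::create(hashContext->getHashAlgorithm())` is dereferenced on the following line without a check. If create() can return an empty pointer when the hash cannot be set up (its definition is outside this hunk), validating a non-detached signature would crash rather than report an error. A guard such as `if (!innerHashContext) { return SIGNATURE_GENERIC_ERROR; }` before the `updateHash` call makes that path fail closed. The block comment above the comparison could also say why the content is hashed a second time, for example `// The signer's signature covers the hash of the encapsulated content, so a matching digest alone does not prove the signature is valid.` The enclosing function begins and ends outside the hunk, so whether `hashContext` itself is checked earlier cannot be confirmed from here.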