File poppler-CVE-2025-52886.patch of Package poppler.39582

From ac36affcc8486de38e8905a8d6547a3464ff46e5 Mon Sep 17 00:00:00 2001
From: Sune Vuorela <sune@vuorela.dk>
Date: Tue, 3 Jun 2025 00:35:19 +0200
Subject: [PATCH] Limit ammount of annots per document/page

---
 poppler/Annot.cc |  4 ++++
 poppler/Page.cc  | 16 ++++++++++++++++
 2 files changed, 20 insertions(+)

Index: poppler-0.79.0/poppler/Annot.cc
===================================================================
--- poppler-0.79.0.orig/poppler/Annot.cc
+++ poppler-0.79.0/poppler/Annot.cc
@@ -1511,6 +1511,10 @@ void Annot::removeReferencedObjects() {
 }
 
 void Annot::incRefCnt() {
+  if (refCnt > 100000) {
+    error(errSyntaxError, -1, "Annotations likely malformed. Too many references. Stopping processing annots on page {0:d}", page);
+    return;
+  }
   refCnt++;
 }
 
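Review bot: Returning early from `incRefCnt()` once `refCnt > 100000` leaves the caller holding a pointer that was never counted, and because the function is `void` the caller cannot tell. If every holder still performs the matching decrement (not visible in this hunk), the counter can reach zero while uncounted holders remain, so the overflow guard could turn into a premature free. The message also says processing stops, but nothing in this function stops it. Consider enforcing the cap where a page's annotations are collected, so no holder is created past the limit, and add a comment on the guard such as `// cap reached: this reference is NOT counted`.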
Index: poppler-0.79.0/poppler/Page.cc
===================================================================
--- poppler-0.79.0.orig/poppler/Page.cc
+++ poppler-0.79.0/poppler/Page.cc
@@ -282,6 +282,22 @@ Page::Page(PDFDoc *docA, int numA, Objec
     goto err2;
   }
 
+  if (annotsObj.isArray() && annotsObj.arrayGetLength() > 10000) {
+    error(errSyntaxError, -1, "Page annotations object (page {0:d}) is likely malformed. Too big: ({1:d})", num, annotsObj.arrayGetLength());
+    goto err2;
+  }
+  if (annotsObj.isRef()) {
+    auto resolvedObj = getAnnotsObject();
+    if (resolvedObj.isArray() && resolvedObj.arrayGetLength() > 10000) {
+      error(errSyntaxError, -1, "Page annotations object (page {0:d}) is likely malformed. Too big: ({1:d})", num, resolvedObj.arrayGetLength());
+      goto err2;
+    }
+    if (!resolvedObj.isArray() && !resolvedObj.isNull()) {
+      error(errSyntaxError, -1, "Page annotations object (page {0:d}) is wrong type ({1:s})", num, resolvedObj.getTypeName());
+      goto err2;
+    }
+  }
+
   // contents
   contents = pageObj.dictLookupNF("Contents").copy();
   if (!(contents.isRef() || contents.isArray() ||
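Review bot: The wrong-type rejection sits only inside `if (annotsObj.isRef())`, so a direct annotations value that is neither an array nor null passes this block unchecked, while the same value behind a reference fails the page. If that asymmetry is not intended, resolve once and check once: assuming `getAnnotsObject()` returns the object itself when it is not a reference, `auto resolvedObj = getAnnotsObject();` can run unconditionally and the separate `annotsObj.isArray()` check can be dropped. The limit `10000` is written twice here and differs from the `100000` in `Annot::incRefCnt()`; a named constant with a comment such as `// upper bound on annotation entries per page; larger arrays are treated as malformed` would make the relationship explicit. The constructor begins before and continues after this hunk, so what `err2` cleans up is not visible here.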