Submitted By:            Joe Locash <jlocash at gmail dot com>
Date:                    2025-11-20
Initial Package Version: 2.1.1
Upstream Status:         Applied
Origin:                  Upstream commits ce1174b and c726672
Description:             Fixes CVE-2025-57812 and CVE-2025-64503

From ce1174b47948b00818479aba96f8ea23e895fe42 Mon Sep 17 00:00:00 2001
From: zdohnal <zdohnal@redhat.com>
Date: Mon, 10 Nov 2025 18:58:31 +0100
Subject: [PATCH] Merge commit from fork

* Fix heap-buffer overflow write in cfImageLut

1. fix for CVE-2025-57812

* Reject color images with 1 bit per sample

2. fix for CVE-2025-57812

* Reject images where the number of samples does not correspond with the color space

3. fix for CVE-2025-57812

* Reject images with planar color configuration

4. fix for CVE-2025-57812

* Reject images with vertical scanlines

5.  fix for CVE-2025-57812

---------

Co-authored-by: Till Kamppeter <till.kamppeter@gmail.com>
---
 cupsfilters/image-tiff.c | 46 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 45 insertions(+), 1 deletion(-)

diff --git a/cupsfilters/image-tiff.c b/cupsfilters/image-tiff.c
index 20dfbaee6..748e2db63 100644
--- a/cupsfilters/image-tiff.c
+++ b/cupsfilters/image-tiff.c
@@ -41,6 +41,7 @@ _cfImageReadTIFF(
   TIFF		*tif;			// TIFF file
   uint32_t	width, height;		// Size of image
   uint16_t	photometric,		// Colorspace
+    planar,         // Color components in separate planes
 		compression,		// Type of compression
 		orientation,		// Orientation
 		resunit,		// Units for resolution
@@ -113,6 +114,15 @@ _cfImageReadTIFF(
     return (-1);
   }
 
+  if (TIFFGetField(tif, TIFFTAG_PLANARCONFIG, &planar) &&
+      planar == PLANARCONFIG_SEPARATE)
+  {
+    fputs("DEBUG: Images with planar color configuration are not supported!\n", stderr);
+    TIFFClose(tif);
+    fclose(fp);
+    return (1);
+  }
+
   if (!TIFFGetField(tif, TIFFTAG_COMPRESSION, &compression))
   {
     DEBUG_puts("DEBUG: No compression tag in the file!\n");
@@ -127,6 +137,15 @@ _cfImageReadTIFF(
   if (!TIFFGetField(tif, TIFFTAG_BITSPERSAMPLE, &bits))
     bits = 1;
 
+  if (bits == 1 && samples > 1)
+  {
+    fprintf(stderr, "ERROR: Color images with 1 bit per sample not supported! "
+                    "Samples per pixel: %d; Bits per sample: %d\n", samples, bits);
+    TIFFClose(tif);
+    fclose(fp);
+    return (1);
+  }
+
   //
   // Get the image orientation...
   //
@@ -193,6 +212,23 @@ _cfImageReadTIFF(
   else
     alpha = 0;
 
+  //
+  // Check whether number of samples per pixel corresponds with color space
+  //
+
+  if ((photometric == PHOTOMETRIC_RGB && (samples < 3 || samples > 4)) ||
+      (photometric == PHOTOMETRIC_SEPARATED && samples != 4))
+  {
+    fprintf(stderr, "DEBUG: Number of samples per pixel does not correspond to color space! "
+                    "Color space: %s; Samples per pixel: %d\n",
+                    (photometric == PHOTOMETRIC_RGB ? "RGB" :
+                     (photometric == PHOTOMETRIC_SEPARATED ? "CMYK" : "Unknown")),
+                    samples);
+    TIFFClose(tif);
+    fclose(fp);
+    return (1);
+  }
+
   //
   // Check the size of the image...
   //
@@ -265,6 +301,14 @@ _cfImageReadTIFF(
         break;
   }
 
+  if (orientation >= ORIENTATION_LEFTTOP)
+  {
+    fputs("ERROR: TIFF files with vertical scanlines are not supported!\n", stderr);
+    TIFFClose(tif);
+    fclose(fp);
+    return (-1);
+  }
+
   switch (orientation)
   {
     case ORIENTATION_TOPRIGHT :
@@ -1493,7 +1537,7 @@ _cfImageReadTIFF(
 	      }
 
 	      if (lut)
-	        cfImageLut(out, img->xsize * 3, lut);
+	        cfImageLut(out, img->xsize * bpp, lut);
 
               _cfImagePutRow(img, 0, y, img->xsize, out);
             }
From c726672e5bfd8b353f18a8c62ce27bc954552c16 Mon Sep 17 00:00:00 2001
From: Till Kamppeter <till.kamppeter@gmail.com>
Date: Mon, 10 Nov 2025 22:07:00 +0100
Subject: [PATCH] Fix out-of-bounds write in cfFilterPDFToRaster()

PDFs with too large page dimensions could cause an integer overflow and then a too small buffer for the pixel line to be allocated.

Fixed this by cropping the page size to the maximum allowed by the standard, 14400x14400pt, 200x200in, 5x5m

https://community.adobe.com/t5/indesign-discussions/maximum-width-of-a-pdf/td-p/9217372

Fixes CVE-2025-64503
---
 cupsfilters/pdftoraster.cxx | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/cupsfilters/pdftoraster.cxx b/cupsfilters/pdftoraster.cxx
index 3b50030a6..b52c75631 100644
--- a/cupsfilters/pdftoraster.cxx
+++ b/cupsfilters/pdftoraster.cxx
@@ -1610,6 +1610,20 @@ out_page(pdftoraster_doc_t *doc,
     doc->header.cupsPageSize[0] = l;
   else
     doc->header.cupsPageSize[1] = l;
+
+  //
+  // Maximum allowed page size for PDF is 200x200 inches (~ 5x5 m), or 14400x14400 pt
+  // https://community.adobe.com/t5/indesign-discussions/maximum-width-of-a-pdf/td-p/9217372
+  //
+  if (doc->header.cupsPageSize[0] > 14400) {
+    fprintf(stderr, "ERROR: Page width is %.2fpt, too large, cropping to 14400pt\n", doc->header.cupsPageSize[0]);
+    doc->header.cupsPageSize[0] = 14400;
+  }
+  if (doc->header.cupsPageSize[1] > 14400) {
+    fprintf(stderr, "ERROR: Page height is %.2fpt, too large, cropping to 14400pt\n", doc->header.cupsPageSize[1]);
+    doc->header.cupsPageSize[1] = 14400;
+  }
+
   if (rotate == 90 || rotate == 270)
   {
     doc->header.cupsImagingBBox[0] =