Highlights
Memory Corruption: 74 prior fixes. Scrutinize any change in this area.
poppler/JBIG2Stream.cc: most-fixed (54 issues). Treat as high-risk during review.
155 high-severity fixes in this history; regressions here are high-impact.
Recurring patterns
The bug types that recur here, drawn from past fixes, not open vulnerabilities.
Integer Overflow: Multiplications and additions in stream segment coordinates (e.g., width, height, refDX, refDY) frequently overflowed, bypassing allocation boundaries and leading to critical heap-based buffer overflows. Relying on unsafe arithmetic inside decode loops has repeatedly led to memory corruption.
Memory Safety: Manual raw pointer management and mismatched allocation/deallocation routines (e.g. gfree vs delete) historically caused wild frees, double frees, and memory corruption on parser error paths. Translating to RAII structures like std::vector and std::unique_ptr is crucial for safety.
Signature Bypass: PDF signatures could bypass cryptographic validation because the backend did not rigorously match SubFilter structures (e.g., adbe.pkcs7.sha1) with expected encapsulated content types, or failed to verify the ESSSigningCertificate attributes, allowing attackers to forge signatures.