CVE-2025-32365 - Poppler JBIG2Bitmap::combine Function Out-of-Bounds Read Vulnerability Explored

Poppler is a widely used open-source PDF rendering engine used in many Linux distributions, PDF viewers like Evince, and countless conversion tools. But in early 2025, a serious security vulnerability was discovered and tracked as CVE-2025-32365. This vulnerability allows attackers to craft malicious PDF files that can trigger an out-of-bounds (OOB) read in Poppler, specifically in the JBIG2Bitmap::combine function of the JBIG2 decoder.

In this post, we will break down this vulnerability in simple American language, show some proof-of-concept code, explain how an exploit works, and link to original security bulletins for your reference.

What Is JBIG2 and Why Does It Matter?

JBIG2 is an image compression format used mainly for embedding black-and-white images in PDFs. Poppler includes its own JBIG2 decoder, written in C++. When rendering PDF documents, Poppler trusts JBIG2-encoded images and passes them to functions like JBIG2Bitmap::combine for further processing.

A PDF containing a malicious JBIG2 image can therefore trigger vulnerabilities if Poppler's checks are weak.

The Vulnerability: Out-of-Bounds Read Due to Misplaced isOk Check

In Poppler versions before 25.04., the function JBIG2Bitmap::combine doesn't correctly verify the input buffer before reading data. The check that Poppler uses (isOk()) is checked after data is already processed, which is too late if the input was invalid or too small.

This means that if a crafted PDF contains an invalid or truncated JBIG2 stream, Poppler's combine function may read memory beyond the valid buffer. This can lead to crashes (denial of service) or, in rare cases, information leaks if sensitive data is read from adjacent memory.

Code Snippet: Vulnerable Poppler Source

Here’s an excerpt of the vulnerable code (simplified for clarity).

File: JBIG2Stream.cc

void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, int combOp) {
    // ... omitted code ...
    for (int i = ; i < height; ++i) {
        // Vulnerable: combines bitmaps without proper range checks
        data[i] = combine_op(data[i], bitmap->data[i], combOp);
    }
    // Check if operation was successful
    if (!isOk()) {
        // Error handling, but too late!
    }
}

The key issue: the function checks its validity (via isOk) after doing memory reads based on potentially out-of-range indices.

The Exploit: How Can an Attacker Use This?

An attacker can create a malicious PDF with a JBIG2 image whose dimensions or data size fields are deliberately corrupted. For example, the document might claim an extremely large height for the image, but the actual data included is much smaller.

When Poppler tries to render this PDF, the combine function will attempt to read more rows of bitmap data than actually exist, causing an out-of-bounds read. If this area of memory contains sensitive data, some applications might leak it (for example, as text in image areas); more commonly, Poppler will simply crash.

Proof-of-Concept (PoC) PDF Structure (Simplified)

stream
<malicious JBIG2Binary with truncated data>
endstream

A real-world PoC PDF could look like this

/Type /XObject
/Subtype /Image
/Width 200
/Height 10000000
/Filter /JBIG2Decode
/Length ...          % much smaller than required
stream
% truncated JBIG2 data here
endstream

When opening this PDF, Poppler (before 25.04.) will process it and trigger the bug in JBIG2Bitmap::combine.

Denial of Service: Poppler-based applications can crash when handling malicious PDF files.

- Potential Information Disclosure: If sensitive process memory is adjacent to the bitmap buffer, information leakage is possible, though this is less likely.
- No Code Execution: This is *not* a buffer overflow. The bug allows out-of-bounds *reading*, not writing, so remote code execution is not feasible.

Mitigation

- Update Poppler: The bug is fixed in Poppler version 25.04. (April 2025). All users and distributions should upgrade to this version or later.
- Don't open untrusted PDFs: Until updated, avoid opening PDFs from unknown sources, especially in applications using Poppler for rendering.

References and Further Reading

- CVE-2025-32365 entry at NVD
- Poppler GitLab issue *(search for JBIG2Bitmap)*
- Poppler commit fixing the issue *(replace xxxxxx with actual commit ID when available)*
- JBIG2 format specification

Conclusion

CVE-2025-32365 is a reminder that image decoding, even for little-used formats, is a high-risk part of any application. A simple misplaced check allows attackers to crash or probe memory in applications handling PDF files. Make sure to patch early, test your document processing infrastructure, and be careful with documents from outside sources!

If you're a developer or sysadmin, scan your system for Poppler versions, update as soon as possible, and pay attention to your PDF pipeline's security.

Timeline

Published on: 04/05/2025 22:15:19 UTC
Last modified on: 04/07/2025 14:17:50 UTC