Bug 708131

Summary: [RCE] Buffer overflow when converting glyphs to unicode
Product: Ghostscript
Reporter: zhutyra
Component: Security (public)
Assignee: Chris Liddell (chrisl) <chris.liddell>
Status: RESOLVED FIXED
Severity: normal
CC: carnil, dr, jsmeix, ken.sharp, marc.deslauriers, robin.watts, sam, till.kamppeter, zdohnal
Priority: P2
Version: unspecified
Hardware: PC
OS: Linux
Customer:
Word Size: ---
Attachments: patch, exploit

Description zhutyra 2024-11-12 03:20:04 UTC
Created attachment 26189: patch

It seems that in the conversion of glyphs to Unicode, there was once a transition from counting in shorts to counting in bytes, and the function `zbfont.c:gs_font_map_glyph_to_unicode` mistakenly copies twice the amount of data. The result is an overflow of the destination buffer.
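As an added illustration of the length-unit mismatch the report describes (example code, not Ghostscript's gs_font_map_glyph_to_unicode; the struct, status codes and demo input are constructed assumptions), a copy routine that takes the length in bytes exactly once and bounds it against the destination capacity:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for a glyph -> Unicode mapping (not Ghostscript's
 * structure): UTF-16 code units plus their length in BYTES, the newer
 * convention the report mentions. */
struct glyph_unicode {
    const uint16_t *units;
    size_t          len_bytes;
};

/* Status codes, constructed for this example. */
enum { COPY_OK = 0, COPY_BAD_LENGTH = -1, COPY_TOO_SMALL = -2 };

/* Copy the mapping into a caller-supplied byte buffer. The length is used as
 * bytes as-is (no second multiplication by sizeof(short), which is the
 * doubling the report describes) and is checked against dst_cap first. */
int copy_glyph_unicode(const struct glyph_unicode *g, unsigned char *dst,
                       size_t dst_cap, size_t *written)
{
    if (g->len_bytes % sizeof(uint16_t) != 0)   /* whole code units only */
        return COPY_BAD_LENGTH;
    if (g->len_bytes > dst_cap)                 /* never overrun dst */
        return COPY_TOO_SMALL;
    memcpy(dst, g->units, g->len_bytes);
    *written = g->len_bytes;
    return COPY_OK;
}

/* Convert a count of shorts to bytes in one place, with overflow protection,
 * so the unit conversion cannot be applied twice along the call chain. */
int shorts_to_bytes(size_t n_shorts, size_t *n_bytes)
{
    if (n_shorts > SIZE_MAX / sizeof(uint16_t))
        return COPY_BAD_LENGTH;
    *n_bytes = n_shorts * sizeof(uint16_t);
    return COPY_OK;
}

/* Constructed input: the mapping "AB" as two UTF-16 units (4 bytes). Returns 1
 * when the correct length fits and the doubled length is refused. */
int demo(void)
{
    static const uint16_t ab[] = { 0x0041, 0x0042 };
    struct glyph_unicode ok_len  = { ab, sizeof ab };       /* 4 bytes */
    struct glyph_unicode doubled = { ab, sizeof ab * 2 };   /* bytes misread as shorts */
    unsigned char dst[4];
    size_t n = 0;
    if (copy_glyph_unicode(&ok_len, dst, sizeof dst, &n) != COPY_OK || n != 4)
        return 0;
    return copy_glyph_unicode(&doubled, dst, sizeof dst, &n) == COPY_TOO_SMALL;
}
```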
Comment 1 zhutyra 2024-11-12 03:21:06 UTC
Created attachment 26190: exploit

Exploit for x64 Linux
gs -q -sDEVICE=txtwrite -sOutputFile=/dev/null glyphunicode.ps
Comment 2 Chris Liddell (chrisl) 2024-11-21 11:14:13 UTC
Adopted, but "parked" until the next release.

Thanks Zdenek.
Comment 3 Chris Liddell (chrisl) 2025-03-10 09:53:46 UTC
CVE-2025-27835