| Summary: | [RCE] NPDL device: Compression buffer overflow | ||
|---|---|---|---|
| Product: | Ghostscript | Reporter: | zhutyra |
| Component: | Security (public) | Assignee: | Chris Liddell (chrisl) <chris.liddell> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | carnil, dr, jsmeix, ken.sharp, marc.deslauriers, robin.watts, sam, till.kamppeter, zdohnal |
| Priority: | P2 | ||
| Version: | unspecified | ||
| Hardware: | PC | ||
| OS: | Linux | ||
| Customer: | Word Size: | --- | |
| Attachments: |
patch
exploit |
||
Created attachment 26194 [details]
exploit
Exploit for x64 Linux
gs -q -dNOPAUSE -sDEVICE=npdl -sOutputFile=/dev/null mhcompress.ps
Adopted, but "parked" until the next release. Thanks Zdenek. CVE-2025-27832 |
Created attachment 26193 [details] patch When the "npdl" device allocates a compression buffer, an integer overflow can occur during the multiplication of width and height, leading to allocation of a buffer that is shorter than needed, and subsequently a buffer overflow.