Bug 708192

Summary: [RCE] BJ10V device: Print buffer overflow
Product: Ghostscript
Reporter: zhutyra
Component: Security (public)
Assignee: Chris Liddell (chrisl) <chris.liddell>
Status: RESOLVED FIXED
Severity: normal
CC: carnil, dr, jsmeix, ken.sharp, marc.deslauriers, robin.watts, sam, till.kamppeter, zdohnal
Priority: P2
Version: unspecified
Hardware: PC
OS: Linux
Customer:
Word Size: ---
Attachments: patch, exploit

Description zhutyra 2024-12-13 05:35:58 UTC
Created attachment 26285
patch

In function "bj10v_print_page" during buffer allocation, integer overflow may occur when multiplying width and height, leading to allocation of a buffer that is shorter than needed, and subsequently a buffer overflow.

It would probably be nicer to make more changes, but I just added an overflow check.

Comment 1 zhutyra 2024-12-13 05:37:30 UTC
Created attachment 26286
exploit

Exploit for x64 Linux
gs -q -sDEVICE=bj10v -sOutputFile=/dev/null -dNOPAUSE bjbuf.ps

Comment 2 Chris Liddell (chrisl) 2025-03-10 09:54:56 UTC
CVE-2025-27836
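
The overflow class named in the description (a width times height product that wraps before allocation), shown as an added example; this is not Ghostscript's code and not the attached patch. It assumes the size is computed in 32-bit unsigned arithmetic, and the function names and sample dimensions are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked form: the product is reduced modulo 2^32, so a large
 * width/height pair yields a size far smaller than the data to be written. */
static uint32_t unchecked_size(uint32_t width, uint32_t height)
{
    return width * height;
}

/* Checked form: returns 0 and stores the product in *out when it fits in
 * 32 bits, or -1 (leaving *out untouched) when the product would wrap. */
static int checked_size(uint32_t width, uint32_t height, uint32_t *out)
{
    if (width != 0 && height > UINT32_MAX / width)
        return -1;
    *out = width * height;
    return 0;
}

/* Hypothetical allocator wrapper: refuses wrapped or empty sizes instead of
 * handing back a buffer shorter than the caller will fill. */
static void *alloc_print_buffer(uint32_t width, uint32_t height)
{
    uint32_t size;

    if (checked_size(width, height, &size) != 0 || size == 0)
        return NULL;
    return malloc(size);
}

int main(void)
{
    /* Constructed dimensions: the true product is 0x100010000 bytes. */
    uint32_t w = 0x10000u, h = 0x10001u;
    void *buf = alloc_print_buffer(w, h);

    printf("unchecked size: %lu bytes\n", (unsigned long)unchecked_size(w, h));
    printf("checked allocation: %s\n", buf ? "granted" : "rejected");
    free(buf);
    return 0;
}
```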