| Summary: | [RCE] Buffer overflow during serialization of DollarBlend in font | | |
|---|---|---|---|
| Product: | Ghostscript | Reporter: | zhutyra |
| Component: | Security (public) | Assignee: | Chris Liddell (chrisl) <chris.liddell> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | carnil, dr, jsmeix, ken.sharp, marc.deslauriers, robin.watts, sam, till.kamppeter, zdohnal |
| Priority: | P2 | | |
| Version: | unspecified | | |
| Hardware: | PC | | |
| OS: | Linux | | |
| Customer: | | Word Size: | --- |
| Attachments: | patch, exploit | | |

Created attachment 26353 [details]
exploit
Exploit for x64 Linux.
gs -q -dNODISPLAY dollarblend.ps
CVE-2025-27830

Created attachment 26352 [details]
patch
When determining the length of the "$Blend" array, an unsigned short is used, which can easily overflow and indicate an incorrect length. During the copying process, the entire array is copied, leading to a buffer overflow.
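
The length mismatch described in this report, reduced to a minimal C illustration with the flawed narrowing beside a checked copy. This is an added example, not Ghostscript's code and not the attached patch; the function names, the `float` element type and the choice to reject oversized arrays are assumptions.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flawed pattern: the element count is narrowed to unsigned short before it
   is used for sizing, so USHRT_MAX + 2 elements are recorded as 1. */
size_t recorded_len_narrow(size_t n_elems)
{
    unsigned short len = (unsigned short)n_elems; /* wraps modulo USHRT_MAX + 1 */
    return len;
}

/* Bytes a full-array copy would write past space reserved from the narrowed
   length. The mismatch is only computed here, never performed. */
size_t overrun_bytes(size_t n_elems, size_t elem_size)
{
    size_t reserved = recorded_len_narrow(n_elems) * elem_size;
    size_t copied = n_elems * elem_size;
    return copied > reserved ? copied - reserved : 0;
}

/* Checked form: one size_t count drives the range check, the capacity check
   and the copy. Returns the element count written, or -1 on rejection. */
int serialize_checked(uint8_t *out, size_t out_cap,
                      const float *src, size_t n_elems)
{
    if (n_elems > USHRT_MAX)              /* would not fit the length field */
        return -1;
    if (n_elems > out_cap / sizeof *src)  /* would not fit the destination */
        return -1;
    memcpy(out, src, n_elems * sizeof *src);
    return (int)n_elems;
}

int main(void)
{
    size_t n = (size_t)USHRT_MAX + 2;     /* constructed sample count */
    printf("actual=%zu recorded=%zu overrun=%zu bytes\n",
           n, recorded_len_narrow(n), overrun_bytes(n, sizeof(float)));
    return 0;
}
```

Building with `-Wconversion` flags implicit narrowing of this kind at compile time; the explicit cast in `recorded_len_narrow` is there only to make the truncation visible.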