Bug 708259

Summary: [RCE] Buffer overflow with long TTF font name
Product: Ghostscript Reporter: zhutyra
Component: Security (public) Assignee: Chris Liddell (chrisl) <chris.liddell>
Status: RESOLVED FIXED
Severity: normal CC: carnil, dr, jsmeix, ken.sharp, marc.deslauriers, robin.watts, sam, till.kamppeter, zdohnal
Priority: P2
Version: unspecified
Hardware: PC
OS: Linux
Customer: Word Size: ---
Attachments: patch
trigger
exploit

Description zhutyra 2025-01-20 03:54:36 UTC
Created attachment 26370 [details]
patch

The function "pdfi_ttf_add_to_native_map" does not check the length of the name before copying it to the destination buffer.
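An added illustration of the bug class described above, not Ghostscript's code and not the patch: a hypothetical routine that copies a TrueType 'name' record string into a fixed-size destination buffer and refuses names that would not fit, alongside a constructed name table used to exercise it (the 64-byte capacity and function names are assumptions).

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical example (not Ghostscript's pdfi_ttf_add_to_native_map). */
#define NATIVE_NAME_CAP 64   /* assumed fixed destination buffer size */

/* TrueType tables store integers big-endian. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Copy the string of name record `idx` from a 'name' table into `dst`.
 * 'name' table layout: version(2) count(2) stringOffset(2), then 12-byte
 * records: platformID encodingID languageID nameID length offset.
 * Returns 0 on success, -1 if record or string lies outside the table,
 * -2 if the name is longer than dst can hold (the missing check in the
 * bug class: without it memcpy runs past the end of dst). */
int copy_name_record(const uint8_t *tbl, size_t tbl_len, uint16_t idx,
                     char *dst, size_t dst_cap)
{
    if (tbl_len < 6) return -1;
    uint16_t count = be16(tbl + 2), string_off = be16(tbl + 4);
    if (idx >= count) return -1;
    size_t rec = 6 + (size_t)idx * 12;
    if (rec + 12 > tbl_len) return -1;
    uint16_t len = be16(tbl + rec + 8), off = be16(tbl + rec + 10);
    size_t start = (size_t)string_off + off;
    if (start + len > tbl_len) return -1;      /* string outside table */
    if ((size_t)len + 1 > dst_cap) return -2;  /* would overflow dst  */
    memcpy(dst, tbl + start, len);
    dst[len] = '\0';
    return 0;
}

/* Constructed test table: one record whose string is `len` bytes of 'A'. */
size_t build_name_table(uint8_t *out, size_t out_cap, uint16_t len)
{
    size_t total = 6 + 12 + len;
    if (total > out_cap) return 0;
    memset(out, 0, total);
    out[3] = 1;                                  /* count = 1          */
    out[5] = 18;                                 /* stringOffset = 18  */
    out[6 + 8] = (uint8_t)(len >> 8); out[6 + 9] = (uint8_t)len; /* length */
    memset(out + 18, 'A', len);
    return total;
}

/* Drives one copy of a `len`-byte name into a NATIVE_NAME_CAP buffer. */
int try_name(uint16_t len)
{
    uint8_t tbl[1024]; char dst[NATIVE_NAME_CAP];
    size_t n = build_name_table(tbl, sizeof tbl, len);
    return n ? copy_name_record(tbl, n, 0, dst, sizeof dst) : -1;
}
```

A 10-byte name copies cleanly, while a 200-byte name is rejected with -2 instead of overrunning the buffer.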
Comment 1 zhutyra 2025-01-20 03:58:23 UTC
Created attachment 26371 [details]
trigger

This requires an external font, so this is the font.
Comment 2 zhutyra 2025-01-20 03:59:18 UTC
Created attachment 26372 [details]
exploit

And this then exploits the overflow if the above font is in ./fonts. For x64 Linux.

gs -q -sFONTPATH=$PWD/fonts -dNODISPLAY fontname.ps
Comment 3 Chris Liddell (chrisl) 2025-03-10 09:55:38 UTC
CVE-2025-27833