Bug 708131 - [RCE] Buffer overflow when converting glyphs to unicode
Summary: [RCE] Buffer overflow when converting glyphs to unicode
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Security (public)
Version: unspecified
Hardware: PC Linux
Importance: P2 normal
Assignee: Chris Liddell (chrisl)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-11-12 03:20 UTC by zhutyra
Modified: 2025-03-20 11:21 UTC

See Also:
Customer:
Word Size: ---


Attachments
patch (537 bytes, patch)
2024-11-12 03:20 UTC, zhutyra
exploit (3.34 KB, application/postscript)
2024-11-12 03:21 UTC, zhutyra

Description zhutyra 2024-11-12 03:20:04 UTC
Created attachment 26189
patch

It seems that in the conversion of glyphs to Unicode, there was once a transition from counting in shorts to counting in bytes, and the function `zbfont.c:gs_font_map_glyph_to_unicode` mistakenly copies twice the amount of data. The result is an overflow of the destination buffer.
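As an added illustration of the bug class described in this report (this is not Ghostscript code and not the attached patch; the function and buffer names below are made up for the example), the following C program shows a byte-counted copy that is bounded against its destination, next to the arithmetic a caller still counting in shorts would produce, so the reader can see where a length in bytes scaled by sizeof(short) ends up asking for twice the data:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical illustration of a length-unit mismatch (counting in 16-bit
 * code units vs. counting in bytes). Not Ghostscript code; names are made up. */

#define UNIT_SIZE sizeof(uint16_t)

/* Hardened copy: 'src_bytes' is a byte count, and the copy is refused unless
 * it is a whole number of code units and fits in 'dst_bytes'.
 * Returns the number of bytes copied, or -1 on rejection. */
int unicode_copy_bytes(uint8_t *dst, size_t dst_bytes,
                       const uint16_t *src, size_t src_bytes)
{
    if (src_bytes % UNIT_SIZE != 0 || src_bytes > dst_bytes)
        return -1;
    memcpy(dst, src, src_bytes);
    return (int)src_bytes;
}

/* The defect pattern: the caller now passes a byte length, but the callee
 * still scales it by the unit size as if it were a count of shorts. This
 * only computes how many bytes such a copy would write, so calling it is
 * harmless; it never touches memory. */
size_t bytes_written_if_misinterpreted(size_t len_in_bytes)
{
    return len_in_bytes * UNIT_SIZE;
}

/* Bound check for either convention: does the requested copy fit in
 * dst_bytes? 'len_is_unit_count' says whether 'len' counts shorts or bytes. */
int copy_fits(size_t dst_bytes, size_t len, int len_is_unit_count)
{
    size_t needed = len_is_unit_count ? len * UNIT_SIZE : len;
    return needed <= dst_bytes;
}

/* Constructed sample: four code units (8 bytes) and an 8-byte destination. */
static const uint16_t sample_units[4] = { 0x0041, 0x0042, 0x00E9, 0x20AC };

/* Byte length passed as bytes: exactly fills the destination. Returns 8. */
int demo_safe_copy(void)
{
    uint8_t dst[8] = {0};
    return unicode_copy_bytes(dst, sizeof dst, sample_units, sizeof sample_units);
}

/* Byte length scaled as if it were a short count: asks for 16 bytes into an
 * 8-byte buffer, which the bounded copy rejects. Returns -1. */
int demo_rejected_copy(void)
{
    uint8_t dst[8] = {0};
    size_t wrong_len = bytes_written_if_misinterpreted(sizeof sample_units);
    return unicode_copy_bytes(dst, sizeof dst, sample_units, wrong_len);
}

int main(void)
{
    printf("safe copy returned %d bytes\n", demo_safe_copy());
    printf("misinterpreted length rejected: %d\n", demo_rejected_copy());
    printf("64-byte buffer: 64 as bytes fits=%d, 64 as shorts fits=%d\n",
           copy_fits(64, 64, 0), copy_fits(64, 64, 1));
    return 0;
}
```

The point of the two demo functions is that the same numeric length is safe or unsafe depending only on which unit the callee assumes; a bound check that is expressed in the destination's own unit (bytes here) catches the doubled request before memcpy runs.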
Comment 1 zhutyra 2024-11-12 03:21:06 UTC
Created attachment 26190
exploit

Exploit for x64 Linux
gs -q -sDEVICE=txtwrite -sOutputFile=/dev/null glyphunicode.ps
Comment 2 Chris Liddell (chrisl) 2024-11-21 11:14:13 UTC
Adopted, but "parked" until the next release.

Thanks Zdenek.
Comment 3 Chris Liddell (chrisl) 2025-03-10 09:53:46 UTC
CVE-2025-27835