708131 – [RCE] Buffer overflow when converting glyphs to unicode

Bug 708131 - [RCE] Buffer overflow when converting glyphs to unicode

Summary: [RCE] Buffer overflow when converting glyphs to unicode

Status:	RESOLVED FIXED

Alias:	None

Product:	Ghostscript
Classification:	Unclassified
Component:	Security (public) (show other bugs)
Version:	unspecified
Hardware:	PC Linux

Importance:	P2 normal
Assignee:	Chris Liddell (chrisl)

URL:
Keywords:

Depends on:
Blocks:

Reported:	2024-11-12 03:20 UTC by zhutyra
Modified:	2025-03-20 11:21 UTC (History)
CC List:	9 users (show)

See Also:
Customer:
Word Size:	---

Attachments
patch (537 bytes, patch) 2024-11-12 03:20 UTC, zhutyra	Details \| Diff
exploit (3.34 KB, application/postscript) 2024-11-12 03:21 UTC, zhutyra	Details
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description zhutyra 2024-11-12 03:20:04 UTC

Created attachment 26189 [details]
patch

It seems that in the conversion of glyphs to Unicode, there was once a transition from counting in shorts to counting in bytes, and the function `zbfont.c:gs_font_map_glyph_to_unicode` mistakenly copies twice the amount of data. The result is an overflow of the destination buffer.

Comment 1 zhutyra 2024-11-12 03:21:06 UTC

Created attachment 26190 [details]
exploit

Exploit for x64 Linux
gs -q -sDEVICE=txtwrite -sOutputFile=/dev/null glyphunicode.ps

Comment 2 Chris Liddell (chrisl) 2024-11-21 11:14:13 UTC

Adopted, but "parked" until the next release.

Thanks Zdenek.

Comment 3 Chris Liddell (chrisl) 2025-03-10 09:53:46 UTC

CVE-2025-27835

Comment 4 Chris Liddell (chrisl) 2025-03-20 11:21:22 UTC

Applied:
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=920fae68870