Created attachment 26189 [details] patch It seems that in the conversion of glyphs to Unicode, there was once a transition from counting in shorts to counting in bytes, and the function `zbfont.c:gs_font_map_glyph_to_unicode` mistakenly copies twice the amount of data. The result is an overflow of the destination buffer.
Created attachment 26190 [details] exploit Exploit for x64 Linux gs -q -sDEVICE=txtwrite -sOutputFile=/dev/null glyphunicode.ps
Adopted, but "parked" until the next release. Thanks Zdenek.
CVE-2025-27835
Applied: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=920fae68870