708133 – [RCE] NPDL device: Compression buffer overflow

Bug 708133 - [RCE] NPDL device: Compression buffer overflow

Summary: [RCE] NPDL device: Compression buffer overflow

Status:	RESOLVED FIXED

Alias:	None

Product:	Ghostscript
Classification:	Unclassified
Component:	Security (public) (show other bugs)
Version:	unspecified
Hardware:	PC Linux

Importance:	P2 normal
Assignee:	Chris Liddell (chrisl)

URL:
Keywords:

Depends on:
Blocks:

Reported:	2024-11-12 03:24 UTC by zhutyra
Modified:	2025-03-20 11:23 UTC (History)
CC List:	9 users (show)

See Also:
Customer:
Word Size:	---

Attachments
patch (1.06 KB, patch) 2024-11-12 03:24 UTC, zhutyra	Details \| Diff
exploit (5.28 KB, application/postscript) 2024-11-12 03:25 UTC, zhutyra	Details
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description zhutyra 2024-11-12 03:24:42 UTC

Created attachment 26193 [details]
patch

When the "npdl" device allocates a compression buffer, an integer overflow can occur during the multiplication of width and height, leading to allocation of a buffer that is shorter than needed, and subsequently a buffer overflow.

Comment 1 zhutyra 2024-11-12 03:25:19 UTC

Created attachment 26194 [details]
exploit

Exploit for x64 Linux
gs -q -dNOPAUSE -sDEVICE=npdl -sOutputFile=/dev/null mhcompress.ps

Comment 2 Chris Liddell (chrisl) 2024-11-21 11:14:56 UTC

Adopted, but "parked" until the next release.

Thanks Zdenek.

Comment 3 Chris Liddell (chrisl) 2025-03-10 09:54:10 UTC

CVE-2025-27832

Comment 4 Chris Liddell (chrisl) 2025-03-20 11:23:05 UTC

Applied:
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=36ac25fca7b