Bug 708133 - [RCE] NPDL device: Compression buffer overflow
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Security (public)
Version: unspecified
Hardware: PC Linux
Importance: P2 normal
Assignee: Chris Liddell (chrisl)
Reported: 2024-11-12 03:24 UTC by zhutyra
Modified: 2025-03-20 11:23 UTC

Attachments
patch (1.06 KB, patch)
2024-11-12 03:24 UTC, zhutyra
exploit (5.28 KB, application/postscript)
2024-11-12 03:25 UTC, zhutyra

Description zhutyra 2024-11-12 03:24:42 UTC
Created attachment 26193
patch

When the "npdl" device allocates a compression buffer, an integer overflow can occur during the multiplication of width and height, leading to allocation of a buffer that is shorter than needed, and subsequently a buffer overflow.
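
Added example, not part of the bug report and not the Ghostscript npdl source: a minimal C sketch of the bug class described above, with an unchecked 32-bit width * height size calculation beside a checked one. All function names, the BUF_LIMIT cap and the sample dimensions are assumptions made for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical cap on a single buffer; the real allocator limit is not on the page. */
#define BUF_LIMIT ((uint64_t)INT_MAX)

/* Unchecked pattern: the product is computed in 32 bits and silently wraps.
 * Unsigned arithmetic keeps the wrap well defined for this demonstration. */
static uint32_t unchecked_size(int width, int height)
{
    return (uint32_t)width * (uint32_t)height;
}

/* Checked pattern: reject non-positive dimensions, widen before multiplying,
 * and refuse anything above the cap. Returns 0 on success, -1 on rejection. */
static int checked_size(int width, int height, size_t *out)
{
    if (width <= 0 || height <= 0)
        return -1;
    /* Both factors are below 2^31, so the 64-bit product cannot wrap. */
    uint64_t need = (uint64_t)width * (uint64_t)height;
    if (need > BUF_LIMIT)
        return -1;
    *out = (size_t)need;
    return 0;
}

/* Allocation wrapper that fails closed instead of returning a short buffer. */
static unsigned char *alloc_compress_buf(int width, int height)
{
    size_t n;
    if (checked_size(width, height, &n) != 0)
        return NULL;
    return malloc(n);
}

int main(void)
{
    int w = 65536, h = 65537;   /* constructed sample dimensions */
    unsigned char *buf = alloc_compress_buf(w, h);
    printf("bytes needed:   %llu\n", (unsigned long long)w * (unsigned long long)h);
    printf("unchecked size: %u\n", unchecked_size(w, h));
    printf("checked alloc:  %s\n", buf ? "allocated" : "rejected");
    free(buf);
    return 0;
}
```

With the constructed dimensions, the unchecked calculation yields a size far smaller than the data later written into the buffer, which is the short-allocation condition the description refers to.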
Comment 1 zhutyra 2024-11-12 03:25:19 UTC
Created attachment 26194
exploit

Exploit for x64 Linux
gs -q -dNOPAUSE -sDEVICE=npdl -sOutputFile=/dev/null mhcompress.ps
Comment 2 Chris Liddell (chrisl) 2024-11-21 11:14:56 UTC
Adopted, but "parked" until the next release.

Thanks Zdenek.
Comment 3 Chris Liddell (chrisl) 2025-03-10 09:54:10 UTC
CVE-2025-27832