Bug 708192 - [RCE] BJ10V device: Print buffer overflow
Summary: [RCE] BJ10V device: Print buffer overflow
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Security (public) (show other bugs)
Version: unspecified
Hardware: PC Linux
: P2 normal
Assignee: Chris Liddell (chrisl)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-12-13 05:35 UTC by zhutyra
Modified: 2025-03-20 11:43 UTC (History)
9 users (show)

See Also:
Customer:
Word Size: ---


Attachments
patch (1.98 KB, patch)
2024-12-13 05:35 UTC, zhutyra
Details | Diff
exploit (3.49 KB, application/postscript)
2024-12-13 05:37 UTC, zhutyra
Details

Note You need to log in before you can comment on or make changes to this bug.
Description zhutyra 2024-12-13 05:35:58 UTC
Created attachment 26285 [details]
patch

In function "bj10v_print_page" during buffer allocation, integer overflow may occur when multiplying width and height, leading to allocation of a buffer that is shorter than needed, and subsequently a buffer overflow.

It would probably be nicer to make more changes, but I just added an overflow check.
Comment 1 zhutyra 2024-12-13 05:37:30 UTC
Created attachment 26286 [details]
exploit

Exploit for x64 Linux
gs -q -sDEVICE=bj10v -sOutputFile=/dev/null -dNOPAUSE bjbuf.ps
Comment 2 Chris Liddell (chrisl) 2025-03-10 09:54:56 UTC
CVE-2025-27836