Created attachment 26285
patch

In function "bj10v_print_page" during buffer allocation, integer overflow may occur when multiplying width and height, leading to allocation of a buffer that is shorter than needed, and subsequently a buffer overflow. It would probably be nicer to make more changes, but I just added an overflow check.
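The kind of overflow check described in the comment above, as an added example that is not the attached patch or Ghostscript's own code. The names `checked_area`, `wrapped_area` and `alloc_page_buffer` are hypothetical, and the sketch assumes the dimensions are held in a 32-bit `int`.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper: store width * height in *out when it fits in an int.
 * Returns 0 on success, -1 when the dimensions are invalid or would overflow. */
int checked_area(int width, int height, int *out)
{
    if (width <= 0 || height <= 0)
        return -1;                  /* reject empty or negative dimensions */
    if (width > INT_MAX / height)
        return -1;                  /* width * height would exceed INT_MAX */
    *out = width * height;
    return 0;
}

/* What an unchecked 32-bit multiplication leaves behind: the product
 * truncated to 32 bits (unsigned arithmetic avoids undefined behaviour). */
unsigned int wrapped_area(int width, int height)
{
    return (unsigned int)width * (unsigned int)height;
}

/* Allocate a width * height byte buffer, refusing when the size overflows. */
unsigned char *alloc_page_buffer(int width, int height, size_t *size)
{
    int area;
    if (checked_area(width, height, &area) != 0)
        return NULL;                /* caller must treat this as an error */
    *size = (size_t)area;
    return calloc(*size, 1);
}

int main(void)
{
    size_t size = 0;
    unsigned char *buf = alloc_page_buffer(65536, 65537, &size);
    printf("unchecked 65536 * 65537 wraps to %u bytes\n",
           wrapped_area(65536, 65537));
    printf("checked allocation %s\n", buf ? "succeeded" : "refused");
    free(buf);
    return 0;
}
```
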
Created attachment 26286
exploit

Exploit for x64 Linux
gs -q -sDEVICE=bj10v -sOutputFile=/dev/null -dNOPAUSE bjbuf.ps
CVE-2025-27836
Applied: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=db77f4c0ce0