708192 – [RCE] BJ10V device: Print buffer overflow

Bug 708192 - [RCE] BJ10V device: Print buffer overflow

Summary: [RCE] BJ10V device: Print buffer overflow

Status:	RESOLVED FIXED

Alias:	None

Product:	Ghostscript
Classification:	Unclassified
Component:	Security (public) (show other bugs)
Version:	unspecified
Hardware:	PC Linux

Importance:	P2 normal
Assignee:	Chris Liddell (chrisl)

URL:
Keywords:

Depends on:
Blocks:

Reported:	2024-12-13 05:35 UTC by zhutyra
Modified:	2025-03-20 11:43 UTC (History)
CC List:	9 users (show)

See Also:
Customer:
Word Size:	---

Attachments
patch (1.98 KB, patch) 2024-12-13 05:35 UTC, zhutyra	Details \| Diff
exploit (3.49 KB, application/postscript) 2024-12-13 05:37 UTC, zhutyra	Details
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description zhutyra 2024-12-13 05:35:58 UTC

Created attachment 26285 [details]
patch

In function "bj10v_print_page" during buffer allocation, integer overflow may occur when multiplying width and height, leading to allocation of a buffer that is shorter than needed, and subsequently a buffer overflow.

It would probably be nicer to make more changes, but I just added an overflow check.

Comment 1 zhutyra 2024-12-13 05:37:30 UTC

Created attachment 26286 [details]
exploit

Exploit for x64 Linux
gs -q -sDEVICE=bj10v -sOutputFile=/dev/null -dNOPAUSE bjbuf.ps

Comment 2 Chris Liddell (chrisl) 2025-03-10 09:54:56 UTC

CVE-2025-27836

Comment 3 Chris Liddell (chrisl) 2025-03-20 11:43:15 UTC

Applied:

https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=db77f4c0ce0