708241 – [RCE] Buffer overflow during serialization of DollarBlend in font

Bug 708241 - [RCE] Buffer overflow during serialization of DollarBlend in font

Summary: [RCE] Buffer overflow during serialization of DollarBlend in font

Status:	RESOLVED FIXED

Alias:	None

Product:	Ghostscript
Classification:	Unclassified
Component:	Security (public) (show other bugs)
Version:	unspecified
Hardware:	PC Linux

Importance:	P2 normal
Assignee:	Chris Liddell (chrisl)

URL:
Keywords:

Depends on:
Blocks:

Reported:	2025-01-09 10:53 UTC by zhutyra
Modified:	2025-03-20 11:44 UTC (History)
CC List:	9 users (show)

See Also:
Customer:
Word Size:	---

Attachments
patch (2.23 KB, patch) 2025-01-09 10:53 UTC, zhutyra	Details \| Diff
exploit (3.30 KB, application/postscript) 2025-01-09 10:53 UTC, zhutyra	Details
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description zhutyra 2025-01-09 10:53:02 UTC

Created attachment 26352 [details]
patch

When determining the length of the "$Blend" array, an unsigned short is used, which can easily overflow and indicate an incorrect length. During the copying process, the entire array is copied, leading to a buffer overflow.

Comment 1 zhutyra 2025-01-09 10:53:53 UTC

Created attachment 26353 [details]
exploit

Exploit for x64 Linux.

gs -q -dNODISPLAY dollarblend.ps

Comment 2 Chris Liddell (chrisl) 2025-03-10 09:55:17 UTC

CVE-2025-27830

Comment 3 Chris Liddell (chrisl) 2025-03-13 09:30:09 UTC

Fixed:

https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=dc17ab3fe8c