Bug 708241 - [RCE] Buffer overflow during serialization of DollarBlend in font
Summary: [RCE] Buffer overflow during serialization of DollarBlend in font
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Security (public)
Version: unspecified
Hardware: PC Linux
Importance: P2 normal
Assignee: Chris Liddell (chrisl)
URL:
Keywords:
Depends on:
Blocks:
Reported: 2025-01-09 10:53 UTC by zhutyra
Modified: 2025-03-20 11:44 UTC

See Also:
Customer:
Word Size: ---


Attachments
patch (2.23 KB, patch)
2025-01-09 10:53 UTC, zhutyra
exploit (3.30 KB, application/postscript)
2025-01-09 10:53 UTC, zhutyra

Description zhutyra 2025-01-09 10:53:02 UTC
Created attachment 26352 [details]
patch

When determining the length of the "$Blend" array, an unsigned short is used, which can easily overflow and indicate an incorrect length. During the copying process, the entire array is copied, leading to a buffer overflow.
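The bug class the report describes, as an added illustration (constructed example code, not Ghostscript's source; the function names, the 32-bit element type and the sample count of 70000 are assumptions): a count is narrowed to an unsigned short before it sizes the destination, while the copy uses the full count, and the hardened serializer validates the count before the narrowing conversion.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Length field as the vulnerable pattern computes it: the element count is
   stored in an unsigned short, so 70000 silently becomes 70000 - 65536 = 4464. */
unsigned short blend_len_truncated(size_t count)
{
    unsigned short len = (unsigned short)count;   /* narrowing conversion wraps */
    return len;
}

/* Mismatch between the buffer sized from the truncated field and the bytes the
   copy actually writes. Returns the number of bytes that would land past the
   end of the buffer (0 when the count fits). Computed, not performed. */
size_t overflow_bytes(size_t count, size_t elem_size)
{
    size_t alloc  = (size_t)blend_len_truncated(count) * elem_size;
    size_t copied = count * elem_size;
    return copied > alloc ? copied - alloc : 0;
}

/* Hardened serializer: reject counts the 16-bit field cannot hold before any
   allocation, and size the destination from the same count used for the copy.
   Returns 0 on success, -1 on an unrepresentable count or allocation failure. */
int serialize_blend(const int32_t *src, size_t count,
                    unsigned char **out, unsigned short *out_len)
{
    if (count > USHRT_MAX)
        return -1;
    size_t nbytes = count * sizeof(int32_t);
    unsigned char *buf = malloc(nbytes ? nbytes : 1);
    if (buf == NULL)
        return -1;
    memcpy(buf, src, nbytes);
    *out = buf;
    *out_len = (unsigned short)count;
    return 0;
}

/* Round-trips a small constructed array through the hardened serializer. */
int roundtrip_ok(void)
{
    const int32_t sample[3] = { 10, 20, 30 };         /* constructed input */
    unsigned char *out = NULL;
    unsigned short len = 0;
    if (serialize_blend(sample, 3, &out, &len) != 0) return 0;
    int ok = (len == 3) && memcmp(out, sample, sizeof sample) == 0;
    free(out);
    return ok;
}
```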
Comment 1 zhutyra 2025-01-09 10:53:53 UTC
Created attachment 26353 [details]
exploit

Exploit for x64 Linux.

gs -q -dNODISPLAY dollarblend.ps
Comment 2 Chris Liddell (chrisl) 2025-03-10 09:55:17 UTC
CVE-2025-27830