Created attachment 26370 [details] patch The function "pdfi_ttf_add_to_native_map" does not check the length of the name before copying it to the destination buffer.
Created attachment 26371 [details] trigger This requires an external font, so this is the font.
Created attachment 26372 [details] exploit And this then exploits the overflow if the above font is in ./fonts. For x64 Linux. gs -q -sFONTPATH=$PWD/fonts -dNODISPLAY fontname.ps
CVE-2025-27833
Fixed: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=477e36cfa1f