Bug 708259 - [RCE] Buffer overflow with long TTF font name
Summary: [RCE] Buffer overflow with long TTF font name
Status: RESOLVED FIXED
Alias: None
Product: Ghostscript
Classification: Unclassified
Component: Security (public)
Version: unspecified
Hardware: PC Linux
Importance: P2 normal
Assignee: Chris Liddell (chrisl)
URL:
Keywords:
Depends on:
Blocks:
Reported: 2025-01-20 03:54 UTC by zhutyra
Modified: 2025-03-20 11:45 UTC
CC: 9 users

See Also:
Customer:
Word Size: ---


Attachments
patch (620 bytes, patch)
2025-01-20 03:54 UTC, zhutyra
trigger (5.07 KB, application/octet-stream)
2025-01-20 03:58 UTC, zhutyra
exploit (22.59 KB, application/postscript)
2025-01-20 03:59 UTC, zhutyra

Description zhutyra 2025-01-20 03:54:36 UTC
Created attachment 26370
patch

The function "pdfi_ttf_add_to_native_map" does not check the length of the name before copying it to the destination buffer.
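The missing check the report describes, shown as an added illustration rather than Ghostscript's own code: a TrueType 'name' record carries a 16-bit length that the font file controls, and copying that many bytes into a fixed destination without comparing the two is the overflow pattern. The buffer size (32 bytes), the function names and the sample records below are assumptions made for this demo; only the 12-byte name record layout follows the TrueType/OpenType specification. The unchecked variant is kept for contrast and is only ever called with a name that fits.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed destination buffer the name is copied into.
 * This number is made up for the demo; it is not Ghostscript's buffer size. */
#define NAME_BUF_SIZE 32

/* One TrueType 'name' table record (12 bytes on disk, big-endian fields).
 * length/offset locate the name string inside the table's string storage. */
typedef struct {
    uint16_t platform_id, encoding_id, language_id, name_id;
    uint16_t length, offset;
} name_record;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

static name_record parse_name_record(const uint8_t rec[12])
{
    name_record r;
    r.platform_id = rd16(rec + 0);
    r.encoding_id = rd16(rec + 2);
    r.language_id = rd16(rec + 4);
    r.name_id     = rd16(rec + 6);
    r.length      = rd16(rec + 8);
    r.offset      = rd16(rec + 10);
    return r;
}

/* The vulnerable pattern: the font-controlled length field drives memcpy into a
 * fixed-size buffer, so any length >= NAME_BUF_SIZE writes past dst.
 * Shown for contrast only; the demo never calls it with an oversized record. */
void add_to_native_map_unchecked(char dst[NAME_BUF_SIZE], const uint8_t *storage,
                                 const name_record *r)
{
    memcpy(dst, storage + r->offset, r->length);
    dst[r->length] = '\0';
}

/* Hardened form: the record must lie inside the string storage, and the name
 * plus its NUL must fit in dst. Returns 0 on success, -1 when rejected. */
int add_to_native_map_checked(char dst[NAME_BUF_SIZE], const uint8_t *storage,
                              size_t storage_len, const name_record *r)
{
    if ((size_t)r->offset + (size_t)r->length > storage_len)
        return -1;                  /* record points past the end of the table */
    if (r->length >= NAME_BUF_SIZE)
        return -1;                  /* would overflow dst or leave no room for NUL */
    memcpy(dst, storage + r->offset, r->length);
    dst[r->length] = '\0';
    return 0;
}

/* Constructed sample records (not taken from the reporter's trigger file):
 * platform 3 (Windows), encoding 1, language 0x0409, nameID 1 (family name). */
static const uint8_t sample_oversized_record[12] = {   /* length 200, offset 0 */
    0x00,0x03, 0x00,0x01, 0x04,0x09, 0x00,0x01, 0x00,0xC8, 0x00,0x00 };
static const uint8_t sample_benign_record[12] = {      /* length 5, offset 0 */
    0x00,0x03, 0x00,0x01, 0x04,0x09, 0x00,0x01, 0x00,0x05, 0x00,0x00 };
static const uint8_t sample_oob_record[12] = {         /* length 10, offset 195 */
    0x00,0x03, 0x00,0x01, 0x04,0x09, 0x00,0x01, 0x00,0x0A, 0x00,0xC3 };

/* 1 if a 200-byte name is rejected by the checked path, else 0. */
int demo_oversized_rejected(void)
{
    uint8_t storage[200];
    char dst[NAME_BUF_SIZE] = {0};
    name_record r = parse_name_record(sample_oversized_record);
    memset(storage, 'A', sizeof storage);
    return add_to_native_map_checked(dst, storage, sizeof storage, &r) == -1;
}

/* 1 if a record whose offset+length runs past the 200-byte table is rejected. */
int demo_oob_rejected(void)
{
    uint8_t storage[200];
    char dst[NAME_BUF_SIZE] = {0};
    name_record r = parse_name_record(sample_oob_record);
    memset(storage, 'A', sizeof storage);
    return add_to_native_map_checked(dst, storage, sizeof storage, &r) == -1;
}

/* 1 if the benign name "Arial" is copied intact and NUL-terminated by both paths. */
int demo_benign_copied(void)
{
    const uint8_t storage[] = "Arial";
    char checked[NAME_BUF_SIZE] = {0}, unchecked[NAME_BUF_SIZE] = {0};
    name_record r = parse_name_record(sample_benign_record);
    if (add_to_native_map_checked(checked, storage, 5, &r) != 0)
        return 0;
    add_to_native_map_unchecked(unchecked, storage, &r);   /* safe here: 5 < 32 */
    return strcmp(checked, "Arial") == 0 && strcmp(unchecked, "Arial") == 0;
}

int main(void)
{
    printf("200-byte name rejected:     %s\n", demo_oversized_rejected() ? "yes" : "no");
    printf("record past table rejected: %s\n", demo_oob_rejected() ? "yes" : "no");
    printf("\"Arial\" copied correctly:   %s\n", demo_benign_copied() ? "yes" : "no");
    return 0;
}
```

The checked variant rejects rather than truncates: a silently truncated font name could be matched against the wrong native font, so refusing the record is the safer failure mode. Note that the length bound must be checked against the destination, not only against the table, since a record can be entirely inside the font file and still be far longer than the buffer it is copied into.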
Comment 1 zhutyra 2025-01-20 03:58:23 UTC
Created attachment 26371
trigger

This requires an external font, so this is the font.
Comment 2 zhutyra 2025-01-20 03:59:18 UTC
Created attachment 26372
exploit

And this then exploits the overflow if the above font is in ./fonts. For x64 Linux.

gs -q -sFONTPATH=$PWD/fonts -dNODISPLAY fontname.ps
Comment 3 Chris Liddell (chrisl) 2025-03-10 09:55:38 UTC
CVE-2025-27833