Artifex Ghostscript Buffer Overflow Vulnerability in TTF Font Name Handling

A buffer overflow vulnerability has been identified in Artifex Ghostscript versions prior to 10.05.0. The issue arises in the PDF font mapping component, specifically within the 'pdfi_ttf_add_to_native_map' function, which fails to validate the length of TrueType font names before copying them to a destination buffer. This oversight can be exploited by providing a long font name, leading to potential memory corruption.

Impact

Exploitation of this vulnerability causes a buffer overflow, which can commonly lead to arbitrary code execution or memory corruption.

Reproduction

The vulnerability can be reproduced by placing a long TrueType font name into a PostScript file and then using Ghostscript to process the file. The 'fontname.ps' attachment in Bug 708259 serves as an example of such a file. Ghostscript should be run with the ' -sFONTPATH' option pointing to the directory containing the font, and the ' -dNODISPLAY' option to suppress output.

Remediation

Users can upgrade to Ghostscript version 10.05.0 or later, where this vulnerability has been fixed.