Artifex Ghostscript Buffer Overflow Vulnerability in Type 4 Functions

A buffer overflow vulnerability has been identified in Artifex Ghostscript versions prior to 10.05.0. The issue arises in the PDF processing component, specifically within the 'pdf_func.c' file. The vulnerability is triggered by an oversized Type 4 function in a PDF document, which causes the allocated buffer to be smaller than necessary, leading to a potential buffer overflow.

Impact

Exploitation of this vulnerability causes a buffer overflow, which can lead to arbitrary code execution.

Reproduction

The vulnerability can be reproduced by creating a PDF document with a large Type 4 function definition. This oversized function will overflow the uint counter, causing a buffer allocation that is insufficient for the data being processed. Once the malicious PDF is crafted, it can be processed by Ghostscript using the 'gs' command with the '-q -dNODISPLAY' options, which suppress output and disable display, respectively. This exploitation requires approximately 6GB of memory.

Remediation

Users can upgrade to Ghostscript version 10.05.0 or later, where this vulnerability has been fixed.