Artifex Ghostscript before 9.53.0 has an out-of-bounds write and use-after-free in devices/vector/gdevtxtw.c (for txtwrite) because a single character code in a PDF document can map to more than one Unicode code point (e.g., for a ligature).
The vulnerability occurs in the file devices/vector/gdevtxtw.c, responsible for the txtwrite function. The problem appears when a single character code in a PDF document is mapped to more than one Unicode code point — a typical situation, for example, with ligatures. Improper memory management in this case leads to both out-of-bounds write (CWE-787) and use-after-free (CWE-416). An attacker can provide such a document for processing by vulnerable software, for example, as a file for conversion or printing.
An attacker can trigger arbitrary code execution (RCE) in the context of the document processing application or cause application crash. In the worst case scenario, it is possible to take control of the system without authentication.
Artifex Ghostscript should be updated to version 9.53.0 or later. A patch is available in the official project repository and as part of the gs9530 release on the vendor's website.
Artifex Ghostscript in all versions before 9.53.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HArtifex Ghostscript
APPArtifex9.519.529.52.19.53.0
Related vulnerabilities
Path Traversal w Artifex Ghostscript przez nieprawidłowe znaki UTF-8
Buffer overflow w urządzeniu BJ10V w Artifex Ghostscript
Buffer overflow w Artifex Ghostscript — urządzenie DOCXWRITE/TXTWRITE
Buffer overflow w urządzeniu NPDL Artifex Ghostscript (kompresja)
In Artifex Ghostscript through 10.01.0, there is a buffer overflow leading to potential corruption of data int...