This vulnerability was analyzed during Episode 206 on 25 April 2023
A pretty classic string-escaping bug in GhostScript. One common and buggy edge case when escaping characters in a buffer is failing to account for an escape that lands at the very limit of the destination buffer. That was the case here: although the loop checked on every iteration that the limit of the buffer had not been reached, when it found a character that needed escaping it wrote to the destination buffer twice, first the escape character (0x01) and then an XOR'd version of the character being escaped. If that character was the last one before the end pointer marking the end of the buffer, the second write landed one byte too far, so by the time the loop condition ran again it had already written once out of bounds.
This out-of-bounds write, and the corresponding movement of the write pointer beyond the end pointer, means later calculations of remaining buffer space are completely incorrect (they turn into a negative number, or a very large positive number when treated as unsigned), allowing subsequent filters to overwrite adjacent memory.
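As an added example (constructed for this summary, not GhostScript's code), the C below reproduces the one-byte-check, two-byte-write pattern beside the corrected loop that requires room for both bytes before escaping. The 0x01 escape byte comes from the write-up; the XOR key 0x40, the set of bytes treated as escapable, and the sample input are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

#define ESC_CHAR 0x01  /* escape marker named in the write-up */
#define XOR_KEY  0x40  /* assumed key the escaped byte is XOR'd with */

/* Assumed rule for the demo: control bytes must be escaped. */
static int needs_escape(uint8_t c) { return c < 0x20; }

/* Escapes src into dst[0..dst_len) and returns wlimit - q, the remaining
 * space a later stage would trust; negative means the loop overran.
 * hardened == 0: only one byte of room is checked per iteration, yet an
 * escape emits two bytes (the bug). hardened == 1: require room for both. */
ptrdiff_t encode(const uint8_t *src, size_t src_len,
                 uint8_t *dst, size_t dst_len, int hardened)
{
    uint8_t *q = dst, *wlimit = dst + dst_len;
    for (size_t i = 0; i < src_len; i++) {
        uint8_t ch = src[i];
        if (q >= wlimit)
            break;                      /* per-iteration limit check */
        if (needs_escape(ch)) {
            if (hardened && wlimit - q < 2)
                break;                  /* fix: two bytes needed, stop here */
            *q++ = ESC_CHAR;
            *q++ = ch ^ XOR_KEY;        /* unhardened: can land on wlimit */
        } else {
            *q++ = ch;
        }
    }
    return wlimit - q;
}

/* Constructed input: the last byte needs escaping with exactly one byte of
 * room left. The window is 3 bytes; buf[3] is a sentinel that keeps the overrun
 * inside the array instead of corrupting whatever follows it. */
static const uint8_t SAMPLE[] = { 'A', 'B', 0x03 };

ptrdiff_t demo_remaining(int hardened)
{
    uint8_t buf[4] = { 0, 0, 0, 0xEE };
    return encode(SAMPLE, sizeof SAMPLE, buf, 3, hardened);
}

int demo_sentinel_clobbered(int hardened)
{
    uint8_t buf[4] = { 0, 0, 0, 0xEE };
    encode(SAMPLE, sizeof SAMPLE, buf, 3, hardened);
    return buf[3] != 0xEE;  /* 1 when the escaped byte overwrote the sentinel */
}
```

The negative return value from the unhardened path is the incorrect remaining-space figure the text describes; a later stage that reinterprets it as unsigned sees an enormous buffer.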