A heap-based buffer overflow was found in the ghostscript jbig2_decode_gray_scale_image() function, which is used to decode halftone segments in a JBIG2 image. A document (PostScript or PDF) containing a specially crafted embedded JBIG2 image could trigger a segmentation fault in ghostscript.
A heap-buffer overflow caused by an integer overflow was found in jbig2dec-0.13, the JBIG2 image decoder bundled with ghostscript. The root cause is an add-one integer overflow: a count derived from the input file is incremented past the maximum value of its type and wraps to zero. The wrapped value is passed to malloc() as the size argument, so a zero-byte buffer is allocated. Later accesses to that buffer then run out of bounds. Whether the result is an out-of-bounds read or an out-of-bounds write can be controlled by crafting the input .jb2 file. The flaw can cause a denial of service (crash) or possibly memory corruption.
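The following is an added illustration of the bug class described above, not code from this bug report or from jbig2dec itself. It models a pattern dictionary whose entry count is an attacker-controlled 32-bit field plus one, and a halftone lookup that clamps a gray value to count - 1; the field name graymax, the clamp-style lookup and the helper names are assumptions made for the example. The vulnerable helpers show the +1 wrap, the resulting malloc(0), and the unsigned underflow in the clamp; the hardened helpers show the checks a decoder needs before allocating and indexing.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, modelled on the description of the jbig2dec-0.13 flaw.
 * The names below (graymax, count_patterns_*, clamp_index_*) are
 * assumptions for illustration, not identifiers from jbig2dec. */

/* Vulnerable count: 0xFFFFFFFF + 1 wraps to 0 in uint32_t. */
static uint32_t count_patterns_vuln(uint32_t graymax)
{
    return graymax + 1;
}

/* Vulnerable size computation: with a wrapped count of 0 the
 * decoder ends up calling malloc(0) for the pattern array. */
static size_t alloc_bytes_vuln(uint32_t graymax)
{
    uint32_t n = count_patterns_vuln(graymax);
    return (size_t)n * sizeof(uint32_t);   /* 0 * 4 == 0 */
}

/* Vulnerable clamp: "if gray >= n then gray = n - 1" underflows when
 * n == 0, yielding index 0xFFFFFFFF into a zero-byte buffer. */
static uint32_t clamp_index_vuln(uint32_t gray, uint32_t n)
{
    if (gray >= n)
        gray = n - 1;
    return gray;
}

/* Hardened count: reject the one value whose +1 cannot be represented,
 * then do the size arithmetic in 64 bits with an explicit bound check.
 * Returns 0 on success and -1 if the request must be refused. */
static int count_patterns_safe(uint32_t graymax, size_t *out_bytes)
{
    if (graymax == UINT32_MAX)
        return -1;                              /* +1 would wrap */
    uint64_t n = (uint64_t)graymax + 1;
    if (n > SIZE_MAX / sizeof(uint32_t))
        return -1;                              /* n * elem would wrap size_t */
    *out_bytes = (size_t)(n * sizeof(uint32_t));
    return 0;
}

/* Hardened lookup: an empty dictionary is an error, never index n - 1. */
static int clamp_index_safe(uint32_t gray, uint32_t n, uint32_t *out)
{
    if (n == 0)
        return -1;
    *out = (gray >= n) ? n - 1 : gray;
    return 0;
}

int main(void)
{
    /* Constructed input: a graymax field of 0xFFFFFFFF from a crafted file. */
    uint32_t graymax = UINT32_MAX;
    size_t bytes = 0;
    uint32_t idx = 0;

    printf("vulnerable: count=%u malloc_size=%zu clamped_index=%u\n",
           count_patterns_vuln(graymax), alloc_bytes_vuln(graymax),
           clamp_index_vuln(7, count_patterns_vuln(graymax)));
    printf("hardened: count check=%d, lookup on empty dict=%d\n",
           count_patterns_safe(graymax, &bytes),
           clamp_index_safe(7, 0, &idx));
    return 0;
}
```

The point of the hardened pair is that the overflow must be rejected before the size reaches malloc(): once a zero-length buffer exists, every later bounds check that computes n - 1 is already working from a corrupted count.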
Name: Bingchang Liu (IIE)
Created ghostscript tracking bugs for this issue:
Affects: fedora-all [bug 1410022]
RHEL-6 and older are not affected: the vulnerability is in the JBIG2 halftone region support, which was added in ghostscript-9.05 (RHEL-6 ships ghostscript-8.70).