The vulnerability occurs in the "rsearch" PostScript function, as implemented in: https://github.com/ArtifexSoftware/ghostpdl/blob/master/psi/zstring.c#L109

When conducting a reverse search for an empty string in an empty string as follows:

```
%!PS
() dup rsearch
```

the length of the pre-match result is decremented from zero, resulting in a string reference of length 2**32-1. This may subsequently be used to read and write up to 4GB of memory.
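To make the failure mode concrete, here is an added C illustration; it is not Ghostscript's code and does not reproduce the logic in zstring.c. It models `rsearch` as a bounded reverse substring search that returns `post`, `match` and `pre` as (offset, length) references into the parent string, keeps the loop index from being decremented past zero, and carries a bounds invariant (`ref_in_bounds`, a hypothetical helper) that a wrapped length such as 2**32-1 fails. The inputs, including the advisory's `() dup rsearch`, are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* A substring reference into a parent buffer: (offset, length), which is the
   shape a PostScript string object effectively carries. */
typedef struct {
    uint32_t off;
    uint32_t len;
} str_ref;

/* Result of `string seek rsearch`: post, match and pre as references into the
   original string, plus the found flag. */
typedef struct {
    str_ref post, match, pre;
    bool found;
} rsearch_result;

/* Invariant a correct search must preserve: every reference stays inside the
   parent buffer. The subtraction is arranged so that off + len cannot wrap. */
bool ref_in_bounds(str_ref r, uint32_t parent_len)
{
    return r.off <= parent_len && r.len <= parent_len - r.off;
}

/* Bounded reverse search (hypothetical model, not the Ghostscript code).
   Candidate start positions run from the last possible one down to 0; the
   index is tested before it is decremented, so an empty seek in an empty
   string yields three empty references instead of a wrapped length. */
rsearch_result rsearch_checked(const uint8_t *s, uint32_t size,
                               const uint8_t *seek, uint32_t count)
{
    rsearch_result r = {{0, 0}, {0, 0}, {0, 0}, false};
    if (count > size)
        return r;                              /* cannot fit: not found */
    uint32_t pos = size - count;               /* highest candidate start */
    for (;;) {
        if (memcmp(s + pos, seek, count) == 0) {
            r.found = true;
            r.pre   = (str_ref){0, pos};                        /* bytes before the match */
            r.match = (str_ref){pos, count};
            r.post  = (str_ref){pos + count, size - pos - count};
            return r;
        }
        if (pos == 0)
            break;                             /* checked before decrementing */
        pos--;
    }
    return r;
}

/* The defect the advisory describes, isolated: a pre-match length obtained by
   decrementing an unsigned zero wraps to 2**32-1. */
uint32_t wrapped_pre_len(void)
{
    uint32_t pre_len = 0;
    pre_len--;                                 /* 0 - 1 in uint32_t */
    return pre_len;
}

int main(void)
{
    /* Constructed inputs: the advisory's "() dup rsearch" and an ordinary case. */
    rsearch_result e = rsearch_checked((const uint8_t *)"", 0, (const uint8_t *)"", 0);
    printf("empty/empty: found=%d pre=%u match=%u post=%u\n",
           e.found, e.pre.len, e.match.len, e.post.len);

    rsearch_result n = rsearch_checked((const uint8_t *)"abcabc", 6,
                                       (const uint8_t *)"bc", 2);
    printf("abcabc/bc: found=%d pre=%u match@%u post=%u\n",
           n.found, n.pre.len, n.match.off, n.post.len);

    /* A reference built from the wrapped length violates the invariant. */
    str_ref bad = {0, wrapped_pre_len()};
    printf("wrapped ref (len=%u) in bounds of empty string? %d\n",
           bad.len, ref_in_bounds(bad, 0));
    return 0;
}
```

The point of `ref_in_bounds` is that the advisory's 4GB read/write window exists only because a (offset, length) pair escaped its parent buffer; validating every derived reference against the parent length at the point of creation is the check that catches that class of error regardless of which arithmetic produced it.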
The vulnerability affects ghostscript versions >= 9.50, and has been introduced by upstream commit 7ecbfda92b4c8dbf6f6c2bf8fc82020a29219eff
Acknowledgments: Name: Chris Liddell (Artifex) Upstream: Timothy Goddard (Insomnia Security)
Upstream fix: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b
Created ghostscript tracking bugs for this issue: Affects: fedora-all [bug 1862005]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-15900