CVE-2023-46751: Artifex Ghostscript Dangling Pointer Vulnerability in gdev_prn_open_printer_seekable() Function
A security vulnerability has been discovered in the popular Artifex Ghostscript software, which is used to render and manipulate PDF and PostScript files. This vulnerability, identified as CVE-2023-46751, exists in the gdev_prn_open_printer_seekable() function and can be exploited by remote attackers to crash the application by triggering a dangling pointer.
The affected version is Artifex Ghostscript through 10.02..
This blog post will provide details about the vulnerability, its impact, and exploitation, along with necessary code snippets and links to the original references.
Vulnerability Description
The vulnerability stems from a dangling pointer issue in the gdev_prn_open_printer_seekable() function, which is part of the Ghostscript graphics library. A dangling pointer is a pointer that doesn't point to a valid object, typically resulting from memory that has been freed but not properly cleaned up. When an attacker can control the data that a dangling pointer accesses, they can cause an application to crash or possibly execute arbitrary code.
In the case of CVE-2023-46751, an attacker can craft a malicious PDF or PostScript file that, when processed by Ghostscript, will cause the gdev_prn_open_printer_seekable() function to encounter a dangling pointer, ultimately leading to a crash or potential arbitrary code execution.
Here is a snippet of the vulnerable code in the gdev_prn_open_printer_seekable() function
`
int gdev_prn_open_printer_seekable(gx_device *pdev, bool binary_mode, bool seekable)
{
gx_device_printer *const ppdev = (gx_device_printer *)pdev;
int code = gdev_prn_open_printer_(pdev, binary_mode, seekable);
if (code < )
return code;
if (ppdev->file == NULL) {
ppdev->file = gp_open_scratch_file_imaged(pdev->memory, ppdev->dname, &ppdev->file_memory);
if (ppdev->file == NULL) {
gdev_prn_close_printer(pdev);
return_error(gs_error_VMerror);
}
}
return ;
}
Timeline
Published on: 12/06/2023 20:15:07 UTC
Last modified on: 12/16/2023 01:15:07 UTC