A flaw was found in Ghostscript. The uniprint
device allows the user to provide various string fragments as device options, which are later appended to the output file. Two parameters, upWriteComponentCommands
and upYMoveCommand,
are treated as format strings, specifically for gp_fprintf
and gs_snprintf.
This was designed for the user to include just one format specifier in the string, but there is no logic preventing arbitrary format strings with multiple specifiers from being used. In certain circumstances, an attacker may be able to exploit this to leak data from the stack and perform memory corruption.