ghostscript before version 9.21 is vulnerable to a heap based buffer overflow that was found in the ghostscript jbig2_decode_gray_scale_image function which is used to decode halftone segments in a JBIG2 image. A document (PostScript or PDF) with an embedded, specially crafted, jbig2 image could trigger a segmentation fault in ghostscript.
The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
| Link | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9601 | issue tracking third party advisory |
| http://www.securityfocus.com/bid/97095 | vdb entry third party advisory |
| http://git.ghostscript.com/?p=jbig2dec.git%3Ba=commit%3Bh=e698d5c11d27212aa1098bc5b1673a3378563092 | |
| https://security.gentoo.org/glsa/201706-24 | third party advisory vendor advisory |
| https://www.debian.org/security/2017/dsa-3817 | third party advisory vendor advisory |
| https://bugs.ghostscript.com/show_bug.cgi?id=697457 | issue tracking third party advisory |