Report
CVE-2020-15900 — rsearch post-string size off-by-one in Ghostscript 9.52
54b236a8-5dff-4102-809f-0aa4df0984ea
Memory corruption in Ghostscript 9.52's rsearch PostScript operator (CVE-2020-15900). The function search_impl() in psi/zstring.c, when called via rsearch (forward=false), computes the post-match string size with the wrong formula count + (size - 1) at line 151 instead of r_size(op1) - count - size. Result: the returned post-string slice carries an oversized rsize (the length field read back by r_size), so the slice claims more bytes than remain in the haystack. When subsequent string operators (putinterval, copy, forall) use that slice, they read/write far beyond the original buffer — heap disclosure or corruption. Briefing's mention of "bitwise shifting" is a red herring; the bug is integer/size arithmetic on user-controlled lengths inside rsearch's match-cleanup block.
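To make the size arithmetic concrete, the following is an added example (not Ghostscript's code): a hypothetical model of the rsearch path of search_impl() that keeps the same backward scan and countdown `count`, sizes the post-string with either the 9.52 formula or the corrected one, and then applies the bounds check a string operator would need before trusting the slice. Names such as model_rsearch and post_slice_in_bounds are assumptions for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Slices produced by a successful rsearch: pre | match | post. */
typedef struct {
    bool found;
    size_t pre_len;    /* bytes before the match             */
    size_t match_len;  /* == pattern size                    */
    size_t post_off;   /* offset of the post-string slice    */
    size_t post_len;   /* rsize recorded for the post slice  */
} rsearch_result;

/* Hypothetical model of the rsearch branch (not Ghostscript's code): scan
 * backwards from the last candidate position with a countdown `count`, then
 * size the post-string with the 9.52 formula or with the corrected one. */
static rsearch_result model_rsearch(const char *hay, size_t n,
                                    const char *pat, size_t size, bool buggy)
{
    rsearch_result r = {0};
    if (size > n)
        return r;                        /* cannot match */
    size_t count = n - size;             /* candidate positions left */
    size_t pos = count;                  /* rsearch starts at the last one */
    while (memcmp(hay + pos, pat, size) != 0) {
        if (count == 0)
            return r;                    /* no match: rsearch pushes false */
        count--;
        pos--;
    }
    r.found = true;
    r.pre_len = pos;                     /* == count when scanning backwards */
    r.match_len = size;
    r.post_off = pos + size;
    r.post_len = buggy ? count + (size - 1)   /* 9.52, line 151 */
                       : n - count - size;    /* corrected formula */
    return r;
}

/* Check a string operator should pass before touching the slice:
 * does the post-string stay inside the original n-byte haystack? */
static bool post_slice_in_bounds(const rsearch_result *r, size_t n)
{
    return r->found && r->post_off <= n && r->post_len <= n - r->post_off;
}

/* Bytes the slice reaches past the end of the haystack (0 if none). */
static size_t post_slice_overrun(const rsearch_result *r, size_t n)
{
    size_t end = r->post_off + r->post_len;
    return end > n ? end - n : 0;
}
```

With the constructed haystack "hello world" and pattern "o", the match sits at offset 7, so the fixed formula yields a 3-byte post-string ("rld") while the 9.52 formula yields 7 bytes, 4 of them past the end of the buffer.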