Report

CVE-2024-29510 Ghostscript uniprint format string RCE

63c9a621-bdc9-401d-8c12-39ebb6612da1

Ghostscript ≤10.03.0's uniprint (gdevupd) device passes attacker-controlled device parameter strings directly as the format-string argument to gs_snprintf/gp_fprintf inside upd_wrtrtl and other writer functions. A PostScript job can set the upd device parameters (strings[S_YMOVE], string_a[SA_WRITECOMP], etc.) via setpagedevice/setdevice and then trigger the page render. Attacker-supplied %s/%x/%n specifiers in those strings yield arbitrary memory read/write, defeating -dSAFER (sandbox bypass leading to RCE).
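The defect class above is a user-controlled string used as a printf-family format. The following C example is added here to illustrate the pattern and its fix; it is not Ghostscript code, and the function names (emit_param_vulnerable, emit_param_hardened, param_emitted_verbatim) and the sample parameter value are hypothetical stand-ins for a uniprint-style writer that copies a device parameter string into the printer output stream.

```c
#include <stdio.h>
#include <string.h>

/* VULNERABLE pattern (hypothetical stand-in): the device parameter, which an
 * untrusted PostScript job controls via setpagedevice, is used as the format
 * string itself, so any %x/%s/%n it contains is interpreted by snprintf. */
int emit_param_vulnerable(char *out, size_t outlen, const char *param)
{
    /* Never call this with untrusted input; shown only to contrast the fix. */
    return snprintf(out, outlen, param);
}

/* HARDENED pattern: the format is a compile-time literal and the parameter
 * is passed purely as data, so conversion specifiers in it are inert. */
int emit_param_hardened(char *out, size_t outlen, const char *param)
{
    return snprintf(out, outlen, "%s", param);
}

/* Review/test helper: the hardened writer must reproduce the parameter
 * byte-for-byte regardless of what it contains. Returns 1 on success. */
int param_emitted_verbatim(const char *param)
{
    char buf[256];
    emit_param_hardened(buf, sizeof buf, param);
    return strcmp(buf, param) == 0;
}

int main(void)
{
    /* Constructed sample value: a printer escape sequence carrying the
     * conversion specifiers named in the advisory. */
    const char *param = "\033*b%x%x%nW";
    char buf[256];

    emit_param_hardened(buf, sizeof buf, param);
    printf("hardened output: %s\n", buf);            /* specifiers printed literally */
    printf("verbatim: %d\n", param_emitted_verbatim(param));
    return 0;
}
```

The only change between the two writers is the literal `"%s"` format; compiling with `-Wformat-security` flags the vulnerable form, since its format argument is not a string literal.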