RootCause: unvalidated

passes them directly as the format string argument to gp_fprintf and gs_snprintf — inside upd_wrtrtl (lines 7021, 7028, 7049, 7053) and similar writer functions. Tension: attacker-supplied %s/%x/%n conversion specifiers yield arbitrary read and write primitives. Outcome: RCE on a victim that renders a malicious PostScript/PDF.
