CVE-2024-29510 — Ghostscript Uniprint device format-string SAFER bypass
Ghostscript's Uniprint printer device (devices/gdevupd.c) accepts PostScript-settable string parameters (upYMoveCommand, upWriteComponentCommands, etc. — declared in upd_strings[]/upd_string_a[]) and stores them verbatim. In upd_wrtrtl() those same strings are passed as the format-string argument to gs_snprintf and gp_fprintf with only one integer argument supplied. An attacker who can ship PostScript to a server-side Ghostscript pipeline (very common via uploaded PS/EPS/PDF) selects -sDEVICE=uniprint and uses setpagedevice to inject %x/%s/%n into upYMoveCommand or upWriteComponentCommands; when the page rasterizes, the format specifiers are interpreted, giving arbitrary read and arbitrary write. This bypasses the -dSAFER sandbox because SAFER never restricted those string params.
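The root cause described above is a configurable string reaching a printf-family call as the format while only one integer is supplied. The following added example (not Ghostscript code and not the upstream fix) shows one way to fail closed on such a template before it is used; the function names and sample templates are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 only if fmt can be used as a printf template with exactly one
 * int argument: at most one conversion, of type d/i/u/o/x/X. "%%" is allowed. */
static int template_takes_one_int(const char *fmt)
{
    int conversions = 0;

    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                      /* literal percent sign */
            continue;
        p += strspn(p, "-+ #0");            /* flags */
        size_t w = strspn(p, "0123456789"); /* width: digits only, '*' would read an extra arg */
        if (w > 3)
            return 0;                       /* refuse padding that inflates the output */
        p += w;
        if (*p == '.') {
            p++;
            w = strspn(p, "0123456789");
            if (w > 3)
                return 0;
            p += w;
        }
        /* No length modifiers (the caller passes a plain int); rejects %n, %s, %p, "%" at end. */
        if (*p == '\0' || strchr("diuoxX", *p) == NULL)
            return 0;
        if (++conversions > 1)              /* a second conversion would read a missing argument */
            return 0;
    }
    return 1;
}

/* Render a command template with its single int argument, or fail closed.
 * Returns the number of bytes written, or -1 if rejected or truncated. */
static int render_command(char *out, size_t outlen, const char *tmpl, int value)
{
    if (!template_takes_one_int(tmpl))
        return -1;
    int n = snprintf(out, outlen, tmpl, value);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    char buf[64];
    /* Constructed sample templates, not taken from a real uniprint profile. */
    const char *samples[] = { "\033*b%dY", "100%% %04x", "%x%x%n", "%s", "%*d", "%ld" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("sample %zu: %s\n", i,
               render_command(buf, sizeof buf, samples[i], 42) < 0 ? "rejected" : "accepted");
    return 0;
}
```

A check like this belongs at the point where the parameter is accepted, so a rejected value never gets stored for later use during rasterization.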