Unrated severity · NVD Advisory · Published Jul 3, 2024 · Updated Mar 17, 2025

CVE-2024-29508

Description

In Artifex Ghostscript before 10.03.0, a heap-based pointer disclosure occurs via a crafted BaseFont name in pdf_base_font_alloc.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2024-29508 is a heap-based pointer disclosure vulnerability in Artifex Ghostscript prior to version 10.03.0. The issue resides in the pdf_base_font_alloc function, where a constructed BaseFont name can be used to leak heap pointers. This affects all versions before the fix was introduced in 10.03.0.

Exploitation

An attacker can exploit this by crafting a PostScript file that invokes the PDF interpreter with a specially crafted BaseFont name. The attacker does not require authentication but needs to deliver the malicious file to the target system, either via user interaction (e.g., opening a document) or through automated processing (e.g., a document conversion service). The heap pointer is observable in the exported BaseFont name.

Impact

Successful exploitation leads to disclosure of heap memory addresses, which can aid in bypassing security mechanisms such as ASLR. This information leakage may be a precursor to more severe attacks, though the disclosure itself does not grant code execution or direct data access.

Mitigation

The vulnerability is fixed in Ghostscript version 10.03.0, released approximately four months prior to the publication date. Users should upgrade to 10.03.0 or later. No workaround is documented [1] [2]. The fix has been incorporated into most Linux distributions' package repositories [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

9

Vulnerability mechanics

Root cause

"The pdf_base_font_alloc function exposes a heap pointer in the constructed BaseFont name when the input name is empty."

Attack vector

An attacker can trigger this vulnerability by providing an empty name for the BaseFont when constructing a PDF. The constructed BaseFont name will then include a hexadecimal representation of a heap pointer. The attacker can then read this pointer value from the output file, assuming the output file is written to a temporary, writable, and readable location. This allows for information disclosure of heap memory addresses.

Affected code

The vulnerability resides in the `pdf_base_font_alloc` function within the `pdfwrite` device. If `pfname->size` is not greater than 0, the function formats a string with `gs_snprintf` using `PRI_INTPTR` and the pointer value `copied`. As a result, the heap pointer is embedded in the BaseFont name.

What the fix does

The fix, shipped in version 10.03.0, modifies the `pdf_base_font_alloc` function. It ensures that when the input font name is empty, the generated font name does not include a direct hexadecimal representation of a pointer. Instead, it likely uses a more sanitized or non-sensitive default name, preventing the disclosure of heap pointer information.
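
The pattern described under "Affected code", beside one hardened alternative, as an added example that is not Ghostscript's code or the upstream patch. The `font_t` type, the function names, the `F0x` prefix and the counter-based `Anon` fallback are assumptions chosen for illustration.

```c
#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { int glyphs; } font_t; /* hypothetical stand-in, not Ghostscript's type */

/* Leaky pattern: an empty input name falls back to the object's heap address. */
static void name_from_pointer(const font_t *copied, const char *name, size_t size,
                              char *out, size_t outlen) {
    if (size > 0)
        snprintf(out, outlen, "%.*s", (int)size, name);
    else
        snprintf(out, outlen, "F0x%" PRIxPTR, (uintptr_t)copied);
}

/* Hardened pattern (an assumption, not the upstream fix): per-document counter. */
static void name_from_counter(unsigned *next_id, const char *name, size_t size,
                              char *out, size_t outlen) {
    if (size > 0)
        snprintf(out, outlen, "%.*s", (int)size, name);
    else
        snprintf(out, outlen, "Anon%u", (*next_id)++);
}

/* Returns 1 if the hex rendering of address p appears inside name. */
static int name_discloses(const char *name, const void *p) {
    char hex[2 * sizeof(uintptr_t) + 1];
    snprintf(hex, sizeof hex, "%" PRIxPTR, (uintptr_t)p);
    return strstr(name, hex) != NULL;
}

/* Builds the fallback name for an empty BaseFont and reports whether it leaks. */
int empty_name_leaks(int hardened) {
    char out[64];
    unsigned next_id = 1;
    font_t *copied = malloc(sizeof *copied);
    if (copied == NULL) return -1;
    if (hardened) name_from_counter(&next_id, "", 0, out, sizeof out);
    else          name_from_pointer(copied, "", 0, out, sizeof out);
    int leaked = name_discloses(out, copied);
    free(copied);
    return leaked;
}

int main(void) {
    printf("leaky=%d hardened=%d\n", empty_name_leaks(0), empty_name_leaks(1));
    return 0;
}
```

A check like `name_discloses` can serve as a regression test for any code that writes generated identifiers into output files.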

Preconditions

  • input: The attacker must be able to control the input to the `pdf_base_font_alloc` function, specifically by providing an empty name for the BaseFont.
  • input: The attacker must be able to read the output file generated by Ghostscript to observe the leaked pointer.

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
