Some time ago Tavis Ormandy found a bunch of bugs in Ghostscript's sandbox, which would allow arbitrary code execution:

http://www.openwall.com/lists/oss-security/2016/10/05/7

Hopefully these bugs are all fixed now, but I wouldn't be surprised if there was more to be found.