!147 sync patch from openEuler-24.03-LTS

From: @li_ning_jie 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen

Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch

@@ -1,8 +1,9 @@
 From 7745dbe24514710b0cfba925e608e607dee9eb0f Mon Sep 17 00:00:00 2001
 From: Chris Liddell <chris.liddell@artifex.com>
 Date: Wed, 24 Jan 2024 18:25:12 +0000
-Subject: [PATCH 3/6] Bug 707510(3): Bounds checks when using CIDFont related 
+Subject: [PATCH 3/7] Bug 707510(3): Bounds checks when using CIDFont related 
  params
+https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=7745dbe24514
 
 Specifically, for CIDFont substitution.
 ---

Bug-707510-5-2-The-original-fix-was-overly-aggressive.patch

@@ -0,0 +1,215 @@
+From 638159c43dbb48425a187d244ec288d252d0ecf4 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 31 Jan 2024 14:08:18 +0000
+Subject: [PATCH 6/7] Bug 707510(5)2: The original fix was overly aggressive
+https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=638159c43dbb48425a187d244ec288d252d0ecf4
+
+The way the default OCRLanguage value was set was for the relevant get_params
+methods to check if the value had been set, and if not return a default value.
+This could result in the first time the put_params seeing that value being after
+path control has been enabled, meaning it would throw an invalidaccess error.
+
+This changes how we set the default: they now uses an init_device method, so
+the string is populated from the device's creation. This works correctly for
+both the default value, and for values set on the command line.
+---
+ devices/gdevocr.c         | 17 ++++++++++++++++-
+ devices/gdevpdfocr.c      | 28 ++++++++++++++++++++++------
+ devices/vector/gdevpdf.c  | 15 +++++++++++++++
+ devices/vector/gdevpdfp.c |  3 ++-
+ 4 files changed, 55 insertions(+), 8 deletions(-)
+
+diff --git a/devices/gdevocr.c b/devices/gdevocr.c
+index 7f2c6ea3b..b874525de 100644
+--- a/devices/gdevocr.c
++++ b/devices/gdevocr.c
+@@ -30,6 +30,7 @@
+ #define X_DPI 72
+ #define Y_DPI 72
+ 
++static dev_proc_initialize_device(ocr_initialize_device);
+ static dev_proc_print_page(ocr_print_page);
+ static dev_proc_print_page(hocr_print_page);
+ static dev_proc_get_params(ocr_get_params);
+@@ -55,6 +56,7 @@ ocr_initialize_device_procs(gx_device *dev)
+ {
+     gdev_prn_initialize_device_procs_gray_bg(dev);
+ 
++    set_dev_proc(dev, initialize_device, ocr_initialize_device);
+     set_dev_proc(dev, open_device, ocr_open);
+     set_dev_proc(dev, close_device, ocr_close);
+     set_dev_proc(dev, get_params, ocr_get_params);
+@@ -79,6 +81,7 @@ hocr_initialize_device_procs(gx_device *dev)
+ {
+     gdev_prn_initialize_device_procs_gray_bg(dev);
+ 
++    set_dev_proc(dev, initialize_device, ocr_initialize_device);
+     set_dev_proc(dev, open_device, ocr_open);
+     set_dev_proc(dev, close_device, hocr_close);
+     set_dev_proc(dev, get_params, ocr_get_params);
+@@ -102,6 +105,17 @@ const gx_device_ocr gs_hocr_device =
+ #define HOCR_HEADER "<html>\n <body>\n"
+ #define HOCR_TRAILER " </body>\n</html>\n"
+ 
++static int
++ocr_initialize_device(gx_device *dev)
++{
++    gx_device_ocr *odev = (gx_device_ocr *)dev;
++    const char *default_ocr_lang = "eng";
++
++    odev->language[0] = '\0';
++    strcpy(odev->language, default_ocr_lang);
++    return 0;
++}
++
+ static int
+ ocr_open(gx_device *pdev)
+ {
+@@ -185,7 +199,8 @@ ocr_put_params(gx_device *dev, gs_param_list *plist)
+ 
+     switch (code = param_read_string(plist, (param_name = "OCRLanguage"), &langstr)) {
+         case 0:
+-            if (pdev->memory->gs_lib_ctx->core->path_control_active) {
++                if (pdev->memory->gs_lib_ctx->core->path_control_active
++                && (strlen(pdev->language) != langstr.size || memcmp(pdev->language, langstr.data, langstr.size) != 0)) {
+                 return_error(gs_error_invalidaccess);
+             }
+             else {
+diff --git a/devices/gdevpdfocr.c b/devices/gdevpdfocr.c
+index 0d3c42d8b..f2bec1b49 100644
+--- a/devices/gdevpdfocr.c
++++ b/devices/gdevpdfocr.c
+@@ -33,9 +33,9 @@
+ #include "gdevpdfimg.h"
+ #include "tessocr.h"
+ 
+-int pdf_ocr_open(gx_device *pdev);
+-int pdf_ocr_close(gx_device *pdev);
+-
++static dev_proc_initialize_device(pdf_ocr_initialize_device);
++static dev_proc_open_device(pdf_ocr_open);
++static dev_proc_close_device(pdf_ocr_close);
+ 
+ static int
+ pdfocr_put_some_params(gx_device * dev, gs_param_list * plist)
+@@ -50,7 +50,8 @@ pdfocr_put_some_params(gx_device * dev, gs_param_list * plist)
+ 
+     switch (code = param_read_string(plist, (param_name = "OCRLanguage"), &langstr)) {
+         case 0:
+-            if (pdf_dev->memory->gs_lib_ctx->core->path_control_active) {
++                if (pdf_dev->memory->gs_lib_ctx->core->path_control_active
++                && (strlen(pdf_dev->ocr.language) != langstr.size || memcmp(pdf_dev->ocr.language, langstr.data, langstr.size) != 0)) {
+                 return_error(gs_error_invalidaccess);
+             }
+             else {
+@@ -152,6 +153,8 @@ pdfocr8_initialize_device_procs(gx_device *dev)
+ {
+     gdev_prn_initialize_device_procs_gray(dev);
+ 
++    set_dev_proc(dev, initialize_device, pdf_ocr_initialize_device);
++    set_dev_proc(dev, initialize_device, pdf_ocr_initialize_device);
+     set_dev_proc(dev, open_device, pdf_ocr_open);
+     set_dev_proc(dev, output_page, gdev_prn_output_page_seekable);
+     set_dev_proc(dev, close_device, pdf_ocr_close);
+@@ -185,6 +188,7 @@ pdfocr24_initialize_device_procs(gx_device *dev)
+ {
+     gdev_prn_initialize_device_procs_rgb(dev);
+ 
++    set_dev_proc(dev, initialize_device, pdf_ocr_initialize_device);
+     set_dev_proc(dev, open_device, pdf_ocr_open);
+     set_dev_proc(dev, output_page, gdev_prn_output_page_seekable);
+     set_dev_proc(dev, close_device, pdf_ocr_close);
+@@ -216,6 +220,7 @@ pdfocr32_initialize_device_procs(gx_device *dev)
+ {
+     gdev_prn_initialize_device_procs_cmyk8(dev);
+ 
++    set_dev_proc(dev, initialize_device, pdf_ocr_initialize_device);
+     set_dev_proc(dev, open_device, pdf_ocr_open);
+     set_dev_proc(dev, output_page, gdev_prn_output_page_seekable);
+     set_dev_proc(dev, close_device, pdf_ocr_close);
+@@ -703,7 +708,18 @@ ocr_end_page(gx_device_pdf_image *dev)
+     return 0;
+ }
+ 
+-int
++static int
++pdf_ocr_initialize_device(gx_device *dev)
++{
++    gx_device_pdf_image *ppdev = (gx_device_pdf_image *)dev;
++    const char *default_ocr_lang = "eng";
++
++    ppdev->ocr.language[0] = '\0';
++    strcpy(ppdev->ocr.language, default_ocr_lang);
++    return 0;
++}
++
++static int
+ pdf_ocr_open(gx_device *pdev)
+ {
+     gx_device_pdf_image *ppdev;
+@@ -726,7 +742,7 @@ pdf_ocr_open(gx_device *pdev)
+     return 0;
+ }
+ 
+-int
++static int
+ pdf_ocr_close(gx_device *pdev)
+ {
+     gx_device_pdf_image *pdf_dev;
+diff --git a/devices/vector/gdevpdf.c b/devices/vector/gdevpdf.c
+index 6e364d1c7..042e1b4e9 100644
+--- a/devices/vector/gdevpdf.c
++++ b/devices/vector/gdevpdf.c
+@@ -215,6 +215,7 @@ device_pdfwrite_finalize(const gs_memory_t *cmem, void *vpdev)
+ }
+ 
+ /* Driver procedures */
++static dev_proc_initialize_device(pdfwrite_initialize_device);
+ static dev_proc_open_device(pdf_open);
+ static dev_proc_output_page(pdf_output_page);
+ static dev_proc_close_device(pdf_close);
+@@ -232,6 +233,7 @@ static dev_proc_close_device(pdf_close);
+ static void
+ pdfwrite_initialize_device_procs(gx_device *dev)
+ {
++    set_dev_proc(dev, initialize_device, pdfwrite_initialize_device);
+     set_dev_proc(dev, open_device, pdf_open);
+     set_dev_proc(dev, get_initial_matrix, gx_upright_get_initial_matrix);
+     set_dev_proc(dev, output_page, pdf_output_page);
+@@ -777,6 +779,19 @@ pdf_reset_text(gx_device_pdf * pdev)
+     pdf_reset_text_state(pdev->text);
+ }
+ 
++static int
++pdfwrite_initialize_device(gx_device *dev)
++{
++#if OCR_VERSION > 0
++    gx_device_pdf *pdev = (gx_device_pdf *) dev;
++    const char *default_ocr_lang = "eng";
++    pdev->ocr_language[0] = '\0';
++    strcpy(pdev->ocr_language, default_ocr_lang);
++#endif
++    return 0;
++}
++
++
+ /* Open the device. */
+ static int
+ pdf_open(gx_device * dev)
+diff --git a/devices/vector/gdevpdfp.c b/devices/vector/gdevpdfp.c
+index 1f7106c0b..1fdfeaef3 100644
+--- a/devices/vector/gdevpdfp.c
++++ b/devices/vector/gdevpdfp.c
+@@ -472,7 +472,8 @@ gdev_pdf_put_params_impl(gx_device * dev, const gx_device_pdf * save_dev, gs_par
+         gs_param_string langstr;
+         switch (code = param_read_string(plist, (param_name = "OCRLanguage"), &langstr)) {
+             case 0:
+-                if (pdev->memory->gs_lib_ctx->core->path_control_active) {
++                if (pdev->memory->gs_lib_ctx->core->path_control_active
++                && (strlen(pdev->ocr_language) != langstr.size || memcmp(pdev->ocr_language, langstr.data, langstr.size) != 0)) {
+                     return_error(gs_error_invalidaccess);
+                 }
+                 else {
+-- 
+2.34.1
+

Bug-707510-5-Reject-OCRLanguage-changes-after-SAFER-.patch

@@ -1,8 +1,9 @@
 From 3d4cfdc1a44b1969a0f14c86673a372654d443c4 Mon Sep 17 00:00:00 2001
 From: Chris Liddell <chris.liddell@artifex.com>
 Date: Wed, 24 Jan 2024 17:06:01 +0000
-Subject: [PATCH 5/6] Bug 707510(5): Reject OCRLanguage changes after SAFER
+Subject: [PATCH 5/7] Bug 707510(5): Reject OCRLanguage changes after SAFER
  enabled
+https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=3d4cfdc1a44
 
 In the devices that support OCR, OCRLanguage really ought never to be set from
 PostScript, so reject attempts to change it if path_control_active is true.

Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch

@@ -1,8 +1,9 @@
 From 77dc7f699beba606937b7ea23b50cf5974fa64b1 Mon Sep 17 00:00:00 2001
 From: Ken Sharp <Ken.Sharp@artifex.com>
 Date: Thu, 25 Jan 2024 11:55:49 +0000
-Subject: [PATCH 2/6] Bug 707510 - don't allow PDF files with bad Filters to 
+Subject: [PATCH 2/7] Bug 707510 - don't allow PDF files with bad Filters to 
  overflow the debug buffer
+http://www.ghostscript.com/cgi-bin/findgit.cgi?77dc7f699beba606937b7ea23b50cf5974fa64b1
 
 Item #2 of the report.
 

Bug-707510-don-t-use-strlen-on-passwords.patch

@@ -1,7 +1,8 @@
 From 917b3a71fb20748965254631199ad98210d6c2fb Mon Sep 17 00:00:00 2001
 From: Ken Sharp <Ken.Sharp@artifex.com>
 Date: Thu, 25 Jan 2024 11:58:22 +0000
-Subject: [PATCH 1/6] Bug 707510 - don't use strlen on passwords
+Subject: [PATCH 1/7] Bug 707510 - don't use strlen on passwords
+http://www.ghostscript.com/cgi-bin/findgit.cgi?917b3a71fb20748965254631199ad98210d6c2fb
 
 Item #1 of the report. This looks like an oversight when first coding
 the routine. We should use the PostScript string length, because

Bug-707510-fix-LIBIDN-usage.patch

@@ -1,7 +1,8 @@
 From d99396635f3d6ac6a1168e1af21a669e5c8f695f Mon Sep 17 00:00:00 2001
 From: Ken Sharp <Ken.Sharp@artifex.com>
 Date: Thu, 25 Jan 2024 12:16:56 +0000
-Subject: [PATCH 6/6] Bug 707510 - fix LIBIDN usage
+Subject: [PATCH 7/7] Bug 707510 - fix LIBIDN usage
+http://www.ghostscript.com/cgi-bin/findgit.cgi?d99396635f3d6ac6a1168e1af21a669e5c8f695f
 
 This wasn't a reported fault, but it bears fixing anyway.
 

Bug-707510-review-printing-of-pointers.patch

@@ -1,7 +1,8 @@
 From ff1013a0ab485b66783b70145e342a82c670906a Mon Sep 17 00:00:00 2001
 From: Ken Sharp <Ken.Sharp@artifex.com>
 Date: Thu, 25 Jan 2024 11:53:44 +0000
-Subject: [PATCH 4/6] Bug 707510 - review printing of pointers
+Subject: [PATCH 4/7] Bug 707510 - review printing of pointers
+http://www.ghostscript.com/cgi-bin/findgit.cgi?ff1013a0ab485b66783b70145e342a82c670906a
 
 This is for item 4 of the report, which is addressed by the change in
 gdevpdtb.c. That change uses a fixed name for fonts which have no name

backport-CVE-2024-46951.patch

@@ -0,0 +1,31 @@
+From ada21374f0c90cc3acf7ce0e96302394560c7aee Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Fri, 30 Aug 2024 13:16:39 +0100
+Subject: [PATCH] PS interpreter - check the type of the Pattern Implementation
+
+Bug #707991
+
+See bug report for details.
+
+CVE-2024-46951
+---
+ psi/zcolor.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/psi/zcolor.c b/psi/zcolor.c
+index d4e7a4438..d3384d75d 100644
+--- a/psi/zcolor.c
++++ b/psi/zcolor.c
+@@ -5276,6 +5276,9 @@ static int patterncomponent(i_ctx_t * i_ctx_p, ref *space, int *n)
+             code = array_get(imemory, pImpl, 0, &pPatInst);
+             if (code < 0)
+                 return code;
++
++            if (!r_is_struct(&pPatInst) || (!r_has_stype(&pPatInst, imemory, st_pattern1_instance) && !r_has_stype(&pPatInst, imemory, st_pattern2_instance)))
++                return_error(gs_error_typecheck);
+             cc.pattern = r_ptr(&pPatInst, gs_pattern_instance_t);
+             if (pattern_instance_uses_base_space(cc.pattern))
+                 *n = n_comps;
+-- 
+2.34.1
+

backport-CVE-2024-46952.patch

@@ -0,0 +1,61 @@
+From 1fb76aaddac34530242dfbb9579d9997dae41264 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Mon, 2 Sep 2024 15:14:01 +0100
+Subject: [PATCH] PDF interpreter - sanitise W array values in Xref streams
+
+Bug #708001 "Buffer overflow in PDF XRef stream"
+
+See bug report. I've chosen to fix this by checking the values in the
+W array; these can (currently at least) only have certain relatively
+small values.
+
+As a future proofing fix I've also updated field_size in
+pdf_xref_stream_entries() to be a 64-bit integer. This is far bigger
+than required, but matches the W array values and so prevents the
+mismatch which could lead to a buffer overrun.
+
+CVE-2024-46952
+---
+ pdf/pdf_xref.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/pdf/pdf_xref.c b/pdf/pdf_xref.c
+index 7e61113..ad45852 100644
+--- a/pdf/pdf_xref.c
++++ b/pdf/pdf_xref.c
+@@ -53,7 +53,7 @@ static int resize_xref(pdf_context *ctx, uint64_t new_size)
+ static int read_xref_stream_entries(pdf_context *ctx, pdf_c_stream *s, uint64_t first, uint64_t last, uint64_t *W)
+ {
+     uint i, j;
+-    uint field_width = 0;
++    uint64_t field_width = 0;
+     uint32_t type = 0;
+     uint64_t objnum = 0, gen = 0;
+     byte *Buffer;
+@@ -297,6 +297,24 @@ static int pdfi_process_xref_stream(pdf_context *ctx, pdf_stream *stream_obj, pd
+     }
+     pdfi_countdown(a);
+ 
++    /* W[0] is either:
++     * 0 (no type field) or a single byte with the type.
++     * W[1] is either:
++     * The object number of the next free object, the byte offset of this object in the file or the object5 number of the object stream where this object is stored.
++     * W[2] is either:
++     * The generation number to use if this object is used again, the generation number of the object or the index of this object within the object stream.
++     *
++     * Object and generation numbers are limited to unsigned 64-bit values, as are bytes offsets in the file, indexes of objects within the stream likewise (actually
++     * most of these are generally 32-bit max). So we can limit the field widths to 8 bytes, enough to hold a 64-bit number.
++     * Even if a later version of the spec makes these larger (which seems unlikely!) we still cna't cope with integers > 64-bits.
++     */
++    if (W[0] > 1 || W[1] > 8 || W[2] > 8) {
++        pdfi_close_file(ctx, XRefStrm);
++        pdfi_countdown(ctx->xref_table);
++        ctx->xref_table = NULL;
++        return code;
++    }
++
+     code = pdfi_dict_get_type(ctx, sdict, "Index", PDF_ARRAY, (pdf_obj **)&a);
+     if (code == gs_error_undefined) {
+         code = read_xref_stream_entries(ctx, XRefStrm, 0, size - 1, (uint64_t *)W);
+-- 
+2.43.0

backport-CVE-2024-46953.patch

@@ -0,0 +1,66 @@
+From 294a3755e33f453dd92e2a7c4cfceb087ac09d6a Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Mon, 27 May 2024 13:38:36 +0100
+Subject: [PATCH] Bug 707793: Check for overflow validating format string
+
+for the output file name
+
+CVE-2024-46953
+---
+ base/gsdevice.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/base/gsdevice.c b/base/gsdevice.c
+index 90e699ab4..c1eaedd85 100644
+--- a/base/gsdevice.c
++++ b/base/gsdevice.c
+@@ -1070,7 +1070,7 @@ static int
+ gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt)
+ {
+     bool have_format = false, field;
+-    int width[2], int_width = sizeof(int) * 3, w = 0;
++    uint width[2], int_width = sizeof(int) * 3, w = 0;
+     uint i;
+ 
+     /* Scan the file name for a format string, and validate it if present. */
+@@ -1099,6 +1099,8 @@ gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt)
+                         default: /* width (field = 0) and precision (field = 1) */
+                             if (strchr("0123456789", pfn->fname[i])) {
+                                 width[field] = width[field] * 10 + pfn->fname[i] - '0';
++                                if (width[field] > max_int)
++	                                return_error(gs_error_undefinedfilename);
+                                 continue;
+                             } else if (0 == field && '.' == pfn->fname[i]) {
+                                 field++;
+@@ -1127,8 +1129,10 @@ gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt)
+         /* Calculate a conservative maximum width. */
+         w = max(width[0], width[1]);
+         w = max(w, int_width) + 5;
++        if (w > max_int)
++            return_error(gs_error_undefinedfilename);
+     }
+-    return w;
++    return (int)w;
+ }
+ 
+ /*
+@@ -1181,10 +1185,15 @@ gx_parse_output_file_name(gs_parsed_file_name_t *pfn, const char **pfmt,
+     if (!pfn->fname)
+         return 0;
+     code = gx_parse_output_format(pfn, pfmt);
+-    if (code < 0)
++    if (code < 0) {
+         return code;
+-    if (strlen(pfn->iodev->dname) + pfn->len + code >= gp_file_name_sizeof)
++    }
++
++    if (pfn->len >= gp_file_name_sizeof - strlen(pfn->iodev->dname) ||
++        code >= gp_file_name_sizeof - strlen(pfn->iodev->dname) - pfn->len) {
+         return_error(gs_error_undefinedfilename);
++    }
++
+     return 0;
+ }
+ 
+-- 
+2.34.1

backport-CVE-2024-46955.patch

@@ -0,0 +1,60 @@
+From ca1fc2aefe9796e321d0589afe7efb35063c8b2a Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Fri, 30 Aug 2024 13:11:53 +0100
+Subject: [PATCH] PS interpreter - check Indexed colour space index
+
+Bug #707990 "Out of bounds read when reading color in "Indexed" color space"
+
+Check the 'index' is in the valid range (0 to hival) for the colour
+space.
+
+Also a couple of additional checks on the type of the 'proc' for
+Indexed, DeviceN and Separation spaces. Make sure these really are
+procs in case the user changed the colour space array.
+
+CVE-2024-46955
+---
+ psi/zcolor.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/psi/zcolor.c b/psi/zcolor.c
+index c0d73c2..7d15ec7 100644
+--- a/psi/zcolor.c
++++ b/psi/zcolor.c
+@@ -3629,6 +3629,7 @@ static int septransform(i_ctx_t *i_ctx_p, ref *sepspace, int *usealternate, int
+         code = array_get(imemory, sepspace, 3, &proc);
+         if (code < 0)
+             return code;
++        check_proc(proc);
+         *esp = proc;
+         return o_push_estack;
+     }
+@@ -4450,6 +4451,7 @@ static int devicentransform(i_ctx_t *i_ctx_p, ref *devicenspace, int *usealterna
+         code = array_get(imemory, devicenspace, 3, &proc);
+         if (code < 0)
+             return code;
++        check_proc(proc);
+         *esp = proc;
+         return o_push_estack;
+     }
+@@ -4865,6 +4867,7 @@ static int indexedbasecolor(i_ctx_t * i_ctx_p, ref *space, int base, int *stage,
+             code = array_get(imemory, space, 3, &proc);
+             if (code < 0)
+                 return code;
++            check_proc(proc);
+             *ep = proc;	/* lookup proc */
+             return o_push_estack;
+         } else {
+@@ -4878,6 +4881,9 @@ static int indexedbasecolor(i_ctx_t * i_ctx_p, ref *space, int base, int *stage,
+             if (!r_has_type(op, t_integer))
+                 return_error (gs_error_typecheck);
+             index = op->value.intval;
++            /* Ensure it is in range. See bug #707990 */
++            if (index < 0 || index > pcs->params.indexed.hival)
++                return_error(gs_error_rangecheck);
+             /* And remove it from the stack. */
+             ref_stack_pop(&o_stack, 1);
+             op = osp;
+-- 
+2.27.0
+

backport-CVE-2024-46956.patch

@@ -0,0 +1,30 @@
+From ea69a1388245ad959d31c272b5ba66d40cebba2c Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Tue, 23 Jul 2024 11:48:39 +0100
+Subject: [PATCH] PostScript interpreter - fix buffer length check
+
+Bug 707895
+
+See bug report for details.
+
+CVE-2024-46956
+---
+ psi/zfile.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/psi/zfile.c b/psi/zfile.c
+index fe3f7e9..027f412 100644
+--- a/psi/zfile.c
++++ b/psi/zfile.c
+@@ -440,7 +440,7 @@ file_continue(i_ctx_t *i_ctx_p)
+         if (code == ~(uint) 0) {    /* all done */
+             esp -= 5;               /* pop proc, pfen, devlen, iodev , mark */
+             return o_pop_estack;
+-        } else if (code > len) {      /* overran string */
++        } else if (code > len - devlen) {      /* overran string */
+             return_error(gs_error_rangecheck);
+         }
+         else if (iodev != iodev_default(imemory)
+-- 
+2.27.0
+

ghostscript.spec

@@ -9,7 +9,7 @@
 
 Name:             ghostscript
 Version:          9.56.1
-Release:          7
+Release:          13
 Summary:          An interpreter for PostScript and PDF files
 License:          AGPLv3+
 URL:              https://ghostscript.com/
@@ -47,16 +47,28 @@ Patch108:  fix-CVE-2024-33870.patch
 Patch109:  fix-CVE-2024-33871.patch
 # https://bugs.ghostscript.com/show_bug.cgi?id=707510
 # CVE-2024-29506 CVE-2024-29507 CVE-2024-29508 CVE-2024-29509 CVE-2024-29511
+# CVE-2024-29509
 Patch110:  Bug-707510-don-t-use-strlen-on-passwords.patch
+# CVE-2024-29506
 Patch111:  Bug-707510-don-t-allow-PDF-files-with-bad-Filters-to.patch
+# CVE-2024-29507
 Patch112:  Bug-707510-3-Bounds-checks-when-using-CIDFont-relate.patch
+# CVE-2024-29508
 Patch113:  Bug-707510-review-printing-of-pointers.patch
+# CVE-2024-29511
 Patch114:  Bug-707510-5-Reject-OCRLanguage-changes-after-SAFER-.patch
-Patch115:  Bug-707510-fix-LIBIDN-usage.patch
+Patch115:  Bug-707510-5-2-The-original-fix-was-overly-aggressive.patch
+
+Patch116:  Bug-707510-fix-LIBIDN-usage.patch
 
 # See bug thread for details
 #This is the second part of the fix for CVE-2024-33869
-Patch116:  fix-CVE-2024-33869-second.patch
+Patch117:  fix-CVE-2024-33869-second.patch
+Patch118:   backport-CVE-2024-46953.patch
+Patch119:   backport-CVE-2024-46956.patch
+Patch120:   backport-CVE-2024-46951.patch
+Patch121:   backport-CVE-2024-46952.patch
+Patch122:   backport-CVE-2024-46955.patch
 
 BuildRequires:    automake gcc
 BuildRequires:    adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@@ -141,7 +153,12 @@ PDF files using Ghostscript and dvips
 %patch114 -p1
 %patch115 -p1
 %patch116 -p1
-
+%patch117 -p1
+%patch118 -p1
+%patch119 -p1
+%patch120 -p1
+%patch121 -p1
+%patch122 -p1
 
 # Libraries that we already have packaged(see Build Requirements):
 rm -rf cups/libs freetype ijs jbig2dec jpeg lcms2* libpng openjpeg tiff zlib
@@ -235,6 +252,42 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
 %{_bindir}/dvipdf
 
 %changelog
+* Fri Nov 08 2024 liningjie <liningjie@xfusion.com> - 9.56.1-13
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: Fix CVE-2024-46955
+
+* Tue Nov 05 2024 liningjie <liningjie@xfusion.com> - 9.56.1-12
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: Fix CVE-2024-46952
+
+* Fri Nov 01 2024 liningjie <liningjie@xfusion.com> - 9.56.1-11
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: Fix CVE-2024-46951
+
+* Fri Oct 25 2024 liningjie <liningjie@xfusion.com> - 9.56.1-10
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: Fix CVE-2024-46956
+
+* Fri Oct 25 2024 liningjie <liningjie@xfusion.com> - 9.56.1-9
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: Fix CVE-2024-46953
+
+* Fri Jul 12 2024 zhangxianting <zhangxianting@uniontech.com> - 9.56.1-8
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: This is the second part of the fix for CVE-2024-29511
+
 * Fri Jul 12 2024 zhangxingrong-<zhangxingrong@uniontech.cn> - 9.56.1-7
 - Type:CVE
 - ID:NA