diff --git a/ghostscript-9.54.0-Fix-op-stack-management-in-sampled_data_c.patch b/ghostscript-9.54.0-Fix-op-stack-management-in-sampled_data_c.patch
new file mode 100644
index 0000000..27ca0b2
--- /dev/null
+++ b/ghostscript-9.54.0-Fix-op-stack-management-in-sampled_data_c.patch
@@ -0,0 +1,64 @@
+From 2a3129365d3bc0d4a41f107ef175920d1505d1f7 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Tue, 1 Jun 2021 19:57:16 +0100
+Subject: [PATCH] Bug 703902: Fix op stack management in
+ sampled_data_continue()
+
+Replace pop() (which does no checking, and doesn't handle stack extension
+blocks) with ref_stack_pop() which does do all that.
+
+We still use pop() in one case (it's faster), but we have to later use
+ref_stack_pop() before calling sampled_data_sample() which also accesses the
+op stack.
+
+Fixes:
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675
+---
+ psi/zfsample.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/psi/zfsample.c b/psi/zfsample.c
+index 0e8e4bc8d..00cd0cfdd 100644
+--- a/psi/zfsample.c
++++ b/psi/zfsample.c
+@@ -533,15 +533,19 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
+         for (j = 0; j < bps; j++)
+             data_ptr[bps * i + j] = (byte)(cv >> ((bps - 1 - j) * 8));	/* MSB first */
+     }
+-    pop(num_out);		    /* Move op to base of result values */
+ 
+-    /* Check if we are done collecting data. */
++    pop(num_out); /* Move op to base of result values */
+ 
++    /* From here on, we have to use ref_stack_pop() rather than pop()
++       so that it handles stack extension blocks properly, before calling
++       sampled_data_sample() which also uses the op stack.
++     */
++    /* Check if we are done collecting data. */
+     if (increment_cube_indexes(params, penum->indexes)) {
+         if (stack_depth_adjust == 0)
+-            pop(O_STACK_PAD);	    /* Remove spare stack space */
++            ref_stack_pop(&o_stack, O_STACK_PAD);	    /* Remove spare stack space */
+         else
+-            pop(stack_depth_adjust - num_out);
++            ref_stack_pop(&o_stack, stack_depth_adjust - num_out);
+         /* Execute the closing procedure, if given */
+         code = 0;
+         if (esp_finish_proc != 0)
+@@ -554,11 +558,11 @@ sampled_data_continue(i_ctx_t *i_ctx_p)
+             if ((O_STACK_PAD - stack_depth_adjust) < 0) {
+                 stack_depth_adjust = -(O_STACK_PAD - stack_depth_adjust);
+                 check_op(stack_depth_adjust);
+-                pop(stack_depth_adjust);
++                ref_stack_pop(&o_stack, stack_depth_adjust);
+             }
+             else {
+                 check_ostack(O_STACK_PAD - stack_depth_adjust);
+-                push(O_STACK_PAD - stack_depth_adjust);
++                ref_stack_push(&o_stack, O_STACK_PAD - stack_depth_adjust);
+                 for (i=0;i<O_STACK_PAD - stack_depth_adjust;i++)
+                     make_null(op - i);
+             }
+-- 
+2.35.1
+
diff --git a/ghostscript.spec b/ghostscript.spec
index 545c17c..450aba9 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -42,7 +42,7 @@
 Name:             ghostscript
 Summary:          Interpreter for PostScript language & PDF
 Version:          9.54.0
-Release:          5%{?dist}
+Release:          6%{?dist}
 
 License:          AGPLv3+
 
@@ -102,7 +102,10 @@ BuildRequires:    make
 #Patch000: example000.patch
 Patch001: ghostscript-9.54.0-gdevtxtw-null-also-pointers.patch
 Patch002: ghostscript-9.54.0-include-pipe-handle-in-validation.patch
+#2032789 - coverity warnings fixes
 Patch003: ghostscript-9.54.0-covscan-fixes.patch
+#2049767 -  CVE-2021-45949 heap-based buffer overflow in sampled_data_finish
+Patch004: ghostscript-9.54.0-Fix-op-stack-management-in-sampled_data_c.patch
 
 # Downstream patches -- these should be always included when doing rebase:
 # ------------------
@@ -436,7 +439,10 @@ done
 # =============================================================================
 
 %changelog
-* Mon Feb 21 2021 Richard Lescak <rlescak@redhat.com> - 9.54.0-5
+* Tue Feb 22 2022 Richard Lescak <rlescak@redhat.com> - 9.54.0-6
+- Added fix for vulnerability CVE-2021-45949 (#2049767)
+
+* Mon Feb 21 2022 Richard Lescak <rlescak@redhat.com> - 9.54.0-5
 - Added coverity fixes (#2032789)
 
 * Thu Sep 16 2021 Richard Lescak <rlescak@redhat.com> - 9.54.0-4