From 6b149e453906496b46a2687ab3101400c92558da Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Wed, 16 Apr 2025 12:50:01 +0200
Subject: [PATCH] RHEL-67050 CVE-2024-46953 ghostscript: Path Traversal and Code Execution via Integer Overflow in Ghostscript
Resolves: RHEL-67050
---
 ...-for-overflow-validating-format-stri.patch | 67 +++++++++++++++++++
 ghostscript.spec | 4 ++
 2 files changed, 71 insertions(+)
 create mode 100644 0001-Bug-707793-Check-for-overflow-validating-format-stri.patch
diff --git a/0001-Bug-707793-Check-for-overflow-validating-format-stri.patch b/0001-Bug-707793-Check-for-overflow-validating-format-stri.patch
new file mode 100644
index 0000000..4cafbfc
--- /dev/null
+++ b/0001-Bug-707793-Check-for-overflow-validating-format-stri.patch
@@ -0,0 +1,67 @@
+From 1f21a45df0fa3abec4cff12951022b192dda3c00 Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra
+Date: Mon, 27 May 2024 13:38:36 +0100
+Subject: [PATCH] Bug 707793: Check for overflow validating format string
+
+for the output file name
+
+CVE-2024-46953
+---
+ base/gsdevice.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/base/gsdevice.c b/base/gsdevice.c
+index 90e699ab4..49354d833 100644
+--- a/base/gsdevice.c
++++ b/base/gsdevice.c
+@@ -1070,7 +1070,7 @@ static int
+ gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt)
+ {
+ bool have_format = false, field;
+- int width[2], int_width = sizeof(int) * 3, w = 0;
++ uint width[2], int_width = sizeof(int) * 3, w = 0;
+ uint i;
+
+ /* Scan the file name for a format string, and validate it if present. */
+@@ -1099,6 +1099,8 @@ gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt)
+ default: /* width (field = 0) and precision (field = 1) */
+ if (strchr("0123456789", pfn->fname[i])) {
+ width[field] = width[field] * 10 + pfn->fname[i] - '0';
++ if (width[field] > max_int)
++ return_error(gs_error_undefinedfilename);
+ continue;
+ } else if (0 == field && '.' == pfn->fname[i]) {
+ field++;
+@@ -1127,8 +1129,10 @@ gx_parse_output_format(gs_parsed_file_name_t *pfn, const char **pfmt)
+ /* Calculate a conservative maximum width. */
+ w = max(width[0], width[1]);
+ w = max(w, int_width) + 5;
++ if (w > max_int)
++ return_error(gs_error_undefinedfilename);
+ }
+- return w;
++ return (int)w;
+ }
+
+ /*
+@@ -1181,10 +1185,15 @@ gx_parse_output_file_name(gs_parsed_file_name_t *pfn, const char **pfmt,
+ if (!pfn->fname)
+ return 0;
+ code = gx_parse_output_format(pfn, pfmt);
+- if (code < 0)
++ if (code < 0) {
+ return code;
+- if (strlen(pfn->iodev->dname) + pfn->len + code >= gp_file_name_sizeof)
++ }
++
++ if (pfn->len >= gp_file_name_sizeof - strlen(pfn->iodev->dname) ||
++ code >= gp_file_name_sizeof - strlen(pfn->iodev->dname) - pfn->len) {
+ return_error(gs_error_undefinedfilename);
++ }
++
+ return 0;
+ }
+
+
+--
+2.49.0
+
diff --git a/ghostscript.spec b/ghostscript.spec
index 3ddd5df..42de6da 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -138,6 +138,9 @@ Patch: 0001-PDF-interpreter-sanitise-W-array-values-in-Xref-stre.patch
 # RHEL-67050 CVE-2024-46954 ghostscript: Directory Traversal in Ghostscript via Overlong UTF-8 Encoding
 # https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=282f691f5e57b6b
 Patch: 0001-Bug-707788-Fix-decode_utf8-to-forbid-overlong-encodi.patch
+# RHEL-67050 CVE-2024-46953 ghostscript: Path Traversal and Code Execution via Integer Overflow in Ghostscript
+# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=1f21a45df0fa3abec
+Patch: 0001-Bug-707793-Check-for-overflow-validating-format-stri.patch
 # Downstream patches -- these should be always included when doing rebase:
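Review bot: The new guard in the embedded patch's `@@ -1099` hunk runs after the digit has already been appended, so `width[field] * 10 + pfn->fname[i] - '0'` is evaluated on a `uint` that may already hold a value close to `max_int`, and an unsigned result that wraps can land back below `max_int` before the comparison sees it; the width the function then works with no longer corresponds to the digits left in the format string, which is exactly the mismatch the conservative `w` bound is meant to rule out. Checking the bound before the multiply closes that gap: `if (width[field] > (max_int - (pfn->fname[i] - '0')) / 10) return_error(gs_error_undefinedfilename);` placed ahead of the existing assignment, after which the post-assignment check becomes redundant. This assumes `max_int` is the project's INT_MAX-style constant and that `uint` is narrower than the product can be, neither of which the hunk shows. The enclosing gx_parse_output_format() starts and ends outside the quoted hunk lines.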
@@ -459,6 +462,7 @@ done
 - RHEL-67044 CVE-2024-46951 ghostscript: Arbitrary Code Execution in Artifex Ghostscript Pattern Color Space
 - RHEL-67050 CVE-2024-46952 ghostscript: Buffer Overflow in Ghostscript PDF XRef Stream Handling
 - RHEL-67050 CVE-2024-46954 ghostscript: Directory Traversal in Ghostscript via Overlong UTF-8 Encoding
+- RHEL-67050 CVE-2024-46953 ghostscript: Path Traversal and Code Execution via Integer Overflow in Ghostscript
 * Tue Oct 29 2024 Troy Dawson - 10.02.1-14
 - Bump release for October 2024 mass rebuild: