From 7e87eee02ea6a0abfb3fe92d3eaf7446a048ae11 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal <zdohnal@redhat.com>
Date: Wed, 16 Apr 2025 12:33:37 +0200
Subject: [PATCH] RHEL-67048 CVE-2024-46951 ghostscript: Arbitrary Code
 Execution in Artifex Ghostscript Pattern Color Space

Resolves: RHEL-67048
---
 ...heck-the-type-of-the-Pattern-Impleme.patch | 31 +++++++++++++++++++
 ghostscript.spec                              |  3 ++
 2 files changed, 34 insertions(+)
 create mode 100644 0001-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch

diff --git a/0001-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch b/0001-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch
new file mode 100644
index 0000000..4fd4c18
--- /dev/null
+++ b/0001-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch
@@ -0,0 +1,31 @@
+From f49812186baa7d1362880673408a6fbe8719b4f8 Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Fri, 30 Aug 2024 13:16:39 +0100
+Subject: [PATCH] PS interpreter - check the type of the Pattern Implementation
+
+Bug #707991
+
+See bug report for details.
+
+CVE-2024-46951
+---
+ psi/zcolor.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/psi/zcolor.c b/psi/zcolor.c
+index d4e7a4438..d3384d75d 100644
+--- a/psi/zcolor.c
++++ b/psi/zcolor.c
+@@ -5276,6 +5276,9 @@ static int patterncomponent(i_ctx_t * i_ctx_p, ref *space, int *n)
+             code = array_get(imemory, pImpl, 0, &pPatInst);
+             if (code < 0)
+                 return code;
++
++            if (!r_is_struct(&pPatInst) || (!r_has_stype(&pPatInst, imemory, st_pattern1_instance) && !r_has_stype(&pPatInst, imemory, st_pattern2_instance)))
++                return_error(gs_error_typecheck);
+             cc.pattern = r_ptr(&pPatInst, gs_pattern_instance_t);
+             if (pattern_instance_uses_base_space(cc.pattern))
+                 *n = n_comps;
+-- 
+2.49.0
+
diff --git a/ghostscript.spec b/ghostscript.spec
index 2d21c00..651ce8c 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -123,6 +123,8 @@ Patch014: gs-CVE-2024-33869.patch
 Patch015: 0001-Uniprint-device-prevent-string-configuration-changes.patch
 # RHEL-18397 CVE-2023-46751 ghostscript: dangling pointer in gdev_prn_open_printer_seekable()
 Patch016: gs-cve-2023-46751.patch
+# RHEL-67048 CVE-2024-46951 ghostscript: Arbitrary Code Execution in Artifex Ghostscript Pattern Color Space
+Patch017: 0001-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch
 
 # Downstream patches -- these should be always included when doing rebase:
 # ------------------
@@ -458,6 +460,7 @@ done
 %changelog
 * Tue Apr 15 2025 Zdenek Dohnal <zdohnal@redhat.com> - 9.54.0-18
 - RHEL-18397 CVE-2023-46751 ghostscript: dangling pointer in gdev_prn_open_printer_seekable()
+- RHEL-67048 CVE-2024-46951 ghostscript: Arbitrary Code Execution in Artifex Ghostscript Pattern Color Space
 
 * Mon Jul 08 2024 Zdenek Dohnal <zdohnal@redhat.com> - 9.54.0-17
 - RHEL-44759 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths