Upstream patch to fix pdfwrite segfault (bug #962120).

ghostscript-pdfwrite-segfault.patch

@@ -0,0 +1,51 @@
+diff -up ghostscript-9.06/base/gdevpdtd.c.pdfwrite-segfault ghostscript-9.06/base/gdevpdtd.c
+--- ghostscript-9.06/base/gdevpdtd.c.pdfwrite-segfault	2012-08-08 09:01:36.000000000 +0100
++++ ghostscript-9.06/base/gdevpdtd.c	2013-05-16 09:28:07.410407852 +0100
+@@ -699,7 +699,7 @@ pdf_write_FontDescriptor(gx_device_pdf *
+         if (code < 0)
+             return code;
+     }
+-    if (pfd->embed) {
++    if (pfd->embed && pfd->base_font->FontFile) {
+         code = pdf_write_FontFile_entry(pdev, pfd->base_font);
+         if (code < 0)
+             return code;
+diff -up ghostscript-9.06/base/gxtype1.c.pdfwrite-segfault ghostscript-9.06/base/gxtype1.c
+--- ghostscript-9.06/base/gxtype1.c.pdfwrite-segfault	2012-08-08 09:01:36.000000000 +0100
++++ ghostscript-9.06/base/gxtype1.c	2013-05-16 09:28:07.409407814 +0100
+@@ -371,7 +371,7 @@ gs_type1_piece_codes(/*const*/ gs_font_t
+     const byte *cip, *end;
+     crypt_state state;
+     int c, hhints = 0, vhints = 0;
+-    int code;
++    int code, call_depth = 0;
+ 
+     CLEAR_CSTACK(cstack, csp);
+     cip = pgd->bits.data;
+@@ -450,6 +450,7 @@ gs_type1_piece_codes(/*const*/ gs_font_t
+             }
+             break;
+         case c2_callgsubr:
++            call_depth++;
+             c = fixed2int_var(*csp) + pdata->gsubrNumberBias;
+             code = pdata->procs.subr_data
+                 (pfont, c, true, &ipsp[1].cs_data);
+@@ -462,6 +463,7 @@ gs_type1_piece_codes(/*const*/ gs_font_t
+             end = ipsp->cs_data.bits.data + ipsp->cs_data.bits.size;
+             goto call;
+         case c_callsubr:
++            call_depth++;
+             c = fixed2int_var(*csp) + pdata->subroutineNumberBias;
+             code = pdata->procs.subr_data
+                 (pfont, c, false, &ipsp[1].cs_data);
+@@ -474,6 +476,10 @@ gs_type1_piece_codes(/*const*/ gs_font_t
+             end = ipsp->cs_data.bits.data + ipsp->cs_data.bits.size;
+             goto call;
+         case c_return:
++            if (call_depth == 0)
++                return (gs_note_error(gs_error_invalidfont));
++            else
++                call_depth--;
+             gs_glyph_data_free(&ipsp->cs_data, "gs_type1_piece_codes");
+             --ipsp;
+             if (ipsp < ipstack)

ghostscript.spec

@@ -5,7 +5,7 @@ Summary: A PostScript interpreter and renderer
 Name: ghostscript
 Version: %{gs_ver}
 
-Release: 4%{?dist}
+Release: 5%{?dist}
 
 # Included CMap data is Redistributable, no modification permitted,
 # see http://bugzilla.redhat.com/487510
@@ -26,6 +26,7 @@ Patch10: ghostscript-cups-filters.patch
 Patch27: ghostscript-Fontmap.local.patch
 Patch28: ghostscript-iccprofiles-initdir.patch
 Patch29: ghostscript-gdevcups-debug-uninit.patch
+Patch30: ghostscript-pdfwrite-segfault.patch
 
 Requires: urw-fonts >= 1.1, ghostscript-fonts
 Requires: poppler-data
@@ -139,6 +140,9 @@ rm -rf expat freetype icclib jasper jpeg lcms2 libpng openjpeg zlib cups/libs
 # gdevcups: don't use uninitialized variables in debugging output.
 %patch29 -p1 -b .gdevcups-debug-uninit
 
+# Upstream patch to fix pdfwrite segfault (bug #962120).
+%patch30 -p1 -b .pdfwrite-segfault
+
 # Convert manual pages to UTF-8
 from8859_1() {
         iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_"
@@ -335,6 +339,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/libgs.so
 
 %changelog
+* Thu May 16 2013 Tim Waugh <twaugh@redhat.com> 9.06-5
+- Upstream patch to fix pdfwrite segfault (bug #962120).
+
 * Thu Apr 25 2013 Tim Waugh <twaugh@redhat.com>
 - Unowned directories (bug #902525).