From bb9248dc5870f0a3266a6f00f60295eb1aab0b04 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Wed, 16 Apr 2025 12:37:03 +0200
Subject: [PATCH] RHEL-67053 CVE-2024-46956 ghostscript: Out-of-Bounds Data Access in Ghostscript Leads to Arbitrary Code Execution
Resolves: RHEL-67053
---
 ...Script-interpreter-fix-buffer-length-check.patch | 13 +++++++++++++
 ghostscript.spec | 4 ++++
 2 files changed, 17 insertions(+)
 create mode 100644 0001-PostScript-interpreter-fix-buffer-length-check.patch
diff --git a/0001-PostScript-interpreter-fix-buffer-length-check.patch b/0001-PostScript-interpreter-fix-buffer-length-check.patch
new file mode 100644
index 0000000..0dcf0d5
--- /dev/null
+++ b/0001-PostScript-interpreter-fix-buffer-length-check.patch
@@ -0,0 +1,13 @@
+diff --git a/psi/zfile.c b/psi/zfile.c
+index 05b8203..ee40a75 100644
+--- a/psi/zfile.c
++++ b/psi/zfile.c
+@@ -437,7 +437,7 @@ file_continue(i_ctx_t *i_ctx_p)
+ if (code == ~(uint) 0) { /* all done */
+ esp -= 5; /* pop proc, pfen, devlen, iodev , mark */
+ return o_pop_estack;
+- } else if (code > len) { /* overran string */
++ } else if (code > len - devlen) { /* overran string */
+ return_error(gs_error_rangecheck);
+ }
+ else if (iodev != iodev_default(imemory)
diff --git a/ghostscript.spec b/ghostscript.spec
index 225ba50..6f4aa5f 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
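Review bot: In the embedded psi/zfile.c hunk, the new bound `code > len - devlen` is only correct if `devlen <= len` already holds when file_continue reaches this comparison. `code` is compared against `~(uint) 0`, so the arithmetic is presumably unsigned, and a larger `devlen` would wrap the subtraction to a huge value and let an overlong result past the range check. Only a few lines of file_continue are visible and no such guard appears among them, so either confirm it exists earlier in the function and record it in a comment (`/* len >= devlen was checked above, so the subtraction cannot wrap */`), or make the test self-contained with `} else if (devlen > len || code > len - devlen) {`. Because this is a downstream backport and the patch file carries no commit header of its own, it is also worth checking that the surrounding code in this tree matches the upstream commit the spec comment references (f4151f12db32cd3).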
@@ -135,6 +135,9 @@ Patch019: 0001-Bug-707788-Fix-decode_utf8-to-forbid-overlong-encodi.patch
 # RHEL-67053 CVE-2024-46953 ghostscript: Path Traversal and Code Execution via Integer Overflow in Ghostscript
 # https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=1f21a45df0fa3abec
 Patch020: 0001-Bug-707793-Check-for-overflow-validating-format-stri.patch
+# RHEL-67053 CVE-2024-46956 ghostscript: Out-of-Bounds Data Access in Ghostscript Leads to Arbitrary Code Execution
+# https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f4151f12db32cd3
+Patch021: 0001-PostScript-interpreter-fix-buffer-length-check.patch
 # Downstream patches -- these should be always included when doing rebase:
 # ------------------
@@ -473,6 +476,7 @@ done
 - RHEL-67048 CVE-2024-46951 ghostscript: Arbitrary Code Execution in Artifex Ghostscript Pattern Color Space
 - RHEL-67053 CVE-2024-46954 ghostscript: Directory Traversal in Ghostscript via Overlong UTF-8 Encoding
 - RHEL-67053 CVE-2024-46953 ghostscript: Path Traversal and Code Execution via Integer Overflow in Ghostscript
+- RHEL-67053 CVE-2024-46956 ghostscript: Out-of-Bounds Data Access in Ghostscript Leads to Arbitrary Code Execution
 * Mon Jul 08 2024 Zdenek Dohnal - 9.54.0-17
 - RHEL-44759 CVE-2024-33870 ghostscript: path traversal to arbitrary files if the current directory is in the permitted paths