From df75ada1e221567e27eb1a4de184e9dd505e1a63 Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Wed, 16 Apr 2025 13:12:01 +0200
Subject: [PATCH] RHEL-67046 CVE-2024-46951 ghostscript: Arbitrary Code Execution in Artifex Ghostscript Pattern Color Space
Resolves: RHEL-67046
---
 ...heck-the-type-of-the-Pattern-Impleme.patch | 31 +++++++++++++++++++
 ghostscript.spec | 3 ++
 2 files changed, 34 insertions(+)
 create mode 100644 0001-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch
diff --git a/0001-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch b/0001-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch
new file mode 100644
index 0000000..4fd4c18
--- /dev/null
+++ b/0001-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch
@@ -0,0 +1,31 @@
+From f49812186baa7d1362880673408a6fbe8719b4f8 Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra
+Date: Fri, 30 Aug 2024 13:16:39 +0100
+Subject: [PATCH] PS interpreter - check the type of the Pattern Implementation
+
+Bug #707991
+
+See bug report for details.
+
+CVE-2024-46951
+---
+ psi/zcolor.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/psi/zcolor.c b/psi/zcolor.c
+index d4e7a4438..d3384d75d 100644
+--- a/psi/zcolor.c
++++ b/psi/zcolor.c
+@@ -5276,6 +5276,9 @@ static int patterncomponent(i_ctx_t * i_ctx_p, ref *space, int *n)
+ code = array_get(imemory, pImpl, 0, &pPatInst);
+ if (code < 0)
+ return code;
++
++ if (!r_is_struct(&pPatInst) || (!r_has_stype(&pPatInst, imemory, st_pattern1_instance) && !r_has_stype(&pPatInst, imemory, st_pattern2_instance)))
++ return_error(gs_error_typecheck);
+ cc.pattern = r_ptr(&pPatInst, gs_pattern_instance_t);
+ if (pattern_instance_uses_base_space(cc.pattern))
+ *n = n_comps;
+--
+2.49.0
+
diff --git a/ghostscript.spec b/ghostscript.spec
index 9c395c3..7dbd8d6 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
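Review bot: The guard added to patterncomponent() in psi/zcolor.c (inside the new 0001-PS-interpreter patch file) has no comment explaining why it is there, and the whole test sits on one long line that is hard to audit. I would add a comment above it such as `/* pPatInst is taken from the Implementation array: confirm it is a pattern instance struct before r_ptr() casts it */` and break the condition after the `||`. The placement looks right for this site, because `r_ptr(&pPatInst, gs_pattern_instance_t)` on the following line trusts the ref's type without checking it. Only this one use is visible here; whether other code in the 9.27 sources casts the Implementation entry the same way cannot be told from the hunk and is worth confirming against the backport target. patterncomponent() starts and ends outside the hunk.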
@@ -133,6 +133,8 @@ Patch027: 0001-Bug-701949-Add-omitEOD-flag-to-RLE-compressor-and-us.patch
 # RHEL-18396 CVE-2023-46751 ghostscript: dangling pointer in gdev_prn_open_printer_seekable()
 # partially taken from https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=dcdbc595c13c9
 Patch028: gs-CVE-2023-46751.patch
+# RHEL-67046 CVE-2024-46951 ghostscript: Arbitrary Code Execution in Artifex Ghostscript Pattern Color Space
+Patch029: 0001-PS-interpreter-check-the-type-of-the-Pattern-Impleme.patch
 # Downstream patches -- these should be always included when doing rebase:
@@ -475,6 +477,7 @@ done
 %changelog
 * Tue Apr 15 2025 Zdenek Dohnal - 9.27-16
 - RHEL-18396 CVE-2023-46751 ghostscript: dangling pointer in gdev_prn_open_printer_seekable()
+- RHEL-67046 CVE-2024-46951 ghostscript: Arbitrary Code Execution in Artifex Ghostscript Pattern Color Space
 * Mon Oct 14 2024 Zdenek Dohnal - 9.27-15
 - fix printing PCL XL on some printers