From f49812186baa7d1362880673408a6fbe8719b4f8 Mon Sep 17 00:00:00 2001
From: Zdenek Hutyra <zhutyra@centrum.cz>
Date: Fri, 30 Aug 2024 13:16:39 +0100
Subject: [PATCH] PS interpreter - check the type of the Pattern Implementation

Bug #707991

See bug report for details.

CVE-2024-46951
---
 psi/zcolor.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/psi/zcolor.c b/psi/zcolor.c
index d4e7a4438..d3384d75d 100644
--- a/psi/zcolor.c
+++ b/psi/zcolor.c
@@ -5276,6 +5276,9 @@ static int patterncomponent(i_ctx_t * i_ctx_p, ref *space, int *n)
             code = array_get(imemory, pImpl, 0, &pPatInst);
             if (code < 0)
                 return code;
+
+            if (!r_is_struct(&pPatInst) || (!r_has_stype(&pPatInst, imemory, st_pattern1_instance) && !r_has_stype(&pPatInst, imemory, st_pattern2_instance)))
+                return_error(gs_error_typecheck);
             cc.pattern = r_ptr(&pPatInst, gs_pattern_instance_t);
             if (pattern_instance_uses_base_space(cc.pattern))
                 *n = n_comps;
-- 
2.49.0