- Applied patch to fix CVE-2009-0792 (bug #491853).

- Applied patch to fix CVE-2009-0196 (bug #493379).
- Applied patch to fix CVE-2008-6679 (bug #493445).

ghostscript-CVE-2008-6679.patch

@@ -0,0 +1,12 @@
+diff -up ghostscript-8.63/src/gdevpdtb.c.CVE-2008-6679 ghostscript-8.63/src/gdevpdtb.c
+--- ghostscript-8.63/src/gdevpdtb.c.CVE-2008-6679	2008-04-04 09:53:57.000000000 +0100
++++ ghostscript-8.63/src/gdevpdtb.c	2009-04-15 16:43:11.000000000 +0100
+@@ -133,7 +133,7 @@ pdf_base_font_alloc(gx_device_pdf *pdev,
+ 			&st_pdf_base_font, "pdf_base_font_alloc");
+     const gs_font_name *pfname = &font->font_name;
+     gs_const_string font_name;
+-    char fnbuf[3 + sizeof(long) / 3 + 1]; /* .F#######\0 */
++    char fnbuf[2*sizeof(long) + 3]; /* .F########\0 */
+     int code;
+ 
+     if (pbfont == 0)

ghostscript-CVE-2009-0196.patch

@@ -0,0 +1,19 @@
+diff -up ghostscript-8.63/jbig2dec/jbig2_symbol_dict.c.CVE-2009-0196 ghostscript-8.63/jbig2dec/jbig2_symbol_dict.c
+--- ghostscript-8.63/jbig2dec/jbig2_symbol_dict.c.CVE-2009-0196	2007-12-11 08:29:58.000000000 +0000
++++ ghostscript-8.63/jbig2dec/jbig2_symbol_dict.c	2009-04-15 16:40:13.000000000 +0100
+@@ -699,6 +699,15 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
+         exrunlength = params->SDNUMEXSYMS;
+       else
+         code = jbig2_arith_int_decode(IAEX, as, &exrunlength);
++      if (exrunlength > params->SDNUMEXSYMS - j) {
++        jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
++          "runlength too large in export symbol table (%d > %d - %d)\n",
++          exrunlength, params->SDNUMEXSYMS, j);
++        jbig2_sd_release(ctx, SDEXSYMS);
++        /* skip to the cleanup code and return SDEXSYMS = NULL */
++        SDEXSYMS = NULL;
++        break;
++      }
+       for(k = 0; k < exrunlength; k++)
+         if (exflag) {
+           SDEXSYMS->glyphs[j++] = (i < m) ? 

ghostscript-CVE-2009-0792.patch

@@ -0,0 +1,166 @@
+diff -up ghostscript-8.63/icclib/icc.c.CVE-2009-0792 ghostscript-8.63/icclib/icc.c
+--- ghostscript-8.63/icclib/icc.c.CVE-2009-0792	2009-04-15 16:37:49.000000000 +0100
++++ ghostscript-8.63/icclib/icc.c	2009-04-15 16:38:00.000000000 +0100
+@@ -2982,7 +2982,7 @@ static int icmCurve_lookup_fwd(
+ 			rv |= 1;
+ 		}
+ 		ix = (int)floor(val);		/* Coordinate */
+-		if (ix > (p->size-2))
++		if (ix < 0 || ix > (p->size-2))
+ 			ix = (p->size-2);
+ 		w = val - (double)ix;		/* weight */
+ 		val = p->data[ix];
+@@ -3004,6 +3004,11 @@ static int icmTable_setup_bwd(
+ ) {
+ 	int i;
+ 
++	if (size > INT_MAX - 2)
++		/* Although rt->size is unsigned long, the rt data
++		 * structure uses int data types to store indices. */
++		return 2;
++
+ 	rt->size = size;		/* Stash pointers to these away */
+ 	rt->data = data;
+ 	
+@@ -3022,7 +3027,7 @@ static int icmTable_setup_bwd(
+ 	rt->qscale = (double)rt->rsize/(rt->rmax - rt->rmin);	/* Scale factor to quantize to */
+ 	
+ 	/* Initialize the reverse lookup structures, and get overall min/max */
+-	if ((rt->rlists = (int **) icp->al->calloc(icp->al, 1, rt->rsize * sizeof(int *))) == NULL) {
++	if ((rt->rlists = (int **) icp->al->calloc(icp->al, rt->rsize, sizeof(int *))) == NULL) {
+ 		return 2;
+ 	}
+ 
+@@ -3035,6 +3040,15 @@ static int icmTable_setup_bwd(
+ 			int t;
+ 			t = s; s = e; e = t;
+ 		}
++		/* s and e should both be in the range [0,rt->rsize]
++		 * now, but let's not rely on floating point
++		 * calculations -- double-check. */
++		if (s < 0)
++			s = 0;
++		if (e < 0)
++			e = 0;
++		if (s >= rt->rsize)
++			s = rt->rsize-1;
+ 		if (e >= rt->rsize)
+ 			e = rt->rsize-1;
+ 
+@@ -3053,6 +3067,9 @@ static int icmTable_setup_bwd(
+ 				as = rt->rlists[j][0];	/* Allocate space for this list */
+ 				nf = rt->rlists[j][1];	/* Next free location in list */
+ 				if (nf >= as) {			/* need to expand space */
++					if (as > INT_MAX / 2 / sizeof (int))
++						return 2;
++
+ 					as *= 2;
+ 					rt->rlists[j] = (int *) icp->al->realloc(icp->al,rt->rlists[j], sizeof(int) * as);
+ 					if (rt->rlists[j] == NULL) {
+@@ -3104,7 +3121,7 @@ static int icmTable_lookup_bwd(
+ 		val = rsize_1;
+ 	ix = (int)floor(val);		/* Coordinate */
+ 
+-	if (ix > (rt->size-2))
++	if (ix < 0 || ix > (rt->size-2))
+ 		ix = (rt->size-2);
+ 	if (rt->rlists[ix] != NULL)  {		/* There is a list of fwd candidates */
+ 		/* For each candidate forward range */
+@@ -3131,6 +3148,7 @@ static int icmTable_lookup_bwd(
+ 	/* We have failed to find an exact value, so return the nearest value */
+ 	/* (This is slow !) */
+ 	val = fabs(ival - rt->data[0]);
++	/* rt->size is known to be < INT_MAX */
+ 	for (k = 0, i = 1; i < rt->size; i++) {
+ 		double er;
+ 		er = fabs(ival - rt->data[i]);
+@@ -3671,7 +3689,7 @@ static int icmData_allocate(
+ 	if (p->size != p->_size) {
+ 		if (p->data != NULL)
+ 			icp->al->free(icp->al, p->data);
+-		if ((p->data = (unsigned char *) icp->al->malloc(icp->al, p->size * sizeof(unsigned char))) == NULL) {
++		if ((p->data = (unsigned char *) icp->al->calloc(icp->al, p->size, sizeof(unsigned char))) == NULL) {
+ 			sprintf(icp->err,"icmData_alloc: malloc() of icmData data failed");
+ 			return icp->errc = 2;
+ 		}
+@@ -3887,7 +3905,7 @@ static int icmText_allocate(
+ 	if (p->size != p->_size) {
+ 		if (p->data != NULL)
+ 			icp->al->free(icp->al, p->data);
+-		if ((p->data = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) {
++		if ((p->data = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {
+ 			sprintf(icp->err,"icmText_alloc: malloc() of icmText data failed");
+ 			return icp->errc = 2;
+ 		}
+@@ -4301,7 +4319,7 @@ double *in		/* Input array[inputChan] */
+ 			rv |= 1;
+ 		}
+ 		ix = (int)floor(val);		/* Grid coordinate */
+-		if (ix > (p->inputEnt-2))
++		if (ix < 0 || ix > (p->inputEnt-2))
+ 			ix = (p->inputEnt-2);
+ 		w = val - (double)ix;		/* weight */
+ 		val = table[ix];
+@@ -4360,7 +4378,7 @@ double *in		/* Input array[outputChan] *
+ 				rv |= 1;
+ 			}
+ 			x = (int)floor(val);		/* Grid coordinate */
+-			if (x > clutPoints_2)
++			if (x < 0 || x > clutPoints_2)
+ 				x = clutPoints_2;
+ 			co[e] = val - (double)x;	/* 1.0 - weight */
+ 			gp += x * p->dinc[e];		/* Add index offset for base of cube */
+@@ -4433,7 +4451,7 @@ double *in		/* Input array[outputChan] *
+ 				rv |= 1;
+ 			}
+ 			x = (int)floor(val);		/* Grid coordinate */
+-			if (x > clutPoints_2)
++			if (x < 0 || x > clutPoints_2)
+ 				x = clutPoints_2;
+ 			co[e] = val - (double)x;	/* 1.0 - weight */
+ 			gp += x * p->dinc[e];		/* Add index offset for base of cube */
+@@ -4506,7 +4524,7 @@ double *in		/* Input array[outputChan] *
+ 			rv |= 1;
+ 		}
+ 		ix = (int)floor(val);		/* Grid coordinate */
+-		if (ix > (p->outputEnt-2))
++		if (ix < 0 || ix > (p->outputEnt-2))
+ 			ix = (p->outputEnt-2);
+ 		w = val - (double)ix;		/* weight */
+ 		val = table[ix];
+@@ -6714,7 +6732,7 @@ static int icmTextDescription_allocate(
+ 	if (p->size != p->_size) {
+ 		if (p->desc != NULL)
+ 			icp->al->free(icp->al, p->desc);
+-		if ((p->desc = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) {
++		if ((p->desc = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {
+ 			sprintf(icp->err,"icmTextDescription_alloc: malloc() of Ascii description failed");
+ 			return icp->errc = 2;
+ 		}
+@@ -7888,7 +7906,7 @@ static int icmUcrBg_allocate(
+ 	if (p->size != p->_size) {
+ 		if (p->string != NULL)
+ 			icp->al->free(icp->al, p->string);
+-		if ((p->string = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) {
++		if ((p->string = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {
+ 			sprintf(icp->err,"icmUcrBg_allocate: malloc() of string data failed");
+ 			return icp->errc = 2;
+ 		}
+@@ -8827,7 +8845,7 @@ static int icmCrdInfo_allocate(
+ 	if (p->ppsize != p->_ppsize) {
+ 		if (p->ppname != NULL)
+ 			icp->al->free(icp->al, p->ppname);
+-		if ((p->ppname = (char *) icp->al->malloc(icp->al, p->ppsize * sizeof(char))) == NULL) {
++		if ((p->ppname = (char *) icp->al->calloc(icp->al, p->ppsize, sizeof(char))) == NULL) {
+ 			sprintf(icp->err,"icmCrdInfo_alloc: malloc() of string data failed");
+ 			return icp->errc = 2;
+ 		}
+@@ -8837,7 +8855,7 @@ static int icmCrdInfo_allocate(
+ 		if (p->crdsize[t] != p->_crdsize[t]) {
+ 			if (p->crdname[t] != NULL)
+ 				icp->al->free(icp->al, p->crdname[t]);
+-			if ((p->crdname[t] = (char *) icp->al->malloc(icp->al, p->crdsize[t] * sizeof(char))) == NULL) {
++			if ((p->crdname[t] = (char *) icp->al->calloc(icp->al, p->crdsize[t], sizeof(char))) == NULL) {
+ 				sprintf(icp->err,"icmCrdInfo_alloc: malloc() of CRD%d name string failed",t);
+ 				return icp->errc = 2;
+ 			}

ghostscript.spec

@@ -5,7 +5,7 @@ Summary: A PostScript(TM) interpreter and renderer.
 Name: ghostscript
 Version: %{gs_ver}
 
-Release: 5%{?dist}
+Release: 6%{?dist}
 
 License: GPLv2
 URL: http://www.ghostscript.com/
@@ -22,6 +22,9 @@ Patch5: ghostscript-runlibfileifexists.patch
 Patch6: ghostscript-system-jasper.patch
 Patch7: ghostscript-pksmraw.patch
 Patch8: ghostscript-CVE-2009-0583,0584.patch
+Patch9: ghostscript-CVE-2009-0792.patch
+Patch10: ghostscript-CVE-2009-0196.patch
+Patch11: ghostscript-CVE-2008-6679.patch
 
 Requires: urw-fonts >= 1.1, ghostscript-fonts
 BuildRequires: libjpeg-devel, libXt-devel
@@ -109,6 +112,15 @@ rm -rf libpng zlib jpeg jasper
 # (bug #487744).
 %patch8 -p1 -b .CVE-2009-0583,0584
 
+# Applied patch to fix CVE-2009-0792 (bug #491853).
+%patch9 -p1 -b .CVE-2009-0792
+
+# Applied patch to fix CVE-2009-0196 (bug #493379).
+%patch10 -p1 -b .CVE-2009-0196
+
+# Applied patch to fix CVE-2008-6679 (bug #493445).
+%patch11 -p1 -b .CVE-2008-6679
+
 # Convert manual pages to UTF-8
 from8859_1() {
 	iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_"
@@ -293,6 +305,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/libgs.so
 
 %changelog
+* Wed Apr 15 2009 Tim Waugh <twaugh@redhat.com> 8.63-6
+- Applied patch to fix CVE-2009-0792 (bug #491853).
+- Applied patch to fix CVE-2009-0196 (bug #493379).
+- Applied patch to fix CVE-2008-6679 (bug #493445).
+
 * Fri Mar 20 2009 Tim Waugh <twaugh@redhat.com> 8.63-5
 - Applied patch to fix CVE-2009-0583 (bug #487742) and CVE-2009-0584
   (bug #487744).