!179 Sync some patches from community

From: @hugel 
Reviewed-by: @zhujianwei001 
Signed-off-by: @zhujianwei001

backport-CVE-2024-46951.patch

@@ -0,0 +1,31 @@
+From ada21374f0c90cc3acf7ce0e96302394560c7aee Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Fri, 30 Aug 2024 13:16:39 +0100
+Subject: [PATCH] PS interpreter - check the type of the Pattern Implementation
+
+Bug #707991
+
+See bug report for details.
+
+CVE-2024-46951
+---
+ psi/zcolor.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/psi/zcolor.c b/psi/zcolor.c
+index d4e7a4438..d3384d75d 100644
+--- a/psi/zcolor.c
++++ b/psi/zcolor.c
+@@ -5276,6 +5276,9 @@ static int patterncomponent(i_ctx_t * i_ctx_p, ref *space, int *n)
+             code = array_get(imemory, pImpl, 0, &pPatInst);
+             if (code < 0)
+                 return code;
++
++            if (!r_is_struct(&pPatInst) || (!r_has_stype(&pPatInst, imemory, st_pattern1_instance) && !r_has_stype(&pPatInst, imemory, st_pattern2_instance)))
++                return_error(gs_error_typecheck);
+             cc.pattern = r_ptr(&pPatInst, gs_pattern_instance_t);
+             if (pattern_instance_uses_base_space(cc.pattern))
+                 *n = n_comps;
+-- 
+2.34.1
+

backport-CVE-2024-46955.patch

@@ -0,0 +1,60 @@
+From ca1fc2aefe9796e321d0589afe7efb35063c8b2a Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Fri, 30 Aug 2024 13:11:53 +0100
+Subject: [PATCH] PS interpreter - check Indexed colour space index
+
+Bug #707990 "Out of bounds read when reading color in "Indexed" color space"
+
+Check the 'index' is in the valid range (0 to hival) for the colour
+space.
+
+Also a couple of additional checks on the type of the 'proc' for
+Indexed, DeviceN and Separation spaces. Make sure these really are
+procs in case the user changed the colour space array.
+
+CVE-2024-46955
+---
+ psi/zcolor.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/psi/zcolor.c b/psi/zcolor.c
+index 373bc06..7c00033 100644
+--- a/psi/zcolor.c
++++ b/psi/zcolor.c
+@@ -3635,6 +3635,7 @@ static int septransform(i_ctx_t *i_ctx_p, ref *sepspace, int *usealternate, int
+         code = array_get(imemory, sepspace, 3, &proc);
+         if (code < 0)
+             return code;
++        check_proc(proc);
+         *esp = proc;
+         return o_push_estack;
+     }
+@@ -4457,6 +4458,7 @@ static int devicentransform(i_ctx_t *i_ctx_p, ref *devicenspace, int *usealterna
+         code = array_get(imemory, devicenspace, 3, &proc);
+         if (code < 0)
+             return code;
++		check_proc(proc);
+         *esp = proc;
+         return o_push_estack;
+     }
+@@ -4872,6 +4874,7 @@ static int indexedbasecolor(i_ctx_t * i_ctx_p, ref *space, int base, int *stage,
+             code = array_get(imemory, space, 3, &proc);
+             if (code < 0)
+                 return code;
++            check_proc(proc);
+             *ep = proc;	/* lookup proc */
+             return o_push_estack;
+         } else {
+@@ -4885,6 +4888,9 @@ static int indexedbasecolor(i_ctx_t * i_ctx_p, ref *space, int base, int *stage,
+             if (!r_has_type(op, t_integer))
+                 return_error (gs_error_typecheck);
+             index = op->value.intval;
++            /* Ensure it is in range. See bug #707990 */
++            if (index < 0 || index > pcs->params.indexed.hival)
++                return_error(gs_error_rangecheck);
+             /* And remove it from the stack. */
+             pop(1);
+             op = osp;
+-- 
+2.33.0
+

backport-CVE-2024-46956.patch

@@ -0,0 +1,30 @@
+From ea69a1388245ad959d31c272b5ba66d40cebba2c Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Tue, 23 Jul 2024 11:48:39 +0100
+Subject: [PATCH] PostScript interpreter - fix buffer length check
+
+Bug 707895
+
+See bug report for details.
+
+CVE-2024-46956
+---
+ psi/zfile.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/psi/zfile.c b/psi/zfile.c
+index fe3f7e9..027f412 100644
+--- a/psi/zfile.c
++++ b/psi/zfile.c
+@@ -440,7 +440,7 @@ file_continue(i_ctx_t *i_ctx_p)
+         if (code == ~(uint) 0) {    /* all done */
+             esp -= 5;               /* pop proc, pfen, devlen, iodev , mark */
+             return o_pop_estack;
+-        } else if (code > len) {      /* overran string */
++        } else if (code > len - devlen) {      /* overran string */
+             return_error(gs_error_rangecheck);
+         }
+         else if (iodev != iodev_default(imemory)
+-- 
+2.27.0
+

backport-CVE-2025-27830.patch

@@ -0,0 +1,55 @@
+Backport of:
+
+From 8474e1d6b896e35741d3c608ea5c21deeec1078f Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Mon, 13 Jan 2025 09:15:01 +0000
+Subject: Bug 708241: Fix potential Buffer overflow with DollarBlend
+
+During serializing a multiple master font for passing to Freetype.
+
+Use CVE-2025-27830
+---
+ base/write_t1.c | 9 +++++----
+ psi/zfapi.c     | 9 +++++++--
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+--- a/base/write_t1.c
++++ b/base/write_t1.c
+@@ -454,6 +454,7 @@ write_main_dictionary(gs_fapi_font * a_f
+     WRF_wbyte(a_fapi_font->memory, a_output, '\n');
+     if (is_MM_font(a_fapi_font)) {
+         short x, x2;
++        unsigned short ux;
+         float x1;
+         uint i, j, entries;
+         char Buffer[255];
+@@ -548,14 +549,14 @@ write_main_dictionary(gs_fapi_font * a_f
+          * be because the "get_proc" method below was missing the code to handle PS name
+          * objects.
+          */
+-        if ((x =
++        if ((ux =
+              a_fapi_font->get_word(a_fapi_font,
+                                    gs_fapi_font_feature_DollarBlend_length,
+                                    0)) > 0) {
+             WRF_wstring(a_fapi_font->memory, a_output, "/$Blend {");
+ 
+             if (a_output->m_count)
+-                a_output->m_count += x;
++                a_output->m_count += ux;
+             x = a_fapi_font->get_proc(a_fapi_font,
+                                       gs_fapi_font_feature_DollarBlend, 0,
+                                       (char *)a_output->m_pos);
+--- a/psi/zfapi.c
++++ b/psi/zfapi.c
+@@ -618,6 +618,10 @@ FAPI_FF_get_word(gs_fapi_font *ff, gs_fa
+                         default:
+                             break;
+                     }
++
++                    if (length > max_ushort) {
++                        return 0;
++                    }
+                 }
+                 return length;
+             }

backport-CVE-2025-27832.patch

@@ -0,0 +1,41 @@
+From 36ac25fca7ba65a2a24d96d553e8dd63990210b9 Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Wed, 20 Nov 2024 11:42:31 +0000
+Subject: Bug 708133: Avoid integer overflow leading to buffer overflow
+
+The calculation of the buffer size was being done with int values, and
+overflowing that data type. By leaving the total size calculation to the
+memory manager, the calculation ends up being done in size_t values, and
+avoiding the overflow in this case, but also meaning the memory manager
+overflow protection will be effective.
+
+CVE-2025-27832
+---
+ contrib/japanese/gdevnpdl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/contrib/japanese/gdevnpdl.c b/contrib/japanese/gdevnpdl.c
+index 60065bacf..4967282bd 100644
+--- a/contrib/japanese/gdevnpdl.c
++++ b/contrib/japanese/gdevnpdl.c
+@@ -587,7 +587,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
+     int code;
+     int maxY = lprn->BlockLine / lprn->nBh * lprn->nBh;
+ 
+-    if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)")))
++    if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size, maxY, "npdl_print_page_copies(CompBuf)")))
+         return_error(gs_error_VMerror);
+ 
+         /* Initialize printer */
+@@ -683,7 +683,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
+     /* Form Feed */
+     gp_fputs("\014", prn_stream);
+ 
+-    gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)");
++    gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size, maxY, "npdl_print_page_copies(CompBuf)");
+     return 0;
+ }
+ 
+-- 
+cgit v1.2.3
+

backport-CVE-2025-27835.patch

@@ -0,0 +1,30 @@
+From 920fae688705b3a25a1f8925f3837219a6243565 Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Wed, 20 Nov 2024 11:27:52 +0000
+Subject: Bug 708131: Fix confusion between bytes and shorts
+
+We were copying data from a string in multiple of shorts, rather than multiple
+of bytes, leading to both an read (probably benign, given the memory manager)
+and write buffer overflow.
+
+CVE-2025-27835
+---
+ psi/zbfont.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/psi/zbfont.c b/psi/zbfont.c
+index acffb39ef..5850ab54d 100644
+--- a/psi/zbfont.c
++++ b/psi/zbfont.c
+@@ -253,7 +253,7 @@ gs_font_map_glyph_to_unicode(gs_font *font, gs_glyph glyph, int ch, ushort *u, u
+                     if (l > length)
+                         return l;
+ 
+-                    memcpy(unicode_return, v->value.const_bytes, l * sizeof(short));
++                    memcpy(unicode_return, v->value.const_bytes, l);
+                     return l;
+                 }
+                 if (r_type(v) == t_integer) {
+-- 
+cgit v1.2.3
+

backport-CVE-2025-27836.patch

@@ -0,0 +1,60 @@
+From db77f4c0ce0298625f75059cb6b8c31e61350753 Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Mon, 13 Jan 2025 09:07:57 +0000
+Subject: Bug 708192: Fix potential print buffer overflow
+
+CVE-2025-27836
+---
+ contrib/japanese/gdev10v.c | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/contrib/japanese/gdev10v.c b/contrib/japanese/gdev10v.c
+index 0bd3cec02..9d27573dc 100644
+--- a/contrib/japanese/gdev10v.c
++++ b/contrib/japanese/gdev10v.c
+@@ -199,17 +199,25 @@ bj10v_print_page(gx_device_printer *pdev, gp_file *prn_stream)
+         int bytes_per_column = bits_per_column / 8;
+         int x_skip_unit = bytes_per_column * (xres / 180);
+         int y_skip_unit = (yres / 180);
+-        byte *in = (byte *)gs_malloc(pdev->memory->non_gc_memory, 8, line_size, "bj10v_print_page(in)");
+-        /* We need one extra byte in <out> for our sentinel. */
+-        byte *out = (byte *)gs_malloc(pdev->memory->non_gc_memory, bits_per_column * line_size + 1, 1, "bj10v_print_page(out)");
++        byte *in, *out;
+         int lnum = 0;
+         int y_skip = 0;
+         int code = 0;
+         int blank_lines = 0;
+         int bytes_per_data = ((xres == 360) && (yres == 360)) ? 1 : 3;
+ 
+-        if ( in == 0 || out == 0 )
+-                return -1;
++        if (bits_per_column == 0 || line_size > (max_int - 1) / bits_per_column) {
++            code = gs_note_error(gs_error_rangecheck);
++            goto error;
++        }
++
++        in = (byte *)gs_malloc(pdev->memory->non_gc_memory, 8, line_size, "bj10v_print_page(in)");
++        /* We need one extra byte in <out> for our sentinel. */
++        out = (byte *)gs_malloc(pdev->memory->non_gc_memory, bits_per_column * line_size + 1, 1, "bj10v_print_page(out)");
++        if ( in == NULL || out == NULL ) {
++            code = gs_note_error(gs_error_VMerror);
++            goto error;
++        }
+ 
+         /* Initialize the printer. */
+         prn_puts(pdev, "\033@");
+@@ -320,8 +328,10 @@ notz:
+            }
+ 
+         /* Eject the page */
+-xit:	prn_putc(pdev, 014);	/* form feed */
++xit:
++        prn_putc(pdev, 014); /* form feed */
+         prn_flush(pdev);
++error:
+         gs_free(pdev->memory->non_gc_memory, (char *)out, bits_per_column, line_size, "bj10v_print_page(out)");
+         gs_free(pdev->memory->non_gc_memory, (char *)in, 8, line_size, "bj10v_print_page(in)");
+         return code;
+-- 
+cgit v1.2.3
+

backport-Fix-memory-leak-in-pdfwrite-device.patch

@@ -0,0 +1,45 @@
+From 90f0f92bf6bf9c346cd3f74adaa42a7c8a3702cb Mon Sep 17 00:00:00 2001
+From: Nancy Durgin <nancy.durgin@artifex.com>
+Date: Wed, 22 Jul 2020 12:24:05 -0700
+Subject: [PATCH] Fix memory leak in pdfwrite device
+
+This appears to only be a memory leak for non-garbage-collected interpreters
+such as pdfi.
+
+sclose() calls s_disable() which sets s->cbuf to 0.
+But it also calls client callbacks that might do things with cbuf first, so
+it will crash if we free it before calling sclose().
+Side-effects galore! :(
+
+Anyway, we save the pointer before doing the sclose() so we can
+properly free it afterwards.
+---
+ devices/vector/gdevpdfu.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/devices/vector/gdevpdfu.c b/devices/vector/gdevpdfu.c
+index 2b2af1d32..f58999444 100644
+--- a/devices/vector/gdevpdfu.c
++++ b/devices/vector/gdevpdfu.c
+@@ -1186,6 +1186,7 @@ stream_to_none(gx_device_pdf * pdev)
+         }
+         if (pdev->compression_at_page_start == pdf_compress_Flate) {	/* Terminate the filters. */
+             stream *fs = s->strm;
++            byte *buf;
+ 
+             if (!pdev->binary_ok) {
+                 sclose(s);	/* Terminate the ASCII85 filter. */
+@@ -1194,8 +1195,9 @@ stream_to_none(gx_device_pdf * pdev)
+                 pdev->strm = s = fs;
+                 fs = s->strm;
+             }
++            buf = s->cbuf; /* Save because sclose may zero it out (causing memory leak) */
+             sclose(s);		/* Next terminate the compression filter */
+-            gs_free_object(pdev->pdf_memory, s->cbuf, "zlib buffer");
++            gs_free_object(pdev->pdf_memory, buf, "zlib buffer");
+             gs_free_object(pdev->pdf_memory, s, "zlib stream");
+             pdev->strm = fs;
+         }
+-- 
+2.33.0
+

backport-Fix-memory-leak-on-error-in-bitmap_paint-and-its-cal.patch

@@ -0,0 +1,67 @@
+From 776cf430dd1a96a7da33c0d33af9a6dd42bffec0 Mon Sep 17 00:00:00 2001
+From: Julian Smith <jules@op59.net>
+Date: Mon, 25 May 2020 11:59:52 +0100
+Subject: [PATCH] Fix memory leak on error in bitmap_paint() and its callers.
+
+Previously, bitmap_paint() would free its 'gs_image_enum * pen' arg, but caller
+image_PaintProc() could also attempt to free this in one error path.
+
+So have changed bitmap_paint() to only free what it allocates - call
+gs_image_cleanup() instead of gs_image_cleanup_and_free_enum(); and patched
+its two callers, mask_PaintProc() and image_PaintProc(), to add calls to
+gs_free_object(pen).
+
+Fixes leak in:
+    MEMENTO_FAILAT=15601 ./ghostpdl/membin/gpcl6 -sDEVICE=pbmraw -o /dev/null tests_private/pcl/pcl5cfts/fts.0954
+---
+ base/gsptype1.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/base/gsptype1.c b/base/gsptype1.c
+index 57c856596..e7f41eac2 100644
+--- a/base/gsptype1.c
++++ b/base/gsptype1.c
+@@ -808,10 +808,10 @@ static int bitmap_paint(gs_image_enum * pen, gs_data_image_t * pim,
+ static int
+ mask_PaintProc(const gs_client_color * pcolor, gs_gstate * pgs)
+ {
++    int code;
+     const pixmap_info *ppmap = gs_getpattern(pcolor)->client_data;
+     const gs_depth_bitmap *pbitmap = &(ppmap->bitmap);
+-    gs_image_enum *pen =
+-    gs_image_enum_alloc(gs_gstate_memory(pgs), "mask_PaintProc");
++    gs_image_enum *pen = gs_image_enum_alloc(gs_gstate_memory(pgs), "mask_PaintProc");
+     gs_image1_t mask;
+ 
+     if (pen == 0)
+@@ -820,7 +820,9 @@ mask_PaintProc(const gs_client_color * pcolor, gs_gstate * pgs)
+     mask.Width = pbitmap->size.x;
+     mask.Height = pbitmap->size.y;
+     gs_image_init(pen, &mask, false, false, pgs);
+-    return bitmap_paint(pen, (gs_data_image_t *) & mask, pbitmap, pgs);
++    code = bitmap_paint(pen, (gs_data_image_t *) & mask, pbitmap, pgs);
++    gs_free_object(gs_gstate_memory(pgs), pen, "mask_PaintProc");
++    return code;
+ }
+ static int
+ image_PaintProc(const gs_client_color * pcolor, gs_gstate * pgs)
+@@ -896,6 +898,7 @@ image_PaintProc(const gs_client_color * pcolor, gs_gstate * pgs)
+                                      (gs_data_image_t *)&image,
+                                      pgs )) >= 0 &&
+         (code = bitmap_paint(pen, (gs_data_image_t *) & image, pbitmap, pgs)) >= 0) {
++        gs_free_object(gs_gstate_memory(pgs), pen, "image_PaintProc");
+         return gs_grestore(pgs);
+     }
+     /* Failed above, need to undo the gsave */
+@@ -922,7 +925,7 @@ bitmap_paint(gs_image_enum * pen, gs_data_image_t * pim,
+     else
+         for (n = pim->Height; n > 0 && code >= 0; dp += raster, --n)
+             code = gs_image_next(pen, dp, nbytes, &used);
+-    code1 = gs_image_cleanup_and_free_enum(pen, pgs);
++    code1 = gs_image_cleanup(pen, pgs);
+     if (code >= 0 && code1 < 0)
+         code = code1;
+     return code;
+-- 
+2.33.0
+

backport-Fix-memory-leaks-in-tiffsep.patch

@@ -0,0 +1,139 @@
+From ba2fdf5517af3bcd8a613fda84c532307d1e7024 Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Fri, 29 May 2020 17:22:40 +0100
+Subject: [PATCH] Fix memory leaks in tiffsep.
+
+Calling TIFFCleanup doesn't close the underlying tiffio. Call
+TIFFClose instead.
+
+Now the tiff io close handler is actually called, be careful
+not to close the underlying file twice.
+
+Finally, actually remember to close the comp file.
+---
+ base/gstiffio.c    | 20 +++++++++++---------
+ devices/gdevtifs.c |  2 +-
+ devices/gdevtsep.c |  8 +++-----
+ 3 files changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/base/gstiffio.c b/base/gstiffio.c
+index ff67dc5e5..2ea8c54bd 100644
+--- a/base/gstiffio.c
++++ b/base/gstiffio.c
+@@ -105,11 +105,13 @@ gs_tifsCloseProc(thandle_t fd)
+ {
+     tifs_io_private *tiffio = (tifs_io_private *)fd;
+     gx_device_printer *pdev = tiffio->pdev;
+-    int code = gp_fclose(tiffio->f);
+-    
++
++    /* We don't close tiffio->f as this will be closed later by the
++     * device. */
++
+     gs_free(pdev->memory, tiffio, sizeof(tifs_io_private), 1, "gs_tifsCloseProc");
+ 
+-    return code;
++    return 0;
+ }
+ 
+ static uint64_t
+@@ -122,12 +124,12 @@ gs_tifsSizeProc(thandle_t fd)
+     if (curpos < 0) {
+         return(0);
+     }
+-    
++
+     if (gp_fseek(tiffio->f, (gs_offset_t)0, SEEK_END) < 0) {
+         return(0);
+     }
+     length = (uint64_t)gp_ftell(tiffio->f);
+-    
++
+     if (gp_fseek(tiffio->f, curpos, SEEK_SET) < 0) {
+         return(0);
+     }
+@@ -152,7 +154,7 @@ tiff_from_filep(gx_device_printer *dev,  const char *name, gp_file *filep, int b
+         mode[modelen++] = '8';
+ 
+     mode[modelen] = (char)0;
+-    
++
+     tiffio = (tifs_io_private *)gs_malloc(dev->memory, sizeof(tifs_io_private), 1, "tiff_from_filep");
+     if (!tiffio) {
+         return NULL;
+@@ -173,7 +175,7 @@ static void
+ gs_tifsWarningHandlerEx(thandle_t client_data, const char* module, const char* fmt, va_list ap)
+ {
+     tifs_io_private *tiffio = (tifs_io_private *)client_data;
+-    gx_device_printer *pdev = tiffio->pdev;    
++    gx_device_printer *pdev = tiffio->pdev;
+     int count;
+     char buf[TIFF_PRINT_BUF_LENGTH];
+ 
+@@ -190,7 +192,7 @@ static void
+ gs_tifsErrorHandlerEx(thandle_t client_data, const char* module, const char* fmt, va_list ap)
+ {
+     tifs_io_private *tiffio = (tifs_io_private *)client_data;
+-    gx_device_printer *pdev = tiffio->pdev;    
++    gx_device_printer *pdev = tiffio->pdev;
+     const char *max_size_error = "Maximum TIFF file size exceeded";
+     int count;
+     char buf[TIFF_PRINT_BUF_LENGTH];
+@@ -242,7 +244,7 @@ TIFFOpen(const char* name, const char* mode)
+ {
+     (void)name;
+     (void)mode;
+-    
++
+     return(NULL);
+ }
+ 
+diff --git a/devices/gdevtifs.c b/devices/gdevtifs.c
+index de30a934b..6b5ff41a4 100644
+--- a/devices/gdevtifs.c
++++ b/devices/gdevtifs.c
+@@ -74,7 +74,7 @@ tiff_close(gx_device * pdev)
+     gx_device_tiff *const tfdev = (gx_device_tiff *)pdev;
+ 
+     if (tfdev->tif)
+-        TIFFCleanup(tfdev->tif);
++        TIFFClose(tfdev->tif);
+ 
+     if (tfdev->icclink != NULL)
+     {
+diff --git a/devices/gdevtsep.c b/devices/gdevtsep.c
+index 5142d0d0c..2b14c4e90 100644
+--- a/devices/gdevtsep.c
++++ b/devices/gdevtsep.c
+@@ -1813,7 +1813,7 @@ tiffsep_close_sep_file(tiffsep_device *tfdev, const char *fn, int comp_num)
+     int code;
+ 
+     if (tfdev->tiff[comp_num]) {
+-        TIFFCleanup(tfdev->tiff[comp_num]);
++        TIFFClose(tfdev->tiff[comp_num]);
+         tfdev->tiff[comp_num] = NULL;
+     }
+ 
+@@ -1832,7 +1832,7 @@ tiffsep_close_comp_file(tiffsep_device *tfdev, const char *fn)
+     int code;
+ 
+     if (tfdev->tiff_comp) {
+-        TIFFCleanup(tfdev->tiff_comp);
++        TIFFClose(tfdev->tiff_comp);
+         tfdev->tiff_comp = NULL;
+     }
+ 
+@@ -2577,9 +2577,7 @@ cleanup:
+             }
+         }
+         TIFFWriteDirectory(tfdev->tiff_comp);
+-        if (fmt) {
+-            code = tiffsep_close_comp_file(tfdev, pdev->fname);
+-        }
++        code = tiffsep_close_comp_file(tfdev, pdev->fname);
+         if (code1 < 0) {
+             code = code1;
+         }
+-- 
+2.33.0
+

ghostscript.spec

@@ -9,7 +9,7 @@
 
 Name:             ghostscript
 Version:          9.52
-Release:          17
+Release:          23
 Summary:          An interpreter for PostScript and PDF files
 License:          AGPLv3+
 URL:              https://ghostscript.com/
@@ -61,6 +61,16 @@ Patch42:  fix-CVE-2024-33870.patch
 Patch43: backport-CVE-2024-29508.patch
 Patch44:  fix-CVE-2024-33871.patch
 Patch45:  backport-CVE-2024-46953.patch
+Patch46:  backport-CVE-2024-46956.patch
+Patch47:  backport-CVE-2024-46955.patch
+Patch48:  backport-CVE-2024-46951.patch
+Patch49:  backport-CVE-2025-27830.patch
+Patch50:  backport-CVE-2025-27832.patch
+Patch51:  backport-CVE-2025-27835.patch
+Patch52:  backport-CVE-2025-27836.patch
+Patch53:  backport-Fix-memory-leak-in-pdfwrite-device.patch
+Patch54:  backport-Fix-memory-leak-on-error-in-bitmap_paint-and-its-cal.patch
+Patch55:  backport-Fix-memory-leaks-in-tiffsep.patch
 
 BuildRequires:    automake gcc
 BuildRequires:    adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@@ -221,6 +231,45 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
 %{_bindir}/dvipdf
 
 %changelog
+* Thu Apr 17 2025 hugel <gengqihu2@h-partners.com> - 9.52-23
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:Sync some patches from community
+       backport-Fix-memory-leak-in-pdfwrite-device.patch
+       backport-Fix-memory-leak-on-error-in-bitmap_paint-and-its-cal.patch
+       backport-Fix-memory-leaks-in-tiffsep.patch
+
+* Tue Apr 01 2025 Funda Wang <fundawang@yeah.net> - 9.52-22
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: Fix CVE-2025-27830
+
+* Thu Mar 27 2025 Funda Wang <fundawang@yeah.net> - 9.52-21
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: Fix CVE-2025-27832, CVE-2025-27835, CVE-2025-27836
+
+* Fri Nov 01 2024 liningjie <liningjie@xfusion.com> - 9.52-20
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: Fix CVE-2024-46951
+
+* Wed Oct 30 2024 liningjie <liningjie@xfusion.com> - 9.52-19
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: Fix CVE-2024-46955
+
+* Fri Oct 25 2024 liningjie <liningjie@xfusion.com> - 9.52-18
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DECS: Fix CVE-2024-46956
+
 * Fri Oct 25 2024 liningjie <liningjie@xfusion.com> - 9.52-17
 - Type:CVE
 - ID:NA