diff --git a/bugfix-for-cve-2025-27834.patch b/bugfix-for-cve-2025-27834.patch
new file mode 100644
index 0000000000000000000000000000000000000000..aaf75db2d619dba863909534dc3ede35b5ea7072
--- /dev/null
+++ b/bugfix-for-cve-2025-27834.patch
@@ -0,0 +1,53 @@
+From 3885f8307726fa7611b39fa1376403406bdbd55c Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra
+Date: Mon, 20 Jan 2025 16:13:46 +0000
+Subject: PDF interpreter - Guard against unsigned int overflow
+
+Bug #708253 - see bug report for details.
+
+CVE-2025-27834
+---
+ pdf/pdf_func.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/pdf/pdf_func.c b/pdf/pdf_func.c
+index 635fdac54..93492c783 100644
+--- a/pdf/pdf_func.c
++++ b/pdf/pdf_func.c
+@@ -153,6 +153,9 @@ pdfi_parse_type4_func_stream(pdf_context *ctx, pdf_c_stream *function_stream, in
+ byte *p = (ops ? ops + *size : NULL);
+
+ while (1) {
++ if (*size > max_uint / 2)
++ return gs_note_error(gs_error_VMerror);
++
+ c = pdfi_read_byte(ctx, function_stream);
+ if (c < 0)
+ break;
+@@ -321,6 +324,11 @@ pdfi_build_function_4(pdf_context *ctx, gs_function_params_t * mnDR,
+ if (code < 0)
+ goto function_4_error;
+
++ if (size > max_uint - 1) {
++ code = gs_note_error(gs_error_VMerror);
++ goto function_4_error;
++ }
++
+ ops = gs_alloc_string(ctx->memory, size + 1, "pdfi_build_function_4(ops)");
+ if (ops == NULL) {
+ code = gs_error_VMerror;
+@@ -825,6 +833,11 @@ int pdfi_build_halftone_function(pdf_context *ctx, gs_function_t ** ppfn, byte *
+ if (code < 0)
+ goto halftone_function_error;
+
++ if (size > max_uint - 1) {
++ code = gs_note_error(gs_error_VMerror);
++ goto halftone_function_error;
++ }
++
+ ops = gs_alloc_string(ctx->memory, size + 1, "pdfi_build_halftone_function(ops)");
+ if (ops == NULL) {
+ code = gs_error_VMerror;
+--
+cgit v1.2.3
+
diff --git a/ghostscript.spec b/ghostscript.spec
index f6f1494e95e55897b9f73b957323c031ac16afd2..aebd76858b4f835b320135d133fbaf7cd5f98a02 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
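Review bot: The three guards this patch adds to pdf/pdf_func.c carry no comment saying which later arithmetic they protect, and the first one, `if (*size > max_uint / 2)` at the top of the `while (1)` loop in pdfi_parse_type4_func_stream, relies on an invariant the hunk does not show: that a single pass through the loop cannot grow `*size` by more than the remaining headroom. I would state that in place, e.g. `/* keep *size far enough below max_uint that the increments in this iteration cannot wrap */`. Above each `size > max_uint - 1` check in pdfi_build_function_4 and pdfi_build_halftone_function I would add `/* size + 1 below must not wrap to 0 and yield an undersized ops buffer */`, which assumes `size` is an unsigned int as the commit subject suggests. All three guards report `gs_error_VMerror` for what is an input-size limit rather than an allocation failure; presumably that mirrors the neighbouring `ops == NULL` path, but it makes an oversized function stream look like memory exhaustion when the error is triaged. The bodies of all three functions start and end outside the quoted hunks.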
@@ -1,4 +1,4 @@ -%define anolis_release 2 +%define anolis_release 3 %global _hardened_build 1 %global _docdir_fmt %{name} @@ -74,6 +74,11 @@ Patch7: bugfix-for-cve-2025-27832.patch # Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=477e36cfa1f Patch8: bugfix-for-cve-2025-27833.patch +# CVE-2025-27834 +# Tracking bug: https://bugs.ghostscript.com/show_bug.cgi?id=708253 +# Upstream fix: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=3885f830772 +Patch9: bugfix-for-cve-2025-27834.patch + %description Ghostscript is an interpreter for PostScript® and Portable Document Format (PDF) files. @@ -198,7 +203,6 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/ %files -n libgs %license LICENSE doc/COPYING -%dir %{_datadir}/%{name}/conf.d/ %{_libdir}/libgs.so.* %dir %{abidir} %{abidir}/*.dump @@ -268,6 +272,9 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/ %changelog +* Sun Apr 27 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 10.03.0-3 +- Fix CVE-2025-27834 + * Thu Apr 24 2025 tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com> - 10.03.0-2 - Fix CVE-2025-27833