From ae4b352a77b2b3fc0ea1e524c3ef7ae9de02dca5 Mon Sep 17 00:00:00 2001
From: hugel <2712504175@qq.com>
Date: Thu, 17 Apr 2025 14:45:35 +0800
Subject: [PATCH] Sync some patches from community

---
 ...t-Fix-memory-leak-in-pdfwrite-device.patch |  45 ++++++
 ...on-error-in-bitmap_paint-and-its-cal.patch |  67 +++++++++
 backport-Fix-memory-leaks-in-tiffsep.patch    | 139 ++++++++++++++++++
 ghostscript.spec                              |  14 +-
 4 files changed, 264 insertions(+), 1 deletion(-)
 create mode 100644 backport-Fix-memory-leak-in-pdfwrite-device.patch
 create mode 100644 backport-Fix-memory-leak-on-error-in-bitmap_paint-and-its-cal.patch
 create mode 100644 backport-Fix-memory-leaks-in-tiffsep.patch

diff --git a/backport-Fix-memory-leak-in-pdfwrite-device.patch b/backport-Fix-memory-leak-in-pdfwrite-device.patch
new file mode 100644
index 0000000..d5f86e6
--- /dev/null
+++ b/backport-Fix-memory-leak-in-pdfwrite-device.patch
@@ -0,0 +1,45 @@
+From 90f0f92bf6bf9c346cd3f74adaa42a7c8a3702cb Mon Sep 17 00:00:00 2001
+From: Nancy Durgin <nancy.durgin@artifex.com>
+Date: Wed, 22 Jul 2020 12:24:05 -0700
+Subject: [PATCH] Fix memory leak in pdfwrite device
+
+This appears to only be a memory leak for non-garbage-collected interpreters
+such as pdfi.
+
+sclose() calls s_disable() which sets s->cbuf to 0.
+But it also calls client callbacks that might do things with cbuf first, so
+it will crash if we free it before calling sclose().
+Side-effects galore! :(
+
+Anyway, we save the pointer before doing the sclose() so we can
+properly free it afterwards.
+---
+ devices/vector/gdevpdfu.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/devices/vector/gdevpdfu.c b/devices/vector/gdevpdfu.c
+index 2b2af1d32..f58999444 100644
+--- a/devices/vector/gdevpdfu.c
++++ b/devices/vector/gdevpdfu.c
+@@ -1186,6 +1186,7 @@ stream_to_none(gx_device_pdf * pdev)
+         }
+         if (pdev->compression_at_page_start == pdf_compress_Flate) {	/* Terminate the filters. */
+             stream *fs = s->strm;
++            byte *buf;
+ 
+             if (!pdev->binary_ok) {
+                 sclose(s);	/* Terminate the ASCII85 filter. */
+@@ -1194,8 +1195,9 @@ stream_to_none(gx_device_pdf * pdev)
+                 pdev->strm = s = fs;
+                 fs = s->strm;
+             }
++            buf = s->cbuf; /* Save because sclose may zero it out (causing memory leak) */
+             sclose(s);		/* Next terminate the compression filter */
+-            gs_free_object(pdev->pdf_memory, s->cbuf, "zlib buffer");
++            gs_free_object(pdev->pdf_memory, buf, "zlib buffer");
+             gs_free_object(pdev->pdf_memory, s, "zlib stream");
+             pdev->strm = fs;
+         }
+-- 
+2.33.0
+
diff --git a/backport-Fix-memory-leak-on-error-in-bitmap_paint-and-its-cal.patch b/backport-Fix-memory-leak-on-error-in-bitmap_paint-and-its-cal.patch
new file mode 100644
index 0000000..65e2cd0
--- /dev/null
+++ b/backport-Fix-memory-leak-on-error-in-bitmap_paint-and-its-cal.patch
@@ -0,0 +1,67 @@
+From 776cf430dd1a96a7da33c0d33af9a6dd42bffec0 Mon Sep 17 00:00:00 2001
+From: Julian Smith <jules@op59.net>
+Date: Mon, 25 May 2020 11:59:52 +0100
+Subject: [PATCH] Fix memory leak on error in bitmap_paint() and its callers.
+
+Previously, bitmap_paint() would free its 'gs_image_enum * pen' arg, but caller
+image_PaintProc() could also attempt to free this in one error path.
+
+So have changed bitmap_paint() to only free what it allocates - call
+gs_image_cleanup() instead of gs_image_cleanup_and_free_enum(); and patched
+its two callers, mask_PaintProc() and image_PaintProc(), to add calls to
+gs_free_object(pen).
+
+Fixes leak in:
+    MEMENTO_FAILAT=15601 ./ghostpdl/membin/gpcl6 -sDEVICE=pbmraw -o /dev/null tests_private/pcl/pcl5cfts/fts.0954
+---
+ base/gsptype1.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/base/gsptype1.c b/base/gsptype1.c
+index 57c856596..e7f41eac2 100644
+--- a/base/gsptype1.c
++++ b/base/gsptype1.c
+@@ -808,10 +808,10 @@ static int bitmap_paint(gs_image_enum * pen, gs_data_image_t * pim,
+ static int
+ mask_PaintProc(const gs_client_color * pcolor, gs_gstate * pgs)
+ {
++    int code;
+     const pixmap_info *ppmap = gs_getpattern(pcolor)->client_data;
+     const gs_depth_bitmap *pbitmap = &(ppmap->bitmap);
+-    gs_image_enum *pen =
+-    gs_image_enum_alloc(gs_gstate_memory(pgs), "mask_PaintProc");
++    gs_image_enum *pen = gs_image_enum_alloc(gs_gstate_memory(pgs), "mask_PaintProc");
+     gs_image1_t mask;
+ 
+     if (pen == 0)
+@@ -820,7 +820,9 @@ mask_PaintProc(const gs_client_color * pcolor, gs_gstate * pgs)
+     mask.Width = pbitmap->size.x;
+     mask.Height = pbitmap->size.y;
+     gs_image_init(pen, &mask, false, false, pgs);
+-    return bitmap_paint(pen, (gs_data_image_t *) & mask, pbitmap, pgs);
++    code = bitmap_paint(pen, (gs_data_image_t *) & mask, pbitmap, pgs);
++    gs_free_object(gs_gstate_memory(pgs), pen, "mask_PaintProc");
++    return code;
+ }
+ static int
+ image_PaintProc(const gs_client_color * pcolor, gs_gstate * pgs)
+@@ -896,6 +898,7 @@ image_PaintProc(const gs_client_color * pcolor, gs_gstate * pgs)
+                                      (gs_data_image_t *)&image,
+                                      pgs )) >= 0 &&
+         (code = bitmap_paint(pen, (gs_data_image_t *) & image, pbitmap, pgs)) >= 0) {
++        gs_free_object(gs_gstate_memory(pgs), pen, "image_PaintProc");
+         return gs_grestore(pgs);
+     }
+     /* Failed above, need to undo the gsave */
+@@ -922,7 +925,7 @@ bitmap_paint(gs_image_enum * pen, gs_data_image_t * pim,
+     else
+         for (n = pim->Height; n > 0 && code >= 0; dp += raster, --n)
+             code = gs_image_next(pen, dp, nbytes, &used);
+-    code1 = gs_image_cleanup_and_free_enum(pen, pgs);
++    code1 = gs_image_cleanup(pen, pgs);
+     if (code >= 0 && code1 < 0)
+         code = code1;
+     return code;
+-- 
+2.33.0
+
diff --git a/backport-Fix-memory-leaks-in-tiffsep.patch b/backport-Fix-memory-leaks-in-tiffsep.patch
new file mode 100644
index 0000000..51ae76e
--- /dev/null
+++ b/backport-Fix-memory-leaks-in-tiffsep.patch
@@ -0,0 +1,139 @@
+From ba2fdf5517af3bcd8a613fda84c532307d1e7024 Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Fri, 29 May 2020 17:22:40 +0100
+Subject: [PATCH] Fix memory leaks in tiffsep.
+
+Calling TIFFCleanup doesn't close the underlying tiffio. Call
+TIFFClose instead.
+
+Now the tiff io close handler is actually called, be careful
+not to close the underlying file twice.
+
+Finally, actually remember to close the comp file.
+---
+ base/gstiffio.c    | 20 +++++++++++---------
+ devices/gdevtifs.c |  2 +-
+ devices/gdevtsep.c |  8 +++-----
+ 3 files changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/base/gstiffio.c b/base/gstiffio.c
+index ff67dc5e5..2ea8c54bd 100644
+--- a/base/gstiffio.c
++++ b/base/gstiffio.c
+@@ -105,11 +105,13 @@ gs_tifsCloseProc(thandle_t fd)
+ {
+     tifs_io_private *tiffio = (tifs_io_private *)fd;
+     gx_device_printer *pdev = tiffio->pdev;
+-    int code = gp_fclose(tiffio->f);
+-    
++
++    /* We don't close tiffio->f as this will be closed later by the
++     * device. */
++
+     gs_free(pdev->memory, tiffio, sizeof(tifs_io_private), 1, "gs_tifsCloseProc");
+ 
+-    return code;
++    return 0;
+ }
+ 
+ static uint64_t
+@@ -122,12 +124,12 @@ gs_tifsSizeProc(thandle_t fd)
+     if (curpos < 0) {
+         return(0);
+     }
+-    
++
+     if (gp_fseek(tiffio->f, (gs_offset_t)0, SEEK_END) < 0) {
+         return(0);
+     }
+     length = (uint64_t)gp_ftell(tiffio->f);
+-    
++
+     if (gp_fseek(tiffio->f, curpos, SEEK_SET) < 0) {
+         return(0);
+     }
+@@ -152,7 +154,7 @@ tiff_from_filep(gx_device_printer *dev,  const char *name, gp_file *filep, int b
+         mode[modelen++] = '8';
+ 
+     mode[modelen] = (char)0;
+-    
++
+     tiffio = (tifs_io_private *)gs_malloc(dev->memory, sizeof(tifs_io_private), 1, "tiff_from_filep");
+     if (!tiffio) {
+         return NULL;
+@@ -173,7 +175,7 @@ static void
+ gs_tifsWarningHandlerEx(thandle_t client_data, const char* module, const char* fmt, va_list ap)
+ {
+     tifs_io_private *tiffio = (tifs_io_private *)client_data;
+-    gx_device_printer *pdev = tiffio->pdev;    
++    gx_device_printer *pdev = tiffio->pdev;
+     int count;
+     char buf[TIFF_PRINT_BUF_LENGTH];
+ 
+@@ -190,7 +192,7 @@ static void
+ gs_tifsErrorHandlerEx(thandle_t client_data, const char* module, const char* fmt, va_list ap)
+ {
+     tifs_io_private *tiffio = (tifs_io_private *)client_data;
+-    gx_device_printer *pdev = tiffio->pdev;    
++    gx_device_printer *pdev = tiffio->pdev;
+     const char *max_size_error = "Maximum TIFF file size exceeded";
+     int count;
+     char buf[TIFF_PRINT_BUF_LENGTH];
+@@ -242,7 +244,7 @@ TIFFOpen(const char* name, const char* mode)
+ {
+     (void)name;
+     (void)mode;
+-    
++
+     return(NULL);
+ }
+ 
+diff --git a/devices/gdevtifs.c b/devices/gdevtifs.c
+index de30a934b..6b5ff41a4 100644
+--- a/devices/gdevtifs.c
++++ b/devices/gdevtifs.c
+@@ -74,7 +74,7 @@ tiff_close(gx_device * pdev)
+     gx_device_tiff *const tfdev = (gx_device_tiff *)pdev;
+ 
+     if (tfdev->tif)
+-        TIFFCleanup(tfdev->tif);
++        TIFFClose(tfdev->tif);
+ 
+     if (tfdev->icclink != NULL)
+     {
+diff --git a/devices/gdevtsep.c b/devices/gdevtsep.c
+index 5142d0d0c..2b14c4e90 100644
+--- a/devices/gdevtsep.c
++++ b/devices/gdevtsep.c
+@@ -1813,7 +1813,7 @@ tiffsep_close_sep_file(tiffsep_device *tfdev, const char *fn, int comp_num)
+     int code;
+ 
+     if (tfdev->tiff[comp_num]) {
+-        TIFFCleanup(tfdev->tiff[comp_num]);
++        TIFFClose(tfdev->tiff[comp_num]);
+         tfdev->tiff[comp_num] = NULL;
+     }
+ 
+@@ -1832,7 +1832,7 @@ tiffsep_close_comp_file(tiffsep_device *tfdev, const char *fn)
+     int code;
+ 
+     if (tfdev->tiff_comp) {
+-        TIFFCleanup(tfdev->tiff_comp);
++        TIFFClose(tfdev->tiff_comp);
+         tfdev->tiff_comp = NULL;
+     }
+ 
+@@ -2577,9 +2577,7 @@ cleanup:
+             }
+         }
+         TIFFWriteDirectory(tfdev->tiff_comp);
+-        if (fmt) {
+-            code = tiffsep_close_comp_file(tfdev, pdev->fname);
+-        }
++        code = tiffsep_close_comp_file(tfdev, pdev->fname);
+         if (code1 < 0) {
+             code = code1;
+         }
+-- 
+2.33.0
+
diff --git a/ghostscript.spec b/ghostscript.spec
index d56c4bd..b1bf3ef 100644
--- a/ghostscript.spec
+++ b/ghostscript.spec
@@ -9,7 +9,7 @@
 
 Name:             ghostscript
 Version:          9.52
-Release:          22
+Release:          23
 Summary:          An interpreter for PostScript and PDF files
 License:          AGPLv3+
 URL:              https://ghostscript.com/
@@ -68,6 +68,9 @@ Patch49:  backport-CVE-2025-27830.patch
 Patch50:  backport-CVE-2025-27832.patch
 Patch51:  backport-CVE-2025-27835.patch
 Patch52:  backport-CVE-2025-27836.patch
+Patch53:  backport-Fix-memory-leak-in-pdfwrite-device.patch
+Patch54:  backport-Fix-memory-leak-on-error-in-bitmap_paint-and-its-cal.patch
+Patch55:  backport-Fix-memory-leaks-in-tiffsep.patch
 
 BuildRequires:    automake gcc
 BuildRequires:    adobe-mappings-cmap-devel adobe-mappings-pdf-devel
@@ -228,6 +231,15 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/
 %{_bindir}/dvipdf
 
 %changelog
+* Thu Apr 17 2025 hugel <gengqihu2@h-partners.com> - 9.52-23
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:Sync some patches from community
+       backport-Fix-memory-leak-in-pdfwrite-device.patch
+       backport-Fix-memory-leak-on-error-in-bitmap_paint-and-its-cal.patch
+       backport-Fix-memory-leaks-in-tiffsep.patch
+
 * Tue Apr 01 2025 Funda Wang <fundawang@yeah.net> - 9.52-22
 - Type:CVE
 - ID:NA
-- 
Gitee