diff --git a/SOURCES/ghostscript-cope-with-negative-run-length.patch b/SOURCES/ghostscript-cope-with-negative-run-length.patch
new file mode 100644
index 0000000..209a7c2
--- /dev/null
+++ b/SOURCES/ghostscript-cope-with-negative-run-length.patch
@@ -0,0 +1,70 @@
+From ab4d21b69bf0717ac93072d24b076681bdb9b3a4 Mon Sep 17 00:00:00 2001
+From: Chris Liddell
+Date: Wed, 19 Jun 2013 16:25:17 +0100
+Subject: [PATCH] Bug 693934: CCITT Fax decode - cope with negative run length
+
+In various places in the fax decode code we coped with the run length being
+negative - in just a few we didn't.
+
+We'll now cope gracefully with negative run lengths in places.
+
+No cluster differences.
+---
+ base/scfd.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/base/scfd.c b/base/scfd.c
+index 970c925..5f7f798 100644
+--- a/base/scfd.c
++++ b/base/scfd.c
+@@ -611,6 +611,7 @@ v0: skip_bits(1);
+ rlen, "[w2]", d2l, out0);
+ /* rlen may be run2_pass, run_uncompressed, or */
+ /* 0..countof(cf2_run_vertical)-1. */
++rlen_lt_zero:
+ if (rlen < 0)
+ switch (rlen) {
+ case run2_pass:
+@@ -726,6 +727,9 @@ v0: skip_bits(1);
+ status = ERRC;
+ goto out;
+ }
++
++ if (rlen < 0) goto rlen_lt_zero;
++
+ skip_data(rlen, hww);
+ /* Handle the second half of a white-black horizontal code. */
+ hwb:get_run(cf_black_decode, cfd_black_initial_bits, cfd_black_min_bits,
+@@ -734,6 +738,9 @@ v0: skip_bits(1);
+ status = ERRC;
+ goto out;
+ }
++
++ if (rlen < 0) goto rlen_lt_zero;
++
+ invert_data(rlen, black_byte, goto hwb, ihwb);
+ goto top;
+ outww:ss->run_color = -2;
+@@ -747,6 +754,9 @@ v0: skip_bits(1);
+ status = ERRC;
+ goto out;
+ }
++
++ if (rlen < 0) goto rlen_lt_zero;
++
+ invert_data(rlen, black_byte, goto hbb, ihbb);
+ /* Handle the second half of a black-white horizontal code. */
+ hbw:get_run(cf_white_decode, cfd_white_initial_bits, cfd_white_min_bits,
+@@ -755,6 +765,9 @@ v0: skip_bits(1);
+ status = ERRC;
+ goto out;
+ }
++
++ if (rlen < 0) goto rlen_lt_zero;
++
+ skip_data(rlen, hbw);
+ goto top;
+ outbb:ss->run_color = 2;
+--
+2.9.4
+
diff --git a/SOURCES/ghostscript-raise-VMThreshold-limit.patch b/SOURCES/ghostscript-raise-VMThreshold-limit.patch
new file mode 100644
index 0000000..ad9bfd9
--- /dev/null
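Review bot: The four added `if (rlen < 0) goto rlen_lt_zero;` checks in base/scfd.c send negative results from the 1-D white/black `get_run` lookups into a switch whose own comment says it expects `run2_pass`, `run_uncompressed`, or a vertical-mode index, and the hunk does not show what that switch does with any other negative value. Because this decoder parses untrusted fax data, it is worth confirming that the switch ends in a `default:` that sets `status = ERRC` and leaves via `out`; if it does not, I would fail at the four call sites instead with `if (rlen < 0) { status = ERRC; goto out; }`. The comment above the new label should also be extended, for example `/* Also reached from the horizontal-mode paths when get_run yields a negative rlen. */`. The switch body continues outside the hunk, so the existing cases could not be checked here.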
+++ b/SOURCES/ghostscript-raise-VMThreshold-limit.patch
@@ -0,0 +1,31 @@
+From 50db943c234cd650e6930b99f3b2cbf675447aa2 Mon Sep 17 00:00:00 2001
+From: Chris Liddell
+Date: Wed, 17 Apr 2013 09:24:22 +0100
+Subject: [PATCH] Raise the default VMThreshold from 1Mb to 8Mb
+
+This seems like a fair change based on modern hardware and, in particular
+modern PDF files. In some cases this results in a significant speed
+improvement. It may increase overall memory usage, but testing suggests only
+by an insignificant amount in the vast majority of cases.
+
+No cluster differences.
+---
+ psi/zvmem2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/psi/zvmem2.c b/psi/zvmem2.c
+index 53fe44b..13d9b6b 100644
+--- a/psi/zvmem2.c
++++ b/psi/zvmem2.c
+@@ -25,7 +25,7 @@
+
+ /* Garbage collector control parameters. */
+ #define DEFAULT_VM_THRESHOLD_SMALL 100000
+-#define DEFAULT_VM_THRESHOLD_LARGE 1000000
++#define DEFAULT_VM_THRESHOLD_LARGE 8000000
+ #define MIN_VM_THRESHOLD 1
+ #define MAX_VM_THRESHOLD max_long
+
+--
+2.9.4
+
diff --git a/SPECS/ghostscript.spec b/SPECS/ghostscript.spec
index a6338ac..cf7bb87 100644
--- a/SPECS/ghostscript.spec
+++ b/SPECS/ghostscript.spec
@@ -5,7 +5,7 @@ Summary: A PostScript interpreter and renderer Name: ghostscript Version: %{gs_ver} -Release: 28%{?dist} +Release: 28%{?dist}.2 # Included CMap data is Redistributable, no modification permitted, # see http://bugzilla.redhat.com/487510
@@ -46,6 +46,8 @@ Patch22: ghostscript-cups-icc-profile.patch Patch28: ghostscript-handle-glyphdirectory-array.patch Patch29: ghostscript-fix-locksafe.patch Patch30: ghostscript-fix-infinite-for-loop.patch +Patch33: ghostscript-cope-with-negative-run-length.patch +Patch34: ghostscript-raise-VMThreshold-limit.patch # Security patches: # -----------------
@@ -240,6 +242,12 @@ rm -rf expat freetype icclib jasper jpeg lcms lcms2 libpng openjpeg zlib cups/li # Fix for corruption of operand stack (bug #1446063): %patch32 -p1 +# Cope with negative run length in CCITT Fax decode (bug #1473337): +%patch33 -p1 + +# Raise the default VMThreshold from 1Mb to 8Mb (bug #1479852): +%patch34 -p1 + # Remove pdfopt man pages which were mistakenly left in (bug #963882). rm man/{de/,}pdfopt.1
@@ -439,6 +447,12 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/libgs.so %changelog +* Tue Aug 22 2017 David Kaspar [Dee'Kej] - 9.07-28.el7_4.2 +- Raise the default VMThreshold from 1Mb to 8Mb (bug #1479852) + +* Tue Jul 25 2017 David Kaspar [Dee'Kej] - 9.07-28.el7_4.1 +- Fix rare Segmentation fault when converting PDF to PNG (bug #1473337) + * Thu May 11 2017 David Kaspar [Dee'Kej] - 9.07-28 - Security fix for CVE-2017-8291 updated to address SIGSEGV