$NetBSD: patch-ak,v 1.1.1.1 2005/03/31 22:09:18 hubertf Exp $

--- libs/xpdf/xpdf/XRef.cc.orig	2005-01-19 12:09:57.000000000 +0000
+++ libs/xpdf/xpdf/XRef.cc
@@ -28,6 +28,7 @@
 #include "Error.h"
 #include "ErrorCodes.h"
 #include "XRef.h"
+#include <limits.h>
 
 //------------------------------------------------------------------------
 
@@ -388,6 +389,10 @@ GBool XRef::readXRefTable(Parser *parser
       if (newSize < 0) {
 	goto err1;
       }
+      if (newSize >= INT_MAX/sizeof(XRefEntry)) {
+        error(-1, "Invalid 'newSize'");
+	goto err1;
+      }
       entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
       for (i = size; i < newSize; ++i) {
 	entries[i].offset = 0xffffffff;
@@ -493,6 +498,10 @@ GBool XRef::readXRefStream(Stream *xrefS
     goto err1;
   }
   if (newSize > size) {
+    if (newSize >= INT_MAX/sizeof(XRefEntry)) {
+      error(-1, "Invalid 'newSize'");
+      goto err1;
+    }
     entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
     for (i = size; i < newSize; ++i) {
       entries[i].offset = 0xffffffff;
@@ -583,6 +592,10 @@ GBool XRef::readXRefStreamSection(Stream
     if (newSize < 0) {
       return gFalse;
     }
+    if (newSize >= INT_MAX / sizeof(XRefEntry)) {
+      error(-1, "Invalid 'obj' parameters.");
+      return gFalse;
+    }
     entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
     for (i = size; i < newSize; ++i) {
       entries[i].offset = 0xffffffff;
@@ -718,6 +731,10 @@ GBool XRef::constructXRef() {
 		    error(-1, "Bad object number");
 		    return gFalse;
 		  }
+	          if (newSize >= INT_MAX / sizeof(XRefEntry)) {
+	            error(-1, "Invalid 'newSize' parameters.");
+	            return gFalse;
+	          }
 		  entries = (XRefEntry *)
 		      grealloc(entries, newSize * sizeof(XRefEntry));
 		  for (i = size; i < newSize; ++i) {
@@ -741,6 +758,10 @@ GBool XRef::constructXRef() {
     } else if (!strncmp(p, "endstream", 9)) {
       if (streamEndsLen == streamEndsSize) {
 	streamEndsSize += 64;
+  	if (streamEndsSize >= INT_MAX/sizeof(int)) {
+  	  error(-1, "Invalid 'streamEndSize' parameter.");
+  	  return gFalse;
+  	}
 	streamEnds = (Guint *)grealloc(streamEnds,
 				       streamEndsSize * sizeof(int));
       }
