--- tetex-bin-2.0.2-CVS/libs/xpdf/xpdf/Catalog.cc.orig Mon Nov 22 12:05:47 2004
+++ tetex-bin-2.0.2-CVS/libs/xpdf/xpdf/Catalog.cc Mon Nov 22 12:04:28 2004
@@ -22,6 +22,7 @@
 #include "Error.h"
 #include "Link.h"
 #include "Catalog.h"
+#include
 //------------------------------------------------------------------------
 // Catalog
@@ -63,6 +64,12 @@
 }
 pagesSize = numPages0 = obj.getInt();
 obj.free();
+ if (pagesSize >= INT_MAX/sizeof(Page *) ||
+ pagesSize >= INT_MAX/sizeof(Ref)) {
+ error(-1, "Invalid 'pagesSize'");
+ ok = gFalse;
+ return;
+ }
 pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
 pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
 for (i = 0; i < pagesSize; ++i) {
@@ -190,6 +197,11 @@
 }
 if (start >= pagesSize) {
 pagesSize += 32;
+ if (pagesSize >= INT_MAX/sizeof(Page *) ||
+ pagesSize >= INT_MAX/sizeof(Ref)) {
+ error(-1, "Invalid 'pagesSize' parameter.");
+ goto err3;
+ }
 pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
 pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
 for (j = pagesSize - 32; j < pagesSize; ++j) {
--- tetex-bin-2.0.2-CVS/libs/xpdf/xpdf/XRef.cc.orig Mon Nov 22 12:03:53 2004
+++ tetex-bin-2.0.2-CVS/libs/xpdf/xpdf/XRef.cc Mon Nov 22 12:01:24 2004
@@ -28,6 +28,7 @@
 #include "Error.h"
 #include "ErrorCodes.h"
 #include "XRef.h"
+#include
 //------------------------------------------------------------------------
@@ -66,6 +67,8 @@
 start = str->getStart();
 pos = readTrailer();
+ entries = NULL;
+
 // if there was a problem with the trailer,
 // try to reconstruct the xref table
 if (pos == 0) {
@@ -76,6 +79,12 @@
 // trailer is ok - read the xref table
 } else {
+ if (size < 0 || size >= INT_MAX/sizeof(XRefEntry)) {
+ error(-1, "Invalid 'size' inside xref table.");
+ ok = gFalse;
+ errCode = errDamaged;
+ return;
+ }
 entries = (XRefEntry *)gmalloc(size * sizeof(XRefEntry));
 for (i = 0; i < size; ++i) {
 entries[i].offset = 0xffffffff;
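Review bot: The guard added in the Catalog.cc hunk at `@@ -63,6 +64,12 @@` never tests `pagesSize < 0` explicitly; a negative page count is rejected only because comparing against the `size_t` quotient `INT_MAX/sizeof(Page *)` converts `pagesSize` to unsigned (assuming it is an `int`, as the assignment from `obj.getInt()` suggests). The XRef.cc guards in this same patch spell out `size < 0 ||`, so I would write `if (pagesSize < 0 || pagesSize >= INT_MAX/sizeof(Page *) ||` here and in the `@@ -190,6 +197,11 @@` hunk, so the intent survives a later change of type. The bare `return` also bypasses whatever cleanup the rest of the function performs, which lies outside the hunk; it is worth confirming nothing acquired earlier is leaked on this path.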
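Review bot: In the Catalog.cc hunk at `@@ -190,6 +197,11 @@`, `pagesSize += 32` runs before the bound is checked, so on the `goto err3` path `pagesSize` has already grown while `pages` and `pageRefs` keep their old length. Any code outside this hunk that later walks those arrays up to `pagesSize` (cleanup, for instance) would then read past the allocation. I would compute the candidate size into a local, validate that, and assign `pagesSize` only after both `grealloc` calls have returned. The `streamEndsSize += 64` hunk in XRef.cc (`@@ -431,6 +460,11 @@`) has the same ordering and the same consequence for `streamEndsSize` on its `return gFalse` path. The enclosing function begins and ends outside the hunk.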
@@ -175,7 +184,7 @@
 n = atoi(p);
 while ('0' <= *p && *p <= '9') ++p;
 while (isspace(*p)) ++p;
- if (p == buf)
+ if ((p == buf) || (n < 0)) /* must make progress */
 return 0;
 pos1 += (p - buf) + n * 20;
 }
@@ -249,6 +258,10 @@
 }
 s[i] = '\0';
 first = atoi(s);
+ if (first < 0) {
+ error(-1, "Invalid 'first'");
+ goto err2;
+ }
 while ((c = str->lookChar()) != EOF && isspace(c)) {
 str->getChar();
 }
@@ -260,6 +273,10 @@
 }
 s[i] = '\0';
 n = atoi(s);
+ if (n<=0) {
+ error(-1, "Invalid 'n'");
+ goto err2;
+ }
 while ((c = str->lookChar()) != EOF && isspace(c)) {
 str->getChar();
 }
@@ -267,6 +284,10 @@
 // table size
 if (first + n > size) {
 newSize = size + 256;
+ if (newSize < 0 || newSize >= INT_MAX/sizeof(XRefEntry)) {
+ error(-1, "Invalid 'newSize'");
+ goto err2;
+ }
 entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
 for (i = size; i < newSize; ++i) {
 entries[i].offset = 0xffffffff;
@@ -391,6 +412,10 @@
 // look for object
 } else if (isdigit(*p)) {
 num = atoi(p);
+ if (num < 0) {
+ error(-1, "Invalid 'num' parameters.");
+ return gFalse;
+ }
 do {
 ++p;
 } while (*p && isdigit(*p));
@@ -410,6 +435,10 @@
 if (!strncmp(p, "obj", 3)) {
 if (num >= size) {
 newSize = (num + 1 + 255) & ~255;
+ if (newSize < 0 || newSize >= INT_MAX/sizeof(XRefEntry)) {
+ error(-1, "Invalid 'obj' parameters.");
+ return gFalse;
+ }
 entries = (XRefEntry *) grealloc(entries, newSize * sizeof(XRefEntry));
 for (i = size; i < newSize; ++i) {
@@ -431,6 +460,11 @@
 } else if (!strncmp(p, "endstream", 9)) {
 if (streamEndsLen == streamEndsSize) {
 streamEndsSize += 64;
+ if (streamEndsSize >= INT_MAX/sizeof(int)) {
+ error(-1, "Invalid 'endstream' parameter.");
+ return gFalse;
+ }
+
 streamEnds = (Guint *)grealloc(streamEnds, streamEndsSize * sizeof(int));
 }
--- tetex-bin-2.0.2-CVS/libs/xpdf/goo/gmem.c.orig Mon Nov 22 12:04:04 2004
+++ tetex-bin-2.0.2-CVS/libs/xpdf/goo/gmem.c Mon Nov 22 12:01:24 2004
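Review bot: The `(n < 0)` test added in the XRef.cc hunk at `@@ -175,7 +184,7 @@` rejects negative counts, but a large positive `n` still reaches `pos1 += (p - buf) + n * 20;`, where `n * 20` can overflow if `n` is an `int` (it is assigned from `atoi`; its declaration is outside the hunk). An upper bound belongs in the same condition, for example `if ((p == buf) || (n < 0) || (n > INT_MAX / 20))`. `atoi` also gives no indication when the digit string is out of range, so `strtol` with an `errno` check would be the sturdier parse for a value taken from the file.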
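Review bot: `first` and `n` are each checked for sign in the `@@ -249,6 +258,10 @@` and `@@ -260,6 +273,10 @@` hunks, but their sum is not: in the `@@ -267,6 +284,10 @@` hunk `first + n > size` can wrap negative for two large positive values and skip the resize entirely. When the resize does run, `newSize = size + 256` grows the table by a fixed step that may still be smaller than `first + n`. If the code after this hunk fills `entries[first]` through `entries[first + n - 1]` (not visible here), both cases write outside the allocation. I would extend the `n` test to `if (n <= 0 || n > INT_MAX - first) {` and size the table from the requested range, `newSize = first + n;`, before the existing `newSize` bound check.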
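Review bot: In the `@@ -410,6 +435,10 @@` hunk `newSize = (num + 1 + 255) & ~255` is evaluated before the new `newSize < 0` test, so for `num` close to `INT_MAX` the addition has already overflowed by the time the guard inspects the result, and signed overflow is undefined rather than a guaranteed wrap to negative. The `num < 0` check added in the `@@ -391,6 +412,10 @@` hunk is the natural place to cap the value first: `if (num < 0 || num > INT_MAX - 256) {`. With that in place the later `newSize < 0` half of the guard becomes a pure safety net. Both hunks sit inside a function whose start and end are outside the visible lines.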
@@ -53,9 +53,9 @@
 #endif /* DEBUG_MEM */
-void *gmalloc(int size) {
+void *gmalloc(size_t size) {
 #ifdef DEBUG_MEM
- int size1;
+ size_t size1;
 char *mem;
 GMemHdr *hdr;
 void *data;
@@ -94,11 +94,11 @@
 #endif
 }
-void *grealloc(void *p, int size) {
+void *grealloc(void *p, size_t size) {
 #ifdef DEBUG_MEM
 GMemHdr *hdr;
 void *q;
- int oldSize;
+ size_t oldSize;
 if (size == 0) {
 if (p)
@@ -137,7 +137,7 @@
 void gfree(void *p) {
 #ifdef DEBUG_MEM
- int size;
+ size_t size;
 GMemHdr *hdr;
 GMemHdr *prevHdr, *q;
 int lst;
--- tetex-bin-2.0.2-CVS/libs/xpdf/goo/gmem.h.orig Mon Nov 22 12:04:06 2004
+++ tetex-bin-2.0.2-CVS/libs/xpdf/goo/gmem.h Mon Nov 22 12:01:24 2004
@@ -19,13 +19,13 @@
 * Same as malloc, but prints error message and exits if malloc()
 * returns NULL.
 */
-extern void *gmalloc(int size);
+extern void *gmalloc(size_t size);
 /*
 * Same as realloc, but prints error message and exits if realloc()
 * returns NULL. If

is NULL, calls malloc instead of realloc().
 */
-extern void *grealloc(void *p, int size);
+extern void *grealloc(void *p, size_t size);
 /*
 * Same as free, but checks for and ignores NULL pointers.
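Review bot: The gmem.h prototypes change to `size_t`, but the comments above them still describe only the NULL-return behaviour and say nothing about how the byte count must be formed. Every caller in this patch open-codes its own `count >= INT_MAX/sizeof(T)` test with a different message and failure path, so the next call site can easily omit it. I would add a line to both comments such as `* The caller must ensure that size was computed without integer overflow.` and consider a counted allocation helper in gmem that takes the element count and element size and performs the check once. With `size_t` parameters, a negative `int` passed by a caller this patch did not touch now converts silently to a very large request, so the remaining call sites of `gmalloc` and `grealloc` deserve an audit.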