 libs/xpdf/xpdf/Catalog.cc |   11 +++++++++++
 libs/xpdf/xpdf/XRef.cc    |    8 ++++++++
 2 files changed, 19 insertions(+)

Index: tetex-bin-3.0/libs/xpdf/xpdf/Catalog.cc
===================================================================
--- tetex-bin-3.0.orig/libs/xpdf/xpdf/Catalog.cc	2005-10-06 15:03:59.011332464 +0200
+++ tetex-bin-3.0/libs/xpdf/xpdf/Catalog.cc	2005-10-06 15:04:41.153814298 +0200
@@ -64,6 +64,12 @@
   }
   pagesSize = numPages0 = (int)obj.getNum();
   obj.free();
+  if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
+      pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {
+    error(-1, "Invalid 'pagesSize'");
+    ok = gFalse;
+    return;
+  }
   pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
   pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
   for (i = 0; i < pagesSize; ++i) {
@@ -191,6 +197,11 @@
       }
       if (start >= pagesSize) {
 	pagesSize += 32;
+        if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
+	    pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {
+          error(-1, "Invalid 'pagesSize' parameter.");
+          goto err3;
+        }
 	pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
 	pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
 	for (j = pagesSize - 32; j < pagesSize; ++j) {
Index: tetex-bin-3.0/libs/xpdf/xpdf/XRef.cc
===================================================================
--- tetex-bin-3.0.orig/libs/xpdf/xpdf/XRef.cc	2005-10-06 15:03:59.011332464 +0200
+++ tetex-bin-3.0/libs/xpdf/xpdf/XRef.cc	2005-10-06 15:04:41.155814083 +0200
@@ -718,6 +718,10 @@
 		    error(-1, "Bad object number");
 		    return gFalse;
 		  }
+		  if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+		    error(-1, "Invalid 'obj' parameters.");
+		    return gFalse;
+		  }
 		  entries = (XRefEntry *)
 		      grealloc(entries, newSize * sizeof(XRefEntry));
 		  for (i = size; i < newSize; ++i) {
@@ -741,6 +745,10 @@
     } else if (!strncmp(p, "endstream", 9)) {
       if (streamEndsLen == streamEndsSize) {
 	streamEndsSize += 64;
+	if (streamEndsSize*(int)sizeof(int)/sizeof(int) != streamEndsSize) {
+	  error(-1, "Invalid 'endstream' parameter.");
+	  return gFalse;
+	}
 	streamEnds = (Guint *)grealloc(streamEnds,
 				       streamEndsSize * sizeof(int));
       }
