$NetBSD: patch-ag,v 1.1 2006/01/24 21:51:36 tron Exp $

--- libs/xpdf/xpdf/JPXStream.cc.orig	2004-01-22 01:26:45.000000000 +0000
+++ libs/xpdf/xpdf/JPXStream.cc	2006-01-24 18:32:17.000000000 +0000
@@ -7,6 +7,7 @@
 //========================================================================
 
 #include <aconf.h>
+#include <limits.h>
 
 #ifdef USE_GCC_PRAGMAS
 #pragma implementation
@@ -666,7 +667,7 @@
   int segType;
   GBool haveSIZ, haveCOD, haveQCD, haveSOT;
   Guint precinctSize, style;
-  Guint segLen, capabilities, comp, i, j, r;
+  Guint segLen, capabilities, nTiles, comp, i, j, r;
 
   //----- main header
   haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
@@ -701,8 +702,14 @@
 	            / img.xTileSize;
       img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
 	            / img.yTileSize;
-      img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
-				     sizeof(JPXTile));
+      // check for overflow before allocating memory
+      if (img.nXTiles <= 0 || img.nYTiles <= 0 || 
+              img.nXTiles >= INT_MAX/img.nYTiles) {
+          error(getPos(), "Bad tile count in JPX SIZ marker segment");
+          return gFalse;
+      }
+      nTiles = img.nXTiles * img.nYTiles;
+      img.tiles = (JPXTile *)gmalloc(nTiles * sizeof(JPXTile));
       for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
 	img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
 							sizeof(JPXTileComp));