$NetBSD: patch-ai,v 1.1 2006/01/24 21:51:36 tron Exp $

--- libs/xpdf/xpdf/JBIG2Stream.cc.orig	2004-01-22 01:26:45.000000000 +0000
+++ libs/xpdf/xpdf/JBIG2Stream.cc	2006-01-24 18:51:43.000000000 +0000
@@ -7,6 +7,7 @@
 //========================================================================
 
 #include <aconf.h>
+#include <limits.h>
 
 #ifdef USE_GCC_PRAGMAS
 #pragma implementation
@@ -681,7 +682,13 @@
   w = wA;
   h = hA;
   line = (wA + 7) >> 3;
-  data = (Guchar *)gmalloc(h * line);
+
+  if (h < 0 || line <= 0 || h >= INT_MAX / line) {
+    data = NULL;
+  }
+  else {
+    data = (Guchar *)gmalloc(h * line);
+  }
 }
 
 JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap):
@@ -690,6 +697,12 @@
   w = bitmap->w;
   h = bitmap->h;
   line = bitmap->line;
+
+  if (h < 0 || line <= 0 || h >= INT_MAX / line) {
+    data = NULL;
+    return;
+  }
+
   data = (Guchar *)gmalloc(h * line);
   memcpy(data, bitmap->data, h * line);
 }
@@ -716,7 +729,7 @@
 }
 
 void JBIG2Bitmap::expand(int newH, Guint pixel) {
-  if (newH <= h) {
+  if (newH <= h || line <= 0 || newH >= INT_MAX / line) {
     return;
   }
   data = (Guchar *)grealloc(data, newH * line);
@@ -2256,6 +2269,15 @@
     error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
     return;
   }
+  if (gridH == 0 || gridW >= INT_MAX / gridH) {
+    error(getPos(), "Bad size in JBIG2 halftone segment");
+    return;
+  }
+  if (w == 0 || h >= INT_MAX / w) {
+     error(getPos(), "Bad size in JBIG2 bitmap segment");
+    return;
+  }
+
   patternDict = (JBIG2PatternDict *)seg;
   bpp = 0;
   i = 1;
@@ -2887,6 +2909,9 @@
   JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2;
   int x, y, pix;
 
+  if (w < 0 || h <= 0 || w >= INT_MAX / h)
+    return NULL;
+
   bitmap = new JBIG2Bitmap(0, w, h);
   bitmap->clearToZero();