$NetBSD: patch-aj,v 1.1.1.1 2005/03/31 22:09:18 hubertf Exp $

--- libs/xpdf/xpdf/Catalog.cc.orig	2004-01-22 01:26:45.000000000 +0000
+++ libs/xpdf/xpdf/Catalog.cc
@@ -22,6 +22,7 @@
 #include "Error.h"
 #include "Link.h"
 #include "Catalog.h"
+#include <limits.h>
 
 //------------------------------------------------------------------------
 // Catalog
@@ -64,6 +65,12 @@ Catalog::Catalog(XRef *xrefA) {
   }
   pagesSize = numPages0 = (int)obj.getNum();
   obj.free();
+  if ((pagesSize >= INT_MAX / sizeof(Page *)) ||
+      (pagesSize >= INT_MAX / sizeof(Ref))) {
+    error(-1, "Invalid 'pagesSize'");
+    ok = gFalse;
+    return;
+  }
   pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
   pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
   for (i = 0; i < pagesSize; ++i) {
@@ -191,6 +198,11 @@ int Catalog::readPageTree(Dict *pagesDic
       }
       if (start >= pagesSize) {
 	pagesSize += 32;
+	if ((pagesSize >= INT_MAX/sizeof(Page *)) ||
+	    (pagesSize >= INT_MAX/sizeof(Ref))) {
+	  error(-1, "Invalid 'pagesSize' parameter.");
+	  goto err3;
+	}
 	pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
 	pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
 	for (j = pagesSize - 32; j < pagesSize; ++j) {