--- /dev/null
+--- xpdf/Catalog.cc.orig
++++ xpdf/Catalog.cc
+@@ -13,6 +13,7 @@
+ #endif
+
+ #include <stddef.h>
++#include <limits.h>
+ #include "gmem.h"
+ #include "Object.h"
+ #include "XRef.h"
+@@ -64,10 +65,8 @@
+ }
+ pagesSize = numPages0 = (int)obj.getNum();
+ obj.free();
+- // The gcc doesnt optimize this away, so this check is ok,
+- // even if it looks like a pagesSize != pagesSize check
+- if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
+- pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {
++ if (pagesSize >= INT_MAX/sizeof(Page *) ||
++ pagesSize >= INT_MAX/sizeof(Ref)) {
+ error(-1, "Invalid 'pagesSize'");
+ ok = gFalse;
+ return;
+@@ -200,8 +199,8 @@
+ }
+ if (start >= pagesSize) {
+ pagesSize += 32;
+- if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
+- pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {
++ if (pagesSize >= INT_MAX/sizeof(Page *) ||
++ pagesSize >= INT_MAX/sizeof(Ref)) {
+ error(-1, "Invalid 'pagesSize' parameter.");
+ goto err3;
+ }
+--- xpdf/XRef.cc.orig
++++ xpdf/XRef.cc
+@@ -16,6 +16,7 @@
+ #include <stddef.h>
+ #include <string.h>
+ #include <ctype.h>
++#include <limits.h>
+ #include "gmem.h"
+ #include "Object.h"
+ #include "Stream.h"
+@@ -110,7 +111,7 @@
+ goto err1;
+ }
+
+- if (nObjects*(int)sizeof(int)/sizeof(int) != nObjects) {
++ if (nObjects >= INT_MAX/sizeof(int)) {
+ error(-1, "Invalid 'nObjects'");
+ goto err1;
+ }
+@@ -138,8 +139,7 @@
+ offsets[i] = obj2.getInt();
+ obj1.free();
+ obj2.free();
+- if (objNums[i] < 0 || offsets[i] < 0 ||
+- (i > 0 && offsets[i] < offsets[i-1])) {
++ if (objNums[i]<0 || offsets[i]<0 || (i>0 && offsets[i]<offsets[i-1])) {
+ delete parser;
+ gfree(offsets);
+ goto err1;
+@@ -393,7 +393,7 @@
+ if (newSize < 0) {
+ goto err1;
+ }
+- if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
++ if (newSize >= INT_MAX/sizeof(XRefEntry)) {
+ error(-1, "Invalid 'obj' parameters'");
+ goto err1;
+ }
+@@ -503,7 +503,7 @@
+ goto err1;
+ }
+ if (newSize > size) {
+- if (newSize * (int)sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
++ if (newSize >= INT_MAX/sizeof(XRefEntry)) {
+ error(-1, "Invalid 'size' parameter.");
+ return gFalse;
+ }
+@@ -597,7 +597,7 @@
+ if (newSize < 0) {
+ return gFalse;
+ }
+- if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
++ if (newSize >= INT_MAX/sizeof(XRefEntry)) {
+ error(-1, "Invalid 'size' inside xref table.");
+ return gFalse;
+ }
+@@ -736,7 +736,7 @@
+ error(-1, "Bad object number");
+ return gFalse;
+ }
+- if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
++ if (newSize >= INT_MAX/sizeof(XRefEntry)) {
+ error(-1, "Invalid 'obj' parameters.");
+ return gFalse;
+ }
+@@ -763,7 +763,7 @@
+ } else if (!strncmp(p, "endstream", 9)) {
+ if (streamEndsLen == streamEndsSize) {
+ streamEndsSize += 64;
+- if (streamEndsSize*(int)sizeof(int)/sizeof(int) != streamEndsSize) {
++ if (streamEndsSize >= INT_MAX/sizeof(int)) {
+ error(-1, "Invalid 'endstream' parameter.");
+ return gFalse;
+ }
--- /dev/null
+--- xpdf/gpdf-control.cc.orig
++++ xpdf/gpdf-control.cc
+@@ -209,12 +209,12 @@
+ const gchar * status)
+ {
+ GPdfControlPrivate *priv;
+- guint to_id;
++ gulong to_id;
+
+ g_return_if_fail (GPDF_IS_NON_NULL_CONTROL (control));
+ priv = control->priv;
+
+- if ((to_id = (unsigned int)
++ if ((to_id = (gulong)
+ g_object_get_data (G_OBJECT (control),
+ "status-timeout-id")) != 0) {
+ g_object_set_data (G_OBJECT (control),
--- /dev/null
+diff -u -p -Nr --exclude CVS xpdf/JBIG2Stream.cc xpdf/JBIG2Stream.cc
+--- xpdf/JBIG2Stream.cc 2004-05-17 20:11:43.000000000 +0200
++++ xpdf/JBIG2Stream.cc 2005-12-15 13:38:04.000000000 +0100
+@@ -7,6 +7,7 @@
+ //========================================================================
+
+ #include <aconf.h>
++#include <limits.h>
+
+ #ifdef USE_GCC_PRAGMAS
+ #pragma implementation
+@@ -681,7 +682,14 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA,
+ w = wA;
+ h = hA;
+ line = (wA + 7) >> 3;
+- data = (Guchar *)gmalloc(h * line);
++
++ if (h < 0 || line <= 0 || h >= (INT_MAX-1) / line)
++ data = NULL;
++ else {
++ // need to allocate one extra guard byte for use in combine()
++ data = (Guchar *)gmalloc(h * line + 1);
++ data[h * line] = 0;
++ }
+ }
+
+ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap):
+@@ -690,8 +698,16 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA,
+ w = bitmap->w;
+ h = bitmap->h;
+ line = bitmap->line;
+- data = (Guchar *)gmalloc(h * line);
++
++ if (h < 0 || line <= 0 || h >= (INT_MAX-1) / line) {
++ data = NULL;
++ return;
++ }
++
++ data = (Guchar *)gmalloc(h * line + 1);
++
+ memcpy(data, bitmap->data, h * line);
++ data[h * line] = 0;
+ }
+
+ JBIG2Bitmap::~JBIG2Bitmap() {
+@@ -716,10 +732,10 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint
+ }
+
+ void JBIG2Bitmap::expand(int newH, Guint pixel) {
+- if (newH <= h) {
++ if (newH <= h || line <= 0 || newH >= (INT_MAX-1) / line) {
+ return;
+ }
+- data = (Guchar *)grealloc(data, newH * line);
++ data = (Guchar *)grealloc(data, newH * line + 1);
+ if (pixel) {
+ memset(data + h * line, 0xff, (newH - h) * line);
+ } else {
+@@ -2256,6 +2272,16 @@ void JBIG2Stream::readHalftoneRegionSeg(
+ error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
+ return;
+ }
++
++ if (gridH == 0 || gridW >= INT_MAX / gridH) {
++ error(getPos(), "Bad size in JBIG2 halftone segment");
++ return;
++ }
++ if (w == 0 || h >= INT_MAX / w) {
++ error(getPos(), "Bad size in JBIG2 bitmap segment");
++ return;
++ }
++
+ patternDict = (JBIG2PatternDict *)seg;
+ bpp = 0;
+ i = 1;
+@@ -2887,6 +2913,9 @@ JBIG2Bitmap *JBIG2Stream::readGenericRef
+ JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2;
+ int x, y, pix;
+
++ if (w < 0 || h <= 0 || w >= INT_MAX / h)
++ return NULL;
++
+ bitmap = new JBIG2Bitmap(0, w, h);
+ bitmap->clearToZero();
+
+diff -u -p -Nr --exclude CVS xpdf/JPXStream.cc xpdf/JPXStream.cc
+--- xpdf/JPXStream.cc 2004-05-17 20:11:49.000000000 +0200
++++ xpdf/JPXStream.cc 2005-12-15 13:23:59.000000000 +0100
+@@ -7,6 +7,7 @@
+ //========================================================================
+
+ #include <aconf.h>
++#include <limits.h>
+
+ #ifdef USE_GCC_PRAGMAS
+ #pragma implementation
+@@ -666,7 +667,7 @@ GBool JPXStream::readCodestream(Guint le
+ int segType;
+ GBool haveSIZ, haveCOD, haveQCD, haveSOT;
+ Guint precinctSize, style;
+- Guint segLen, capabilities, comp, i, j, r;
++ Guint segLen, capabilities, nTiles, comp, i, j, r;
+
+ //----- main header
+ haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
+@@ -701,7 +702,19 @@ GBool JPXStream::readCodestream(Guint le
+ / img.xTileSize;
+ img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
+ / img.yTileSize;
+- img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
++ // check for overflow before allocating memory
++ if (img.nXTiles <= 0 || img.nYTiles <= 0 ||
++ img.nXTiles >= INT_MAX/img.nYTiles) {
++ error(getPos(), "Bad tile count in JPX SIZ marker segment");
++ return gFalse;
++ }
++ nTiles = img.nXTiles * img.nYTiles;
++ // check for overflow before allocating memory
++ if (nTiles == 0 || nTiles >= INT_MAX/sizeof(JPXTile)) {
++ error(getPos(), "Bad tile count in JPX SIZ marker segment");
++ return gFalse;
++ }
++ img.tiles = (JPXTile *)gmalloc(nTiles *
+ sizeof(JPXTile));
+ for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
+ img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
+diff -u -p -Nr --exclude CVS xpdf/Stream.cc xpdf/Stream.cc
+--- xpdf/Stream.cc 2004-05-17 21:37:57.000000000 +0200
++++ xpdf/Stream.cc 2005-12-15 13:40:45.000000000 +0100
+@@ -15,6 +15,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <stddef.h>
++#include <limits.h>
+ #ifndef WIN32
+ #include <unistd.h>
+ #endif
+@@ -407,18 +408,41 @@ void ImageStream::skipLine() {
+
+ StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
+ int widthA, int nCompsA, int nBitsA) {
++ int totalBits;
++
+ str = strA;
+ predictor = predictorA;
+ width = widthA;
+ nComps = nCompsA;
+ nBits = nBitsA;
++ predLine = NULL;
++ ok = gFalse;
+
++ if (width <= 0 || nComps <= 0 || nBits <= 0 ||
++ nComps >= INT_MAX/nBits ||
++ width >= INT_MAX/nComps/nBits) {
++ return;
++ }
+ nVals = width * nComps;
++ if (nVals + 7 <= 0) {
++ return;
++ }
++ totalBits = nVals * nBits;
++ if (totalBits == 0 ||
++ (totalBits / nBits) / nComps != width ||
++ totalBits + 7 < 0) {
++ return;
++ }
+ pixBytes = (nComps * nBits + 7) >> 3;
+- rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
++ rowBytes = ((totalBits + 7) >> 3) + pixBytes;
++ if (rowBytes < 0) {
++ return;
++ }
+ predLine = (Guchar *)gmalloc(rowBytes);
+ memset(predLine, 0, rowBytes);
+ predIdx = rowBytes;
++
++ ok = gTrue;
+ }
+
+ StreamPredictor::~StreamPredictor() {
+@@ -1012,6 +1036,10 @@ LZWStream::LZWStream(Stream *strA, int p
+ FilterStream(strA) {
+ if (predictor != 1) {
+ pred = new StreamPredictor(this, predictor, columns, colors, bits);
++ if (!pred->isOk()) {
++ delete pred;
++ pred = NULL;
++ }
+ } else {
+ pred = NULL;
+ }
+@@ -1260,6 +1288,10 @@ CCITTFaxStream::CCITTFaxStream(Stream *s
+ endOfLine = endOfLineA;
+ byteAlign = byteAlignA;
+ columns = columnsA;
++ if (columns + 4 < 1 || (columns + 4) >= INT_MAX / sizeof(short)) {
++ error(getPos(), "Bad number of columns in CCITTFaxStream");
++ exit(1);
++ }
+ rows = rowsA;
+ endOfBlock = endOfBlockA;
+ black = blackA;
+@@ -2897,6 +2929,11 @@ GBool DCTStream::readBaselineSOF() {
+ height = read16();
+ width = read16();
+ numComps = str->getChar();
++ if (numComps <= 0 || numComps > 4) {
++ numComps = 0;
++ error(getPos(), "Bad number of components in DCT stream", prec);
++ return gFalse;
++ }
+ if (prec != 8) {
+ error(getPos(), "Bad DCT precision %d", prec);
+ return gFalse;
+@@ -2923,6 +2960,11 @@ GBool DCTStream::readProgressiveSOF() {
+ height = read16();
+ width = read16();
+ numComps = str->getChar();
++ if (numComps <= 0 || numComps > 4) {
++ numComps = 0;
++ error(getPos(), "Bad number of components in DCT stream");
++ return gFalse;
++ }
+ if (prec != 8) {
+ error(getPos(), "Bad DCT precision %d", prec);
+ return gFalse;
+@@ -2945,6 +2987,11 @@ GBool DCTStream::readScanInfo() {
+
+ length = read16() - 2;
+ scanInfo.numComps = str->getChar();
++ if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
++ scanInfo.numComps = 0;
++ error(getPos(), "Bad number of components in DCT stream");
++ return gFalse;
++ }
+ --length;
+ if (length != 2 * scanInfo.numComps + 3) {
+ error(getPos(), "Bad DCT scan info block");
+@@ -3019,12 +3066,12 @@ GBool DCTStream::readHuffmanTables() {
+ while (length > 0) {
+ index = str->getChar();
+ --length;
+- if ((index & 0x0f) >= 4) {
++ if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) {
+ error(getPos(), "Bad DCT Huffman table");
+ return gFalse;
+ }
+ if (index & 0x10) {
+- index &= 0x0f;
++ index &= 0x03;
+ if (index >= numACHuffTables)
+ numACHuffTables = index+1;
+ tbl = &acHuffTables[index];
+@@ -3255,6 +3302,10 @@ FlateStream::FlateStream(Stream *strA, i
+ FilterStream(strA) {
+ if (predictor != 1) {
+ pred = new StreamPredictor(this, predictor, columns, colors, bits);
++ if (!pred->isOk()) {
++ delete pred;
++ pred = NULL;
++ }
+ } else {
+ pred = NULL;
+ }
+diff -u -p -Nr --exclude CVS xpdf/Stream.h xpdf/Stream.h
+--- xpdf/Stream.h 2004-05-17 21:37:57.000000000 +0200
++++ xpdf/Stream.h 2005-12-15 13:23:59.000000000 +0100
+@@ -233,6 +233,8 @@ public:
+
+ ~StreamPredictor();
+
++ GBool isOk() { return ok; }
++
+ int lookChar();
+ int getChar();
+
+@@ -250,6 +252,7 @@ private:
+ int rowBytes; // bytes per line
+ Guchar *predLine; // line buffer
+ int predIdx; // current index in predLine
++ GBool ok;
+ };
+
+ //------------------------------------------------------------------------
--- /dev/null
+diff -u -p -Nr --exclude CVS splash/Splash.cc splash/Splash.cc
+--- splash/Splash.cc 2004-05-17 20:10:49.000000000 +0200
++++ splash/Splash.cc 2006-02-04 17:54:51.000000000 +0100
+@@ -734,6 +734,10 @@ void Splash::drawPixel(int x, int y, Spl
+ SplashMono1P *mono1;
+ SplashBGR8P *bgr8;
+
++ if ( (unsigned) x >= (unsigned) bitmap->getWidth() ||
++ (unsigned) y >= (unsigned) bitmap->getHeight())
++ return;
++
+ if (noClip || state->clip->test(x, y)) {
+ color = pattern->getColor(x, y);
+ switch (bitmap->mode) {
+@@ -771,6 +775,11 @@ void Splash::drawSpan(int x0, int x1, in
+ SplashMono1 mask1;
+ int i, j, n;
+
++ if ((unsigned) x0 >= (unsigned) bitmap->getWidth() ||
++ (unsigned) x1 >= (unsigned) bitmap->getWidth() ||
++ (unsigned) y >= (unsigned) bitmap->getHeight())
++ return;
++
+ n = x1 - x0 + 1;
+
+ switch (bitmap->mode) {
+@@ -858,6 +867,11 @@ void Splash::xorSpan(int x0, int x1, int
+
+ n = x1 - x0 + 1;
+
++ if ((unsigned) x0 >= (unsigned) bitmap->getWidth() ||
++ (unsigned) x1 >= (unsigned) bitmap->getWidth() ||
++ (unsigned) y >= (unsigned) bitmap->getHeight())
++ return;
++
+ switch (bitmap->mode) {
+ case splashModeMono1:
+ mono1 = &bitmap->data.mono8[y * bitmap->rowSize + (x0 >> 3)];
--- /dev/null
+diff -u -p -Nr --exclude CVS gpdf-2.8.2.orig/goo/gmem.c gpdf-2.8.2/goo/gmem.c
+--- goo/gmem.c 2003-04-01 21:47:07.000000000 +0200
++++ goo/gmem.c 2006-02-14 09:07:50.000000000 +0100
+@@ -11,6 +11,7 @@
+ #include <stdlib.h>
+ #include <stddef.h>
+ #include <string.h>
++#include <limits.h>
+ #include "gmem.h"
+
+ #ifdef DEBUG_MEM
+@@ -62,7 +63,7 @@ void *gmalloc(int size) {
+ int lst;
+ unsigned long *trl, *p;
+
+- if (size == 0)
++ if (size <= 0)
+ return NULL;
+ size1 = gMemDataSize(size);
+ if (!(mem = (char *)malloc(size1 + gMemHdrSize + gMemTrlSize))) {
+@@ -84,7 +85,7 @@ void *gmalloc(int size) {
+ #else
+ void *p;
+
+- if (size == 0)
++ if (size <= 0)
+ return NULL;
+ if (!(p = malloc(size))) {
+ fprintf(stderr, "Out of memory\n");
+@@ -100,7 +101,7 @@ void *grealloc(void *p, int size) {
+ void *q;
+ int oldSize;
+
+- if (size == 0) {
++ if (size <= 0) {
+ if (p)
+ gfree(p);
+ return NULL;
+@@ -118,7 +119,7 @@ void *grealloc(void *p, int size) {
+ #else
+ void *q;
+
+- if (size == 0) {
++ if (size <= 0) {
+ if (p)
+ free(p);
+ return NULL;
+diff -u -p -Nr --exclude CVS gpdf-2.8.2.orig/splash/SplashXPathScanner.cc gpdf-2.8.2/splash/SplashXPathScanner.cc
+--- splash/SplashXPathScanner.cc 2004-05-17 20:10:56.000000000 +0200
++++ splash/SplashXPathScanner.cc 2006-02-14 08:58:47.000000000 +0100
+@@ -182,7 +182,7 @@ GBool SplashXPathScanner::getNextSpan(in
+ }
+
+ void SplashXPathScanner::computeIntersections(int y) {
+- SplashCoord ySegMin, ySegMax, xx0, xx1;
++ SplashCoord xSegMin, xSegMax, ySegMin, ySegMax, xx0, xx1;
+ SplashXPathSeg *seg;
+ int i, j;
+
+@@ -232,19 +232,27 @@ void SplashXPathScanner::computeIntersec
+ } else if (seg->flags & splashXPathVert) {
+ xx0 = xx1 = seg->x0;
+ } else {
+- if (ySegMin <= y) {
+- // intersection with top edge
+- xx0 = seg->x0 + (y - seg->y0) * seg->dxdy;
++ if (seg->x0 < seg->x1) {
++ xSegMin = seg->x0;
++ xSegMax = seg->x1;
+ } else {
+- // x coord of segment endpoint with min y coord
+- xx0 = (seg->flags & splashXPathFlip) ? seg->x1 : seg->x0;
++ xSegMin = seg->x1;
++ xSegMax = seg->x0;
+ }
+- if (ySegMax >= y + 1) {
+- // intersection with bottom edge
+- xx1 = seg->x0 + (y + 1 - seg->y0) * seg->dxdy;
+- } else {
+- // x coord of segment endpoint with max y coord
+- xx1 = (seg->flags & splashXPathFlip) ? seg->x0 : seg->x1;
++ // intersection with top edge
++ xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy;
++ // intersection with bottom edge
++ xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy;
++ // the segment may not actually extend to the top and/or bottom edges
++ if (xx0 < xSegMin) {
++ xx0 = xSegMin;
++ } else if (xx0 > xSegMax) {
++ xx0 = xSegMax;
++ }
++ if (xx1 < xSegMin) {
++ xx1 = xSegMin;
++ } else if (xx1 > xSegMax) {
++ xx1 = xSegMax;
+ }
+ }
+ if (xx0 < xx1) {
+diff -u -p -Nr --exclude CVS gpdf-2.8.2.orig/xpdf/JBIG2Stream.cc gpdf-2.8.2/xpdf/JBIG2Stream.cc
+--- xpdf/JBIG2Stream.cc 2006-02-14 08:53:37.000000000 +0100
++++ xpdf/JBIG2Stream.cc 2006-02-14 09:16:42.000000000 +0100
+@@ -683,7 +683,7 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA,
+ h = hA;
+ line = (wA + 7) >> 3;
+
+- if (h < 0 || line <= 0 || h >= (INT_MAX-1) / line)
++ if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line)
+ data = NULL;
+ else {
+ // need to allocate one extra guard byte for use in combine()
+@@ -2262,6 +2262,15 @@ void JBIG2Stream::readHalftoneRegionSeg(
+ goto eofError;
+ }
+
++ if (w == 0 || h == 0 || w >= INT_MAX / h) {
++ error(getPos(), "Bad bitmap size in JBIG2 halftone segment");
++ return;
++ }
++ if (gridH == 0 || gridW >= INT_MAX / gridH) {
++ error(getPos(), "Bad grid size in JBIG2 halftone segment");
++ return;
++ }
++
+ // get pattern dictionary
+ if (nRefSegs != 1) {
+ error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
+diff -u -p -Nr --exclude CVS gpdf-2.8.2.orig/xpdf/Stream.h gpdf-2.8.2/xpdf/Stream.h
+--- xpdf/Stream.h 2006-02-14 08:53:37.000000000 +0100
++++ xpdf/Stream.h 2006-02-14 09:26:48.000000000 +0100
+@@ -534,7 +534,7 @@ private:
+ short getWhiteCode();
+ short getBlackCode();
+ short lookBits(int n);
+- void eatBits(int n) { inputBits -= n; }
++ void eatBits(int n) { if ((inputBits -= n) < 0) inputBits = 0; }
+ };
+
+ //------------------------------------------------------------------------
--- /dev/null
+--- gpdf-2.8.2.orig/xpdf/TextOutputDev.h
++++ gpdf-2.8.2/xpdf/TextOutputDev.h
+@@ -166,6 +166,8 @@
+ // TextLine
+ //------------------------------------------------------------------------
+
++class TextBlock;
++
+ class TextLine {
+ public:
+
+@@ -223,6 +225,8 @@
+ // TextBlock
+ //------------------------------------------------------------------------
+
++class TextPage;
++
+ class TextBlock {
+ public:
+
+@@ -342,6 +346,8 @@
+ // TextPage
+ //------------------------------------------------------------------------
+
++class TextLineFrag;
++
+ class TextPage {
+ public:
+
--- /dev/null
+--- gpdf-2.8.2.orig/xpdf/Decrypt.cc
++++ gpdf-2.8.2/xpdf/Decrypt.cc
+@@ -73,6 +73,11 @@
+ Guchar fx, fy;
+ int len, i, j;
+
++ // check whether we have non-zero keyLength
++ if ( !keyLength ) {
++ return gFalse;
++ }
++
+ // try using the supplied owner password to generate the user password
+ *ownerPasswordOk = gFalse;
+ if (ownerPassword) {
+@@ -98,7 +103,7 @@
+ } else {
+ memcpy(test2, ownerKey->getCString(), 32);
+ for (i = 19; i >= 0; --i) {
+- for (j = 0; j < keyLength; ++j) {
++ for (j = 0; j < keyLength && j < 16; ++j) {
+ tmpKey[j] = test[j] ^ i;
+ }
+ rc4InitKey(tmpKey, keyLength, fState);
+@@ -135,6 +140,11 @@
+ int len, i, j;
+ GBool ok;
+
++ // check whether we have non-zero keyLength
++ if ( !keyLength ) {
++ return gFalse;
++ }
++
+ // generate file key
+ buf = (Guchar *)gmalloc(68 + fileID->getLength());
+ if (userPassword) {
+@@ -172,7 +182,7 @@
+ } else if (encRevision == 3) {
+ memcpy(test, userKey->getCString(), 32);
+ for (i = 19; i >= 0; --i) {
+- for (j = 0; j < keyLength; ++j) {
++ for (j = 0; j < keyLength && j < 16; ++j) {
+ tmpKey[j] = fileKey[j] ^ i;
+ }
+ rc4InitKey(tmpKey, keyLength, fState);
--- /dev/null
+--- gpdf-2.8.2.orig/fofi/FoFiTrueType.cc
++++ gpdf-2.8.2/fofi/FoFiTrueType.cc
+@@ -1343,6 +1343,26 @@
+ return;
+ }
+
++ // make sure the loca table is sane (correct length and entries are
++ // in bounds)
++ i = seekTable("loca");
++ if (tables[i].len < (nGlyphs + 1) * (locaFmt ? 4 : 2)) {
++ parsedOk = gFalse;
++ return;
++ }
++ for (j = 0; j <= nGlyphs; ++j) {
++ if (locaFmt) {
++ pos = (int)getU32BE(tables[i].offset + j*4, &parsedOk);
++ } else {
++ pos = getU16BE(tables[i].offset + j*2, &parsedOk);
++ }
++ if (pos < 0 || pos > len) {
++ parsedOk = gFalse;
++ }
++ }
++ if (!parsedOk) {
++ return;
++ }
+ // read the post table
+ readPostTable();
+ if (!parsedOk) {
--- /dev/null
+DESCRIPTION = "Portable Document Format (PDF) viewer"
+LICENSE = "GPL"
+SECTION = "x11/utils"
+
+inherit gnome debian-vampyre
+
+DEPENDS += "gtk+ libgnomeui libbonoboui gnome-vfs gconf gettext libglade \
+ libgnomeprint libgnomeprintui gnome-common"
+
+DSRC_URI += "file://000-checks.patch;patch=1;pnum=0 \
+ file://005-gcc4.patch;patch=1;pnum=0 \
+ file://006_CAN-2005-3191.patch;patch=1;pnum=0 \
+ file://007_CVE-2006-0301.patch;patch=1;pnum=0 \
+ file://008_security_upstream.patch;patch=1;pnum=0 \
+ file://010-forward.patch;patch=1 \
+ file://015-CAN-2005-0064.patch;patch=1 \
+ file://016_CAN-2005-2097-loca-table-sanity.patch;patch=1"
+
+EXTRA_OECONF = "--disable-schemas-install"
+
+do_configure_prepend () {
+ cp ${STAGING_DIR}/${HOST_SYS}/share/gnome-common/data/omf.make ${S}/help
+}