--- kpdf/xpdf/Catalog.cc 2003/08/20 21:25:12 1.3
+++ kpdf/xpdf/Catalog.cc 2004/10/28 09:42:53 1.3.4.4
@@ -12,6 +12,7 @@
 #pragma implementation
 #endif
+#include
 #include
 #include "gmem.h"
 #include "Object.h"
@@ -56,13 +57,22 @@ Catalog::Catalog(XRef *xrefA) {
 goto err2;
 }
 pagesDict.dictLookup("Count", &obj);
- if (!obj.isInt()) {
+ // some PDF files actually use real numbers here ("/Count 9.0")
+ if (!obj.isNum()) {
 error(-1, "Page count in top-level pages object is wrong type (%s)", obj.getTypeName());
 goto err3;
 }
- pagesSize = numPages0 = obj.getInt();
+ pagesSize = numPages0 = (int)obj.getNum();
 obj.free();
+ if (((unsigned) pagesSize >= INT_MAX / sizeof(Page *)) ||
+ ((unsigned) pagesSize >= INT_MAX / sizeof(Ref)))
+ {
+ error(-1, "Invalid 'pagesSize'");
+ ok = gFalse;
+ return;
+ }
+
 pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
 pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
 for (i = 0; i < pagesSize; ++i) {
@@ -190,6 +200,11 @@ int Catalog::readPageTree(Dict *pagesDic
 }
 if (start >= pagesSize) {
 pagesSize += 32;
+ if ((unsigned) pagesSize >= INT_MAX / sizeof(Page*) ||
+ (unsigned) pagesSize >= INT_MAX / sizeof(Ref)) {
+ error(-1, "Invalid 'pagesSize' parameter.");
+ goto err3;
+ }
 pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
 pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
 for (j = pagesSize - 32; j < pagesSize; ++j) {
@@ -307,8 +322,8 @@ Object *Catalog::findDestInTree(Object *
 } else if (cmp < 0) {
 done = gTrue;
 }
- name1.free();
 }
+ name1.free();
 }
 names.free();
 if (!found)
--- kpdf/xpdf/XRef.cc.orig 2004-11-04 13:08:50.000000000 +0100
+++ kpdf/xpdf/XRef.cc 2004-11-04 13:14:50.000000000 +0100
@@ -12,6 +12,7 @@
 #pragma implementation
 #endif
+#include
 #include
 #include
 #include
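Review bot: `pagesSize = numPages0 = (int)obj.getNum();` narrows an unchecked double to int, and in C++ that conversion is undefined behaviour when the value lies outside int's range or is NaN — exactly what a `/Count` such as `1e300` in a damaged file yields; the overflow guard added a few lines below runs only after the cast, so it does not protect it. Validate the double before narrowing, on the same error path the type check above already uses: `double count = obj.getNum(); if (!(count >= 0 && count < INT_MAX)) { error(-1, "Page count out of range"); goto err3; } pagesSize = numPages0 = (int)count;` (the negated form also rejects NaN). Separately, the new guard after `obj.free()` leaves with `ok = gFalse; return;` while every neighbouring failure uses `goto err2`/`goto err3`; if those labels release `catDict`/`pagesDict` (outside the hunk) the early return skips that cleanup, so `goto err2` would be the consistent exit. The constructor's body continues outside the hunk.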
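Review bot: In readPageTree, `pagesSize += 32;` is committed before the new guard, so when the guard fires and jumps to err3, `pagesSize` is 32 larger than what `pages` and `pageRefs` actually hold; anything that later walks those arrays up to `pagesSize` (the destructor, presumably — not visible here) would read past the allocation. Check the grown value before storing it: `if ((unsigned)(pagesSize + 32) >= INT_MAX / sizeof(Page*) || (unsigned)(pagesSize + 32) >= INT_MAX / sizeof(Ref)) { error(-1, "Invalid 'pagesSize' parameter."); goto err3; }` and only then `pagesSize += 32;` — the addition cannot overflow because the constructor's guard in the hunk above already bounds `pagesSize` well below INT_MAX. The endstream hunk in XRef.cc has the same shape (`streamEndsSize += 64;` before its guard and `return gFalse;`). readPageTree's body starts and ends outside the hunk.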
@@ -76,6 +77,12 @@
 // trailer is ok - read the xref table
 } else {
+ if ((unsigned) size >= INT_MAX / sizeof(XRefEntry)) {
+ error(-1, "Invalid 'size' inside xref table.");
+ ok = gFalse;
+ errCode = errDamaged;
+ return;
+ }
 entries = (XRefEntry *)gmalloc(size * sizeof(XRefEntry));
 for (i = 0; i < size; ++i) {
 entries[i].offset = 0xffffffff;
@@ -267,6 +274,10 @@
 // table size
 if (first + n > size) {
 newSize = size + 256;
+ if ((unsigned) newSize >= INT_MAX / sizeof(XRefEntry)) {
+ error(-1, "Invalid 'newSize'");
+ goto err2;
+ }
 entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
 for (i = size; i < newSize; ++i) {
 entries[i].offset = 0xffffffff;
@@ -415,6 +426,10 @@
 if (!strncmp(p, "obj", 3)) {
 if (num >= size) {
 newSize = (num + 1 + 255) & ~255;
+ if ((unsigned) newSize >= INT_MAX / sizeof(XRefEntry)) {
+ error(-1, "Invalid 'obj' parameters.");
+ return gFalse;
+ }
 entries = (XRefEntry *) grealloc(entries, newSize * sizeof(XRefEntry));
 for (i = size; i < newSize; ++i) {
@@ -436,6 +451,11 @@
 } else if (!strncmp(p, "endstream", 9)) {
 if (streamEndsLen == streamEndsSize) {
 streamEndsSize += 64;
+ if ((unsigned) streamEndsSize >= INT_MAX / sizeof(int)) {
+ error(-1, "Invalid 'endstream' parameter.");
+ return gFalse;
+ }
+
 streamEnds = (Guint *)grealloc(streamEnds, streamEndsSize * sizeof(int));
 }
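Review bot: The guard `(unsigned) size >= INT_MAX / sizeof(XRefEntry)` in this hunk is the same expression hand-copied into the other three hunks of XRef.cc and both hunks of Catalog.cc, each with its own element type and error wording; one small helper, e.g. `static GBool countFits(int n, size_t elemSize) { return (unsigned)n < INT_MAX / elemSize; }`, would state the rule once and make each call site read as a bound check rather than arithmetic. Writing it once would also have caught the slip in the endstream hunk, where both the bound and the `grealloc` size use `sizeof(int)` for a buffer declared `Guint *` — harmless where the two widths agree, but `sizeof(Guint)` (or `sizeof(*streamEnds)`) is what the cast promises. The enclosing constructor continues outside the hunk.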