--- libs/xpdf/xpdf/XRef.cc.orig	Thu Jan  6 10:31:51 2005
+++ libs/xpdf/xpdf/XRef.cc	Thu Jan  6 10:30:39 2005
@@ -28,6 +28,7 @@
 #include "Error.h"
 #include "ErrorCodes.h"
 #include "XRef.h"
+#include <limits.h>
 
 //------------------------------------------------------------------------
 
@@ -388,6 +389,10 @@
       if (newSize < 0) {
 	goto err1;
       }
+      if ( newSize >= INT_MAX/sizeof(XRefEntry)) {
+        error(-1, "Invalid 'newSize' inside xref table.");
+	goto err1;
+      }
       entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
       for (i = size; i < newSize; ++i) {
 	entries[i].offset = 0xffffffff;
@@ -492,6 +497,10 @@
   if (newSize < 0) {
     goto err1;
   }
+  if (newSize >= INT_MAX/sizeof(XRefEntry)) {
+    error(-1, "Invalid 'newSize'");
+    goto err1;
+  }
   if (newSize > size) {
     entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
     for (i = size; i < newSize; ++i) {
@@ -583,6 +592,10 @@
     if (newSize < 0) {
       return gFalse;
     }
+    if (newSize >= INT_MAX/sizeof(XRefEntry)) {
+      error(-1, "Invalid 'newSize'");
+      return gFalse;
+    }
     entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
     for (i = size; i < newSize; ++i) {
       entries[i].offset = 0xffffffff;
@@ -741,6 +754,10 @@
     } else if (!strncmp(p, "endstream", 9)) {
       if (streamEndsLen == streamEndsSize) {
 	streamEndsSize += 64;
+  	if (streamEndsSize >= INT_MAX/sizeof(int)) {
+  	  error(-1, "Invalid 'endstream' parameter.");
+  	  return gFalse;
+	}
 	streamEnds = (Guint *)grealloc(streamEnds,
 				       streamEndsSize * sizeof(int));
       }