diff -Nru cups-1.1.23.orig/pdftops/Catalog.cxx cups-1.1.23/pdftops/Catalog.cxx
--- cups-1.1.23.orig/pdftops/Catalog.cxx 2005-12-14 18:14:18.000000000 +0100
+++ cups-1.1.23/pdftops/Catalog.cxx 2005-12-14 18:16:26.000000000 +0100
@@ -64,8 +64,8 @@
 }
 pagesSize = numPages0 = (int)obj.getNum();
 obj.free();
- if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize ||
- pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
+ if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
+ pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {
 error(-1, "Invalid 'pagesSize'");
 ok = gFalse;
 return;
@@ -197,7 +197,8 @@
 }
 if (start >= pagesSize) {
 pagesSize += 32;
- if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize) {
+ if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
+ pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {
 error(-1, "Invalid 'pagesSize' parameter.");
 goto err3;
 }
diff -Nru cups-1.1.23.orig/pdftops/Decrypt.cxx cups-1.1.23/pdftops/Decrypt.cxx
--- cups-1.1.23.orig/pdftops/Decrypt.cxx 2005-12-14 18:14:18.000000000 +0100
+++ cups-1.1.23/pdftops/Decrypt.cxx 2005-12-14 18:16:26.000000000 +0100
@@ -130,13 +130,19 @@ Guchar *buf; Guchar test[32]; Guchar fState[256]; - Guchar tmpKey[16]; + Guchar *tmpKey; Guchar fx, fy; int len, i, j; GBool ok; + // check whether we have non-zero keyLength + if ( !keyLength || keyLength > 16 ) { + return gFalse; + } + // generate file key buf = (Guchar *)gmalloc(68 + fileID->getLength()); + tmpKey = (Guchar *)gmalloc(keyLength * sizeof(Guchar)); if (userPassword) { len = userPassword->getLength(); if (len < 32) {
@@ -189,6 +195,7 @@
 ok = gFalse;
 }
+ gfree(tmpKey);
 gfree(buf);
 return ok;
 }
diff -Nru cups-1.1.23.orig/pdftops/FontFile.cxx cups-1.1.23/pdftops/FontFile.cxx
--- cups-1.1.23.orig/pdftops/FontFile.cxx 2005-12-14 18:14:18.000000000 +0100
+++ cups-1.1.23/pdftops/FontFile.cxx 2005-12-14 18:16:26.000000000 +0100
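Review bot: The rewritten guards in Catalog.cxx still detect wraparound only after the multiplication has been done. Assuming pagesSize is an int, as the `(int)obj.getNum()` assignment suggests, `pagesSize*(int)sizeof(Page *)` is now a signed multiplication whose overflow is undefined behaviour, so a compiler may drop the comparison. Checking the bound before multiplying avoids that, e.g. `if (pagesSize < 0 || pagesSize > INT_MAX / (int)sizeof(Page *) || pagesSize > INT_MAX / (int)sizeof(Ref)) {`, with INT_MAX from `<limits.h>`. In the second Catalog.cxx hunk `pagesSize += 32` also runs before the test, and the same multiply-then-divide pattern recurs in all four XRef.cxx hunks (`size`, `newSize`, `streamEndsSize`). The enclosing functions start and end outside the hunks.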
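Review bot: The new guard `if ( !keyLength || keyLength > 16 )` in the first Decrypt.cxx hunk does not reject a negative keyLength. Its declaration is outside the hunk, but if it is a signed int a negative value would reach `gmalloc(keyLength * sizeof(Guchar))` and whatever later indexes tmpKey; `if ( keyLength <= 0 || keyLength > 16 ) {` closes that. With the length capped at 16, the original `Guchar tmpKey[16];` would also have been large enough and would avoid the extra allocation and the `gfree(tmpKey)` added in the second hunk. The body between the two hunks is not shown, so I cannot confirm that no other return path skips the free.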
@@ -18,6 +18,7 @@
 #include
 #include
 #include
+#include
 #include "gmem.h"
 #include "GHash.h"
 #include "Error.h"
@@ -3572,6 +3573,9 @@
 } else {
 origLocaTable[i].pos = 2 * getUShort(pos + 2*i);
 }
+
+ if (origLocaTable[i].pos < 0 || origLocaTable[i].pos > len)
+ error (1, 0, "bad loca table pos value");
 }
 qsort(origLocaTable, nGlyphs + 1, sizeof(TrueTypeLoca), &cmpTrueTypeLocaPos);
 for (i = 0; i < nGlyphs; ++i) {
diff -Nru cups-1.1.23.orig/pdftops/XRef.cxx cups-1.1.23/pdftops/XRef.cxx
--- cups-1.1.23.orig/pdftops/XRef.cxx 2005-12-14 18:14:18.000000000 +0100
+++ cups-1.1.23/pdftops/XRef.cxx 2005-12-14 18:16:26.000000000 +0100
@@ -76,7 +76,7 @@
 // trailer is ok - read the xref table
 } else {
- if (size*sizeof(XRefEntry)/sizeof(XRefEntry) != size) {
+ if (size*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != size) {
 error(-1, "Invalid 'size' inside xref table.");
 ok = gFalse;
 errCode = errDamaged;
@@ -291,7 +291,7 @@
 // table size
 if (first + n > size) {
 newSize = first + n;
- if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+ if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
 error(-1, "Invalid 'newSize'");
 goto err2;
 }
@@ -445,7 +445,7 @@
 if (!strncmp(p, "obj", 3)) {
 if (num >= size) {
 newSize = (num + 1 + 255) & ~255;
- if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+ if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
 error(-1, "Invalid 'obj' parameters.");
 return gFalse;
 }
@@ -470,7 +470,7 @@
 } else if (!strncmp(p, "endstream", 9)) {
 if (streamEndsLen == streamEndsSize) {
 streamEndsSize += 64;
- if (streamEndsSize*sizeof(int)/sizeof(int) != streamEndsSize) {
+ if (streamEndsSize*(int)sizeof(int)/sizeof(int) != streamEndsSize) {
 error(-1, "Invalid 'endstream' parameter.");
 return gFalse;
 }
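Review bot: The loca-table check added in the second FontFile.cxx hunk calls `error (1, 0, "bad loca table pos value")`, which does not match the `error(-1, "...")` form used by every other hunk in this patch. Together with the new `#include` (its header name is missing from this page), this looks like the C library's error(status, errnum, format), which would terminate the whole filter process on a malformed font instead of rejecting that font. If the call instead resolves to the project's own error() from Error.h, the `0` lands in the message argument and the loop goes on to sort and use the out-of-range `pos`. I would report through the project's function, `error(-1, "Bad loca table pos value");`, and then take this function's normal failure path, which is not visible in the hunk.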