--- /dev/null
+diff -burN cups-1.1.23.orig/pdftops/FontFile.cxx cups-1.1.23/pdftops/FontFile.cxx
+--- cups-1.1.23.orig/pdftops/FontFile.cxx 2005-09-02 19:02:24.273122328 +0200
++++ cups-1.1.23/pdftops/FontFile.cxx 2005-09-02 19:02:39.174856920 +0200
+@@ -18,6 +18,7 @@
+ #include <stdarg.h>
+ #include <string.h>
+ #include <ctype.h>
++#include <error.h>
+ #include "gmem.h"
+ #include "GHash.h"
+ #include "Error.h"
+@@ -3572,6 +3573,9 @@
+ } else {
+ origLocaTable[i].pos = 2 * getUShort(pos + 2*i);
+ }
++
++ if (origLocaTable[i].pos < 0 || origLocaTable[i].pos > len)
++ error (1, 0, "bad loca table pos value");
+ }
+ qsort(origLocaTable, nGlyphs + 1, sizeof(TrueTypeLoca), &cmpTrueTypeLocaPos);
+ for (i = 0; i < nGlyphs; ++i) {