diff -burN cups-1.1.23.orig/pdftops/FontFile.cxx cups-1.1.23/pdftops/FontFile.cxx
--- cups-1.1.23.orig/pdftops/FontFile.cxx	2005-09-02 19:02:24.273122328 +0200
+++ cups-1.1.23/pdftops/FontFile.cxx	2005-09-02 19:02:39.174856920 +0200
@@ -18,6 +18,7 @@
 #include <stdarg.h>
 #include <string.h>
 #include <ctype.h>
+#include <error.h>
 #include "gmem.h"
 #include "GHash.h"
 #include "Error.h"
@@ -3572,6 +3573,9 @@
     } else {
       origLocaTable[i].pos = 2 * getUShort(pos + 2*i);
     }
+
+    if (origLocaTable[i].pos < 0 || origLocaTable[i].pos > len)
+      error (1, 0, "bad loca table pos value");
   }
   qsort(origLocaTable, nGlyphs + 1, sizeof(TrueTypeLoca), &cmpTrueTypeLocaPos);
   for (i = 0; i < nGlyphs; ++i) {