--- /dev/null
+Index: cgi-bin/var.c
+===================================================================
+RCS file: /development/cvs/cups/cgi-bin/var.c,v
+retrieving revision 1.21
+retrieving revision 1.22
+diff -u -r1.21 -r1.22
+--- cgi-bin/var.c 2002/01/02 17:58:37 1.21
++++ cgi-bin/var.c 2002/12/12 20:56:29 1.22
+@@ -242,7 +242,7 @@
+ var_t *var; /* Returned variable */
+
+
+- if (name == NULL || value == NULL || element < 0)
++ if (name == NULL || value == NULL || element < 0 || element > 100000)
+ return;
+
+ if ((var = cgi_find_variable(name)) == NULL)
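Review bot: The upper bound `100000` in this `element` check is a bare literal that the second hunk repeats for `size` and the third for `element`, so the three guards can drift apart. Give it a name in var.c, for example `#define CGI_MAX_ELEMENTS 100000 /* Largest array index accepted for a form variable */`, and compare against that in all three places. The guards also return without any message, so a request that hits the cap is dropped silently; a line under the existing `DEBUG` conditional would help when diagnosing a truncated form. The enclosing functions begin and end outside the hunks.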
+@@ -286,7 +286,7 @@
+ var_t *var; /* Returned variable */
+
+
+- if (name == NULL || size < 0)
++ if (name == NULL || size < 0 || size > 100000)
+ return;
+
+ if ((var = cgi_find_variable(name)) == NULL)
+@@ -361,7 +361,7 @@
+ var_t *var; /* New variable */
+
+
+- if (name == NULL || value == NULL)
++ if (name == NULL || value == NULL || element < 0 || element > 100000)
+ return;
+
+ #ifdef DEBUG
+Index: conf/cupsd.conf.in
+===================================================================
+RCS file: /development/cvs/cups/conf/cupsd.conf.in,v
+retrieving revision 1.7
+retrieving revision 1.8
+diff -u -r1.7 -r1.8
+--- conf/cupsd.conf.in.orig 2001-09-14 18:52:05.000000000 +0200
++++ conf/cupsd.conf.in 2002-12-17 13:36:34.000000000 +0100
+@@ -358,6 +358,15 @@
+ #MaxClients 100
+
+ #
++# MaxClientsPerHost: controls the maximum number of simultaneous clients that
++# will be handled from a specific host. Defaults to 10 or 1/10th of the
++# MaxClients setting, whichever is larger. A value of 0 specifies the
++# automatic (10 or 1/10th) setting.
++#
++
++#MaxClientsPerHost 0
++
++#
+ # MaxRequestSize: controls the maximum size of HTTP requests and print files.
+ # Set to 0 to disable this feature (defaults to 0.)
+ #
+Index: cups/http.c
+===================================================================
+RCS file: /development/cvs/cups/cups/http.c,v
+retrieving revision 1.105
+retrieving revision 1.107
+diff -u -r1.105 -r1.107
+--- cups/http.c 2002/10/30 20:04:56 1.105
++++ cups/http.c 2002/12/12 21:44:42 1.107
+@@ -896,11 +896,16 @@
+ }
+
+ http->data_remaining = strtol(len, NULL, 16);
++ if (http->data_remaining < 0)
++ {
++ DEBUG_puts("httpRead: Negative chunk length!");
++ return (0);
++ }
+ }
+
+ DEBUG_printf(("httpRead: data_remaining = %d\n", http->data_remaining));
+
+- if (http->data_remaining == 0)
++ if (http->data_remaining <= 0)
+ {
+ /*
+ * A zero-length chunk ends a transfer; unless we are reading POST
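Review bot: The negative-length test runs on `http->data_remaining` after the `long` returned by `strtol()` has already been stored there, and the field is printed with `%d`, which suggests it is an `int`. Where `long` is wider than that field, an oversized chunk size can be narrowed to zero or a small positive number and pass the check, with zero then being taken as end of transfer. Parse into a local first and range-check before assigning: `long chunk = strtol(len, NULL, 16);` then `if (chunk < 0 || chunk > INT_MAX) return (0);`. Passing `NULL` as the end pointer also means a chunk line with no hex digits parses as 0, and the visible lines return 0 without recording an error, so the caller cannot tell a bad length from a clean end of data.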
+Index: filter/image-bmp.c
+===================================================================
+RCS file: /development/cvs/cups/filter/image-bmp.c,v
+retrieving revision 1.8
+retrieving revision 1.9
+diff -u -r1.8 -r1.9
+--- filter/image-bmp.c 2002/04/19 16:17:26 1.8
++++ filter/image-bmp.c 2002/12/13 15:52:20 1.9
+@@ -105,8 +105,15 @@
+ read_word(fp);
+ offset = read_dword(fp);
+
+- fprintf(stderr, "offset = %d\n", offset);
++ fprintf(stderr, "DEBUG: offset = %d\n", offset);
+
++ if (offset < 0)
++ {
++ fprintf(stderr, "ERROR: Bad BMP offset %d\n", offset);
++ fclose(fp);
++ return (1);
++ }
++
+ /*
+ * Then the bitmap information...
+ */
+@@ -123,15 +130,34 @@
+ colors_used = read_dword(fp);
+ colors_important = read_dword(fp);
+
++ if (img->xsize == 0 || img->xsize > IMAGE_MAX_WIDTH ||
++ img->ysize == 0 || img->ysize > IMAGE_MAX_HEIGHT ||
++ (depth != 1 && depth != 4 && depth != 8 && depth != 24))
++ {
++ fprintf(stderr, "ERROR: Bad BMP dimensions %ux%ux%d\n",
++ img->xsize, img->ysize, depth);
++ fclose(fp);
++ return (1);
++ }
++
++ if (colors_used < 0 || colors_used > 256)
++ {
++ fprintf(stderr, "ERROR: Bad BMP colormap size %d\n", colors_used);
++ fclose(fp);
++ return (1);
++ }
++
++ if (img->xppi == 0 || img->yppi == 0)
++ {
++ fprintf(stderr, "ERROR: Bad BMP resolution %dx%d PPI.\n",
++ img->xppi, img->yppi);
++ img->xppi = img->yppi = 128;
++ }
++
+ /*
+ * Make sure the resolution info is valid...
+ */
+
+- if (img->xppi == 0)
+- img->xppi = 128;
+- if (img->yppi == 0)
+- img->yppi = 128;
+-
+ fprintf(stderr, "info_size = %d, xsize = %d, ysize = %d, planes = %d, depth = %d\n",
+ info_size, img->xsize, img->ysize, planes, depth);
+ fprintf(stderr, "compression = %d, image_size = %d, xppi = %d, yppi = %d\n",
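Review bot: The zero-resolution fallback is logged with the `ERROR:` prefix although loading continues at 128 PPI, while the dimension and colormap checks just above use the same prefix and abort. A `WARNING:` prefix would let someone reading the log tell a rejected file from a corrected one; the same applies to the resolution fallbacks added in image-jpeg.c, image-png.c and image-tiff.c. The comment `Make sure the resolution info is valid...` now sits below the check it described and heads only the debug output, so it should move above the new `if (img->xppi == 0 || img->yppi == 0)`. The new code also resets both axes when only one is zero, which the removed lines did not do; if that is intended it deserves a word in the comment.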
+@@ -150,7 +176,8 @@
+ if (colors_used == 0 && depth <= 8)
+ colors_used = 1 << depth;
+
+- fread(colormap, colors_used, 4, fp);
++ if (colors_used > 0)
++ fread(colormap, colors_used, 4, fp);
+
+ /*
+ * Setup image and buffers...
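Review bot: The result of `fread(colormap, colors_used, 4, fp)` is still ignored, so a file that ends inside the palette leaves the remaining `colormap` entries holding whatever was there before. Check it and fail the way the other new guards do: `if (colors_used > 0 && fread(colormap, colors_used, 4, fp) != 4)` followed by the `fclose(fp); return (1);` pattern used earlier in this file. The declaration of `colormap` is outside the hunk; the `colors_used > 256` bound added above only protects it if the array holds 256 four-byte entries, which should be confirmed.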
+
+
+
+Index: filter/image-gif.c
+===================================================================
+RCS file: /development/cvs/cups/filter/image-gif.c,v
+retrieving revision 1.13
+retrieving revision 1.15
+diff -u -r1.13 -r1.15
+--- filter/image-gif.c 2002/11/27 04:43:53 1.13
++++ filter/image-gif.c 2002/12/13 15:52:20 1.15
+@@ -233,6 +233,19 @@
+ img->xsize = (buf[5] << 8) | buf[4];
+ img->ysize = (buf[7] << 8) | buf[6];
+
++ /*
++ * Check the dimensions of the image; since the dimensions are
++ * a 16-bit integer we just need to check for 0...
++ */
++
++ if (img->xsize == 0 || img->ysize == 0)
++ {
++ fprintf(stderr, "ERROR: Bad GIF image dimensions: %dx%d\n",
++ img->xsize, img->ysize);
++ fclose(fp);
++ return (1);
++ }
++
+ i = gif_read_image(fp, img, cmap, buf[8] & GIF_INTERLACE);
+ fclose(fp);
+ return (i);
+Index: filter/image-jpeg.c
+===================================================================
+RCS file: /development/cvs/cups/filter/image-jpeg.c,v
+retrieving revision 1.15
+retrieving revision 1.16
+diff -u -r1.15 -r1.16
+--- filter/image-jpeg.c 2002/04/19 16:17:26 1.15
++++ filter/image-jpeg.c 2002/12/13 15:52:20 1.16
+@@ -126,6 +126,18 @@
+
+ jpeg_calc_output_dimensions(&cinfo);
+
++ if (cinfo.output_width <= 0 || cinfo.output_width > IMAGE_MAX_WIDTH ||
++ cinfo.output_height <= 0 || cinfo.output_height > IMAGE_MAX_HEIGHT)
++ {
++ fprintf(stderr, "ERROR: Bad JPEG dimensions %dx%d!\n",
++ cinfo.output_width, cinfo.output_height);
++
++ jpeg_destroy_decompress(&cinfo);
++
++ fclose(fp);
++ return (1);
++ }
++
+ img->xsize = cinfo.output_width;
+ img->ysize = cinfo.output_height;
+
+@@ -141,6 +153,13 @@
+ img->xppi = (int)((float)cinfo.X_density * 2.54);
+ img->yppi = (int)((float)cinfo.Y_density * 2.54);
+ }
++
++ if (img->xppi == 0 || img->yppi == 0)
++ {
++ fprintf(stderr, "ERROR: Bad JPEG image resolution %dx%d PPI.\n",
++ img->xppi, img->yppi);
++ img->xppi = img->yppi = 128;
++ }
+ }
+
+ fprintf(stderr, "DEBUG: JPEG image %dx%dx%d, %dx%d PPI\n",
+Index: filter/image-pix.c
+===================================================================
+RCS file: /development/cvs/cups/filter/image-pix.c,v
+retrieving revision 1.6
+retrieving revision 1.7
+diff -u -r1.6 -r1.7
+--- filter/image-pix.c 2002/04/19 16:17:27 1.6
++++ filter/image-pix.c 2002/12/13 15:52:20 1.7
+@@ -78,6 +78,21 @@
+ read_short(fp);
+ depth = read_short(fp);
+
++ /*
++ * Check the dimensions of the image. Since the short values used for the
++ * width and height cannot exceed IMAGE_MAX_WIDTH or IMAGE_MAX_HEIGHT, we
++ * just need to verify they are positive integers.
++ */
++
++ if (width <= 0 || height <= 0 ||
++ (depth != 8 && depth != 24))
++ {
++ fprintf(stderr, "ERROR: Bad PIX image dimensions %dx%dx%d\n",
++ width, height, depth);
++ fclose(fp);
++ return (1);
++ }
++
+ if (depth == 8)
+ img->colorspace = secondary;
+ else
+Index: filter/image-png.c
+===================================================================
+RCS file: /development/cvs/cups/filter/image-png.c,v
+retrieving revision 1.14
+retrieving revision 1.15
+diff -u -r1.14 -r1.15
+--- filter/image-png.c 2002/04/19 16:17:27 1.14
++++ filter/image-png.c 2002/12/13 15:52:20 1.15
+@@ -90,6 +90,15 @@
+ else
+ img->colorspace = (primary == IMAGE_RGB_CMYK) ? IMAGE_RGB : primary;
+
++ if (info->width == 0 || info->width > IMAGE_MAX_WIDTH ||
++ info->height == 0 || info->height > IMAGE_MAX_HEIGHT)
++ {
++ fprintf(stderr, "ERROR: PNG image has invalid dimensions %ux%u!\n",
++ (unsigned)info->width, (unsigned)info->height);
++ fclose(fp);
++ return (1);
++ }
++
+ img->xsize = info->width;
+ img->ysize = info->height;
+
+@@ -98,6 +107,14 @@
+ {
+ img->xppi = (int)((float)info->x_pixels_per_unit * 0.0254);
+ img->yppi = (int)((float)info->y_pixels_per_unit * 0.0254);
++
++ if (img->xppi == 0 || img->yppi == 0)
++ {
++ fprintf(stderr, "ERROR: PNG image has invalid resolution %dx%d PPI\n",
++ img->xppi, img->yppi);
++
++ img->xppi = img->yppi = 128;
++ }
+ }
+
+ ImageSetMaxTiles(img, 0);
+Index: filter/image-pnm.c
+===================================================================
+RCS file: /development/cvs/cups/filter/image-pnm.c,v
+retrieving revision 1.10
+retrieving revision 1.11
+diff -u -r1.10 -r1.11
+--- filter/image-pnm.c 2002/04/19 16:17:27 1.10
++++ filter/image-pnm.c 2002/12/13 15:52:20 1.11
+@@ -132,6 +132,22 @@
+ else
+ maxval = 1;
+
++ if (img->xsize == 0 || img->xsize > IMAGE_MAX_WIDTH ||
++ img->ysize == 0 || img->ysize > IMAGE_MAX_HEIGHT)
++ {
++ fprintf(stderr, "ERROR: Bad PNM dimensions %dx%d!\n",
++ img->xsize, img->ysize);
++ fclose(fp);
++ return (1);
++ }
++
++ if (maxval == 0)
++ {
++ fprintf(stderr, "ERROR: Bad PNM max value %d!\n", maxval);
++ fclose(fp);
++ return (1);
++ }
++
+ if (format == 1 || format == 2 || format == 4 || format == 5)
+ img->colorspace = secondary;
+ else
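Review bot: The `maxval == 0` test lets negative values through; `maxval` is printed with `%d`, so it appears to be signed, and the header parsing that sets it is outside the hunk. If it is later used as a divisor or scale factor for sample values, `if (maxval <= 0)` is the safer guard, and an upper bound matching the sample width the reader supports would close the other end. The dimension message prints `img->xsize` and `img->ysize` with `%d` while the BMP loader uses `%u` for the same fields.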
+Index: filter/image-sgi.c
+===================================================================
+RCS file: /development/cvs/cups/filter/image-sgi.c,v
+retrieving revision 1.11
+retrieving revision 1.12
+diff -u -r1.11 -r1.12
+--- filter/image-sgi.c 2002/04/19 16:17:27 1.11
++++ filter/image-sgi.c 2002/12/13 15:52:20 1.12
+@@ -73,6 +73,22 @@
+ * Get the image dimensions and load the output image...
+ */
+
++ /*
++ * Check the image dimensions; since xsize and ysize are unsigned shorts,
++ * just check if they are 0 since they can't exceed IMAGE_MAX_WIDTH or
++ * IMAGE_MAX_HEIGHT...
++ */
++
++ if (sgip->xsize == 0 || sgip->ysize == 0 ||
++ sgip->zsize == 0 || sgip->zsize > 4)
++ {
++ fprintf(stderr, "ERROR: Bad SGI image dimensions %ux%ux%u!\n",
++ sgip->xsize, sgip->ysize, sgip->zsize);
++ sgiClose(sgip);
++ fclose(fp);
++ return (1);
++ }
++
+ if (sgip->zsize < 3)
+ img->colorspace = secondary;
+ else
+Index: filter/image-sun.c
+===================================================================
+RCS file: /development/cvs/cups/filter/image-sun.c,v
+retrieving revision 1.12
+retrieving revision 1.14
+diff -u -r1.12 -r1.14
+--- filter/image-sun.c 2002/10/22 18:43:45 1.12
++++ filter/image-sun.c 2002/12/13 15:52:20 1.14
+@@ -121,6 +121,15 @@
+ fprintf(stderr, "DEBUG: ras_width=%d, ras_height=%d, ras_depth=%d, ras_type=%d, ras_maplength=%d\n",
+ img->xsize, img->ysize, ras_depth, ras_type, ras_maplength);
+
++ if (ras_maplength > 768 ||
++ img->xsize == 0 || img->xsize > IMAGE_MAX_WIDTH ||
++ img->ysize == 0 || img->ysize > IMAGE_MAX_HEIGHT ||
++ ras_depth == 0 || ras_depth > 32)
++ {
++ fputs("ERROR: Raster image cannot be loaded!\n", stderr);
++ return (1);
++ }
++
+ if (ras_maplength > 0)
+ {
+ memset(cmap[0], 255, sizeof(cmap[0]));
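Review bot: The new rejection path returns without closing `fp`, unlike every other loader touched in this patch, whose added checks call `fclose(fp)` before `return (1)`. If this function owns the stream the way those loaders do (its opening lines are outside the hunk), each rejected raster leaks a file handle in the filter process; add `fclose(fp);` before the return. `ras_maplength` is printed with `%d`, so it looks signed, and a negative value passes `> 768`; `ras_maplength < 0` belongs in the same condition if that is the case.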
+Index: filter/image-tiff.c
+===================================================================
+RCS file: /development/cvs/cups/filter/image-tiff.c,v
+retrieving revision 1.23
+retrieving revision 1.24
+diff -u -r1.23 -r1.24
+--- filter/image-tiff.c 2002/04/19 16:17:27 1.23
++++ filter/image-tiff.c 2002/12/13 15:52:21 1.24
+@@ -173,6 +173,12 @@
+ img->yppi = 128;
+ }
+
++ if (img->xppi == 0 || img->yppi == 0)
++ {
++ fputs("ERROR: Bad TIFF resolution.\n", stderr);
++ img->xppi = img->yppi = 128;
++ }
++
+ fprintf(stderr, "DEBUG: TIFF resolution = %fx%f, units=%d\n",
+ xres, yres, resunit);
+ fprintf(stderr, "DEBUG: Stored resolution = %dx%d PPI\n",
+@@ -189,6 +195,23 @@
+ alpha = 0;
+
+ /*
++ * Check the size of the image...
++ */
++
++ if (width == 0 || width > IMAGE_MAX_WIDTH ||
++ height == 0 || height > IMAGE_MAX_HEIGHT ||
++ (bits != 1 && bits != 2 && bits != 4 && bits != 8) ||
++ samples < 1 || samples > 4)
++ {
++ fprintf(stderr, "ERROR: Bad TIFF dimensions %ux%ux%ux%u!\n",
++ (unsigned)width, (unsigned)height, (unsigned)bits,
++ (unsigned)samples);
++ TIFFClose(tif);
++ fclose(fp);
++ return (1);
++ }
++
++ /*
+ * Setup the image size and colorspace...
+ */
+
+Index: filter/image-zoom.c
+===================================================================
+RCS file: /development/cvs/cups/filter/image-zoom.c,v
+retrieving revision 1.10
+retrieving revision 1.11
+diff -u -r1.10 -r1.11
+--- filter/image-zoom.c 2002/08/27 16:19:38 1.10
++++ filter/image-zoom.c 2002/12/13 15:52:21 1.11
+@@ -58,6 +58,12 @@
+ int flip; /* Flip on X axis? */
+
+
++ if (xsize > IMAGE_MAX_WIDTH ||
++ ysize > IMAGE_MAX_HEIGHT ||
++ (x1 - x0) > IMAGE_MAX_WIDTH ||
++ (y1 - y0) > IMAGE_MAX_HEIGHT)
++ return (NULL); /* Protect against integer overflow */
++
+ if ((z = (izoom_t *)calloc(1, sizeof(izoom_t))) == NULL)
+ return (NULL);
+
+Index: filter/image.h
+===================================================================
+RCS file: /development/cvs/cups/filter/image.h,v
+retrieving revision 1.15
+retrieving revision 1.16
+diff -u -r1.15 -r1.16
+--- filter/image.h 2002/04/29 15:56:58 1.15
++++ filter/image.h 2002/12/13 15:52:21 1.16
+@@ -40,6 +40,13 @@
+
+
+ /*
++ * Maximum image dimensions that we can handle...
++ */
++
++# define IMAGE_MAX_WIDTH 0x07ffffff /* 2^27-1 to allow for 15-channel data */
++# define IMAGE_MAX_HEIGHT 0x7fffffff /* 2^31-1 */
++
++/*
+ * Colorspaces...
+ */
+
+@@ -50,7 +57,6 @@
+ # define IMAGE_RGB 3 /* Red, green, and blue */
+ # define IMAGE_RGB_CMYK 4 /* Use RGB or CMYK */
+
+-
+ /*
+ * Tile definitions...
+ */
+Index: scheduler/client.c
+===================================================================
+RCS file: /development/cvs/cups/scheduler/client.c,v
+retrieving revision 1.128
+retrieving revision 1.130
+diff -u -r1.128 -r1.130
+--- scheduler/client.c 2002/11/21 14:58:18 1.128
++++ scheduler/client.c 2002/12/13 16:24:05 1.130
+@@ -492,6 +520,12 @@
+ LogMessage(L_DEBUG2, "ReadClient() %d, used=%d", con->http.fd,
+ con->http.used);
+
++ if (con->http.error)
++ {
++ CloseClient(con);
++ return (0);
++ }
++
+ switch (con->http.state)
+ {
+ case HTTP_WAITING :
+@@ -944,6 +978,20 @@
+
+ break;
+ }
++ else if (atoi(con->http.fields[HTTP_FIELD_CONTENT_LENGTH]) < 0)
++ {
++ /*
++ * Negative content lengths are invalid!
++ */
++
++ if (!SendError(con, HTTP_BAD_REQUEST))
++ {
++ CloseClient(con);
++ return (0);
++ }
++
++ break;
++ }
+
+ /*
+ * See what kind of POST request this is; for IPP requests the
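Review bot: `atoi()` cannot report an out-of-range or non-numeric Content-Length, and its behaviour on overflow is undefined, so a header value beyond `INT_MAX` may come out non-negative and slip past this `< 0` test. Parse with `strtol()` and an end pointer and reject on range error, trailing junk or a negative result, e.g. `len = strtol(field, &end, 10); if (errno == ERANGE || *end || len < 0) ...` with `errno` cleared first. The surrounding `if`/`else if` chain begins outside the hunk, so the same field may be parsed again later with `atoi()`; that use should share the validated number.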
+Index: scheduler/dirsvc.c
+===================================================================
+RCS file: /development/cvs/cups/scheduler/dirsvc.c,v
+retrieving revision 1.100
+retrieving revision 1.101
+diff -u -r1.100 -r1.101
+--- scheduler/dirsvc.c 2002/09/26 15:19:31 1.100
++++ scheduler/dirsvc.c 2002/12/12 20:56:32 1.101
+@@ -88,6 +88,31 @@
+ httpSeparate(uri, method, username, host, &port, resource);
+
+ /*
++ * Determine if the URI contains any illegal characters in it...
++ */
++
++ if (strncmp(uri, "ipp://", 6) != 0 ||
++ !host[0] ||
++ (strncmp(resource, "/printers/", 10) != 0 &&
++ strncmp(resource, "/classes/", 9) != 0))
++ {
++ LogMessage(L_ERROR, "ProcessBrowseData: Bad printer URI in browse data: %s",
++ uri);
++ return;
++ }
++
++ if (strchr(resource, '?') != NULL ||
++ (strncmp(resource, "/printers/", 10) == 0 &&
++ strchr(resource + 10, '/') != NULL) ||
++ (strncmp(resource, "/classes/", 9) == 0 &&
++ strchr(resource + 9, '/') != NULL))
++ {
++ LogMessage(L_ERROR, "ProcessBrowseData: Bad resource in browse data: %s",
++ resource);
++ return;
++ }
++
++ /*
+ * OK, this isn't a local printer; see if we already have it listed in
+ * the Printers list, and add it if not...
+ */
--- /dev/null
+--- pdftops/GfxState.cxx.pdftops 2002-12-17 11:41:20.000000000 +0000
++++ pdftops/GfxState.cxx 2002-12-17 14:13:52.000000000 +0000
+@@ -12,6 +12,7 @@
+
+ #include <config.h>
+ #include <stddef.h>
++#include <limits.h>
+ #include <math.h>
+ #include <string.h> // for memcpy()
+ #include "gmem.h"
+@@ -749,6 +750,7 @@
+ int indexHighA) {
+ base = baseA;
+ indexHigh = indexHighA;
++ // Checked in GfxIndexedColorSpace::parse
+ lookup = (Guchar *)gmalloc((indexHigh + 1) * base->getNComps() *
+ sizeof(Guchar));
+ }
+@@ -792,9 +794,13 @@
+ }
+ indexHighA = obj1.getInt();
+ obj1.free();
++ n = baseA->getNComps();
++ if ((unsigned int)(indexHighA + 1) >= INT_MAX / (n * sizeof (Guchar))) {
++ error(-1, "Bad Indexed color space (too high)");
++ goto err1;
++ }
+ cs = new GfxIndexedColorSpace(baseA, indexHighA);
+ arr->get(3, &obj1);
+- n = baseA->getNComps();
+ if (obj1.isStream()) {
+ obj1.streamReset();
+ for (i = 0; i <= indexHighA; ++i) {
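Review bot: In `(unsigned int)(indexHighA + 1)` the addition is done in signed `int` before the cast, so `indexHighA == INT_MAX` overflows (undefined behaviour) ahead of the guard meant to catch it; the same form is used for `indexHigh + 1` and `maxPixel + 1` in the three GfxImageColorMap hunks further down. Cast first, `(unsigned int)indexHighA + 1`, and note that the divisor `n * sizeof (Guchar)` is zero if `getNComps()` ever returns 0 for a malformed base space. For the Indexed case a direct range test is simpler and stricter, since the PDF specification caps the high index at 255: `if (indexHighA < 0 || indexHighA > 255) { error(-1, "Bad Indexed color space (invalid indexHigh value)"); goto err1; }`. What `err1` releases, `baseA` in particular, is outside the hunk and worth checking.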
+@@ -1674,6 +1680,8 @@
+ colorSpace2 = indexedCS->getBase();
+ indexHigh = indexedCS->getIndexHigh();
+ nComps2 = colorSpace2->getNComps();
++ if ((unsigned int)(indexHigh + 1) >= INT_MAX / (nComps2 * sizeof(double)))
++ goto err1;
+ lookup = (double *)gmalloc((indexHigh + 1) * nComps2 * sizeof(double));
+ lookup2 = indexedCS->getLookup();
+ for (i = 0; i <= indexHigh; ++i) {
+@@ -1686,6 +1694,8 @@
+ sepCS = (GfxSeparationColorSpace *)colorSpace;
+ colorSpace2 = sepCS->getAlt();
+ nComps2 = colorSpace2->getNComps();
++ if ((unsigned int)(maxPixel + 1) >= INT_MAX / (nComps2 * sizeof(double)))
++ goto err1;
+ lookup = (double *)gmalloc((maxPixel + 1) * nComps2 * sizeof(double));
+ sepFunc = sepCS->getFunc();
+ for (i = 0; i <= maxPixel; ++i) {
+@@ -1696,6 +1706,8 @@
+ }
+ }
+ } else {
++ if ((unsigned int)(maxPixel + 1) >= INT_MAX / (nComps * sizeof(double)))
++ goto err1;
+ lookup = (double *)gmalloc((maxPixel + 1) * nComps * sizeof(double));
+ for (i = 0; i <= maxPixel; ++i) {
+ for (k = 0; k < nComps; ++k) {
+@@ -1781,6 +1793,7 @@
+
+ GfxSubpath::GfxSubpath(double x1, double y1) {
+ size = 16;
++ // safe
+ x = (double *)gmalloc(size * sizeof(double));
+ y = (double *)gmalloc(size * sizeof(double));
+ curve = (GBool *)gmalloc(size * sizeof(GBool));
+@@ -1801,6 +1814,7 @@
+ GfxSubpath::GfxSubpath(GfxSubpath *subpath) {
+ size = subpath->size;
+ n = subpath->n;
++ // safe (subpath->size is constrained)
+ x = (double *)gmalloc(size * sizeof(double));
+ y = (double *)gmalloc(size * sizeof(double));
+ curve = (GBool *)gmalloc(size * sizeof(GBool));
+@@ -1812,6 +1826,7 @@
+
+ void GfxSubpath::lineTo(double x1, double y1) {
+ if (n >= size) {
++ if ((unsigned int)(size + 16) >= INT_MAX / sizeof (double)) return;
+ size += 16;
+ x = (double *)grealloc(x, size * sizeof(double));
+ y = (double *)grealloc(y, size * sizeof(double));
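Review bot: When the size guard trips, `lineTo` simply returns, so the point is dropped and the caller keeps building a path that no longer matches the document; `curveTo` in the next hunk does the same. Report it so the truncation is visible, for example `error(-1, "Path too large, segment dropped");` before the `return`, using the `error()` call this file already makes in `GfxIndexedColorSpace::parse`. `size + 16` is also added in signed `int` before the cast; `(unsigned int)size + 16` avoids relying on overflow behaviour. Both function bodies continue past the hunks.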
+@@ -1826,6 +1841,7 @@
+ void GfxSubpath::curveTo(double x1, double y1, double x2, double y2,
+ double x3, double y3) {
+ if (n+3 > size) {
++ if ((unsigned int)(size + 16) >= INT_MAX / sizeof (double)) return;
+ size += 16;
+ x = (double *)grealloc(x, size * sizeof(double));
+ y = (double *)grealloc(y, size * sizeof(double));
+@@ -1854,6 +1870,7 @@
+ size = 16;
+ n = 0;
+ firstX = firstY = 0;
++ // safe
+ subpaths = (GfxSubpath **)gmalloc(size * sizeof(GfxSubpath *));
+ }
+
+@@ -1875,6 +1892,7 @@
+ firstY = firstY1;
+ size = size1;
+ n = n1;
++ // not sure
+ subpaths = (GfxSubpath **)gmalloc(size * sizeof(GfxSubpath *));
+ for (i = 0; i < n; ++i)
+ subpaths[i] = subpaths1[i]->copy();
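Review bot: The `// not sure` comment leaves this `gmalloc(size * sizeof(GfxSubpath *))` as the one allocation in the patch that is marked neither guarded nor reviewed, with `size` taken straight from the `size1` argument. Either test it the way the rest of the file now does, `if ((unsigned int)size1 >= INT_MAX / sizeof(GfxSubpath *))`, or replace the comment with the reason `size1` is bounded, e.g. `// size1 is always another GfxPath's size, which grows in fixed steps under the same limit`, if that holds. The callers of this constructor are outside the hunk, so that claim needs confirming. The copy loop below also relies on `n1 <= size1`, which nothing visible enforces.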
+@@ -2063,8 +2081,10 @@
+ strokePattern = state->strokePattern->copy();
+ }
+ if (lineDashLength > 0) {
+- lineDash = (double *)gmalloc(lineDashLength * sizeof(double));
+- memcpy(lineDash, state->lineDash, lineDashLength * sizeof(double));
++ if (lineDashLength < INT_MAX / sizeof (double)) {
++ lineDash = (double *)gmalloc(lineDashLength * sizeof(double));
++ memcpy(lineDash, state->lineDash, lineDashLength * sizeof(double));
++ }
+ }
+ saved = NULL;
+ }