CVS commit by aacid: fix xpdf buffer overflow By Dirk Mueller
M +5 -3 Gfx.cc 1.6.2.2
M +6 -1 GfxState.cc 1.5.2.1
--- kdegraphics/kpdf/xpdf/Gfx.cc #1.6.2.1:1.6.2.2
@@ -2151,5 +2151,5 @@ void Gfx::opSetFont(Object args[], int /
 printf(" font: tag=%s name='%s' %g\n",
 font->getTag()->getCString(),
- font->getName() ? font->getName()->getCString() : "\?\?\?",
+ font->getName() ? font->getName()->getCString() : "???",
 args[1].getNum());
 fflush(stdout);
@@ -2372,5 +2372,5 @@ void Gfx::doShowText(GString *s) {
 saveState();
 state->setCTM(newCTM[0], newCTM[1], newCTM[2], newCTM[3], x, y);
- //~ out->updateCTM(\?\?\?)
+ //~ out->updateCTM(???)
 if (!out->beginType3Char(state, curX + riseX, curY + riseY, tdx, tdy,
 code, u, uLen)) {
@@ -2655,5 +2655,7 @@ void Gfx::doImage(Object *ref, Stream *s
 dict->lookup("Mask", &maskObj);
 if (maskObj.isArray()) {
- for (i = 0; i < maskObj.arrayGetLength(); ++i) {
+ for (i = 0;
+ i < maskObj.arrayGetLength() && i < 2*gfxColorMaxComps;
+ ++i) {
 maskObj.arrayGet(i, &obj1);
 maskColors[i] = obj1.getInt();
--- kdegraphics/kpdf/xpdf/GfxState.cc #1.5:1.5.2.1
@@ -709,4 +709,9 @@ GfxColorSpace *GfxICCBasedColorSpace::pa
 nCompsA = obj2.getInt();
 obj2.free();
+ if (nCompsA > gfxColorMaxComps) {
+ error(-1, "ICCBased color space with too many (%d > %d) components",
+ nCompsA, gfxColorMaxComps);
+ nCompsA = gfxColorMaxComps;
+ }
 if (dict->lookup("Alternate", &obj2)->isNull() ||
 !(altA = GfxColorSpace::parse(&obj2))) {
@@ -1055,5 +1060,5 @@ GfxColorSpace *GfxDeviceNColorSpace::par
 nCompsA = obj1.arrayGetLength();
 if (nCompsA > gfxColorMaxComps) {
- error(-1, "DeviceN color space with more than %d > %d components",
+ error(-1, "DeviceN color space with too many (%d > %d) components",
 nCompsA, gfxColorMaxComps);
 nCompsA = gfxColorMaxComps;
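Review bot: The new loop bound in Gfx::doImage's /Mask handling stops the write past `maskColors`, but it truncates an over-long array silently and uses the absolute compile-time maximum rather than the width a colour-key mask must actually have, so a malformed array leaves the remaining entries unset while the mask is still applied. If the image colour map has already been built at this point (not visible in the hunk), `2*colorMap->getNumPixelComps()` is the tighter limit, and an array longer than that is better reported with `error()` and the mask ignored than trimmed. The element read `maskColors[i] = obj1.getInt();` also does not check the entry's type first; `if (obj1.isInt()) maskColors[i] = obj1.getInt();` with an error on the else path would close that gap. The rest of the loop body and of doImage lie outside the hunk.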
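Review bot: The new clamp in GfxICCBasedColorSpace::parse only bounds nCompsA from above; the /N value comes straight from `obj2.getInt()` on the context line, so a zero or negative count passes through unchanged, and whatever later sizes loops or arrays from it (the rest of parse is outside the hunk) is unguarded. Since /N for an ICCBased space is restricted to 1, 3 or 4, a test of the form `if (nCompsA < 1 || nCompsA > gfxColorMaxComps)` — or an exact-value check — is safer, and an out-of-range value is better treated as a parse failure, as the Alternate lookup on the following lines is, than silently clamped to gfxColorMaxComps. The DeviceN hunk below has the same shape; there `obj1.arrayGetLength()` cannot be negative, so only the zero-length case would need the extra check.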