Patch for CVE-2009-3606 and CVE-2009-3609, adopted to kword, Gentoo bug 290470. -a3li@g.o diff -Naur koffice-1.6.3.orig/filters/kword/pdf/xpdf/xpdf/PSOutputDev.cc koffice-1.6.3/filters/kword/pdf/xpdf/xpdf/PSOutputDev.cc --- koffice-1.6.3.orig/filters/kword/pdf/xpdf/xpdf/PSOutputDev.cc 2009-02-04 17:36:28.000000000 +0100 +++ koffice-1.6.3/filters/kword/pdf/xpdf/xpdf/PSOutputDev.cc 2009-11-05 14:59:50.824849320 +0100 @@ -2322,7 +2322,7 @@ width, -height, height); // allocate a line buffer - lineBuf = (Guchar *)gmalloc(4 * width); + lineBuf = (Guchar *)gmallocn(width, 4); // set up to process the data stream imgStr = new ImageStream(str, width, colorMap->getNumPixelComps(), diff -Naur koffice-1.6.3.orig/filters/kword/pdf/xpdf/xpdf/Stream.cc koffice-1.6.3/filters/kword/pdf/xpdf/xpdf/Stream.cc --- koffice-1.6.3.orig/filters/kword/pdf/xpdf/xpdf/Stream.cc 2009-02-04 17:36:28.000000000 +0100 +++ koffice-1.6.3/filters/kword/pdf/xpdf/xpdf/Stream.cc 2009-11-05 15:10:20.680847015 +0100 @@ -327,7 +327,11 @@ } else { imgLineSize = nVals; } - imgLine = (Guchar *)gmalloc(imgLineSize * sizeof(Guchar)); + if (width > INT_MAX / nComps) { + // force a call to gmallocn(-1,...), which will throw an exception + imgLineSize = -1; + } + imgLine = (Guchar *)gmallocn(imgLineSize, sizeof(Guchar)); imgIdx = nVals; }