$OpenBSD: patch-xpdf_GfxState_cc,v 1.2 2003/02/12 08:28:20 sturm Exp $
--- xpdf/GfxState.cc.orig	Fri Dec  6 00:44:32 2002
+++ xpdf/GfxState.cc	Tue Feb 11 16:53:52 2003
@@ -815,9 +815,19 @@ GfxColorSpace *GfxIndexedColorSpace::par
   obj1.free();
   if (!arr->get(2, &obj1)->isInt()) {
     error(-1, "Bad Indexed color space (hival)");
+    delete baseA;
     goto err2;
   }
   indexHighA = obj1.getInt();
+  if (indexHighA < 0 || indexHighA > 255) {
+    // the PDF spec requires indexHigh to be in [0,255] -- allowing
+    // values larger than 255 creates a security hole: if nComps *
+    // indexHigh is greater than 2^31, the loop below may overwrite
+    // past the end of the array
+    error(-1, "Bad Indexed color space (invalid indexHigh value)");
+    delete baseA;
+    goto err2;
+  }
   obj1.free();
   cs = new GfxIndexedColorSpace(baseA, indexHighA);
   arr->get(3, &obj1);
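Review bot: The comment on the new range check (`indexHighA < 0 || indexHighA > 255`) explains the risk in terms of `nComps * indexHigh`, but the check bounds only indexHigh. The claim that the product stays in range also depends on the base colour space's component count being small, and nothing in this hunk enforces that. I would state the dependency in the comment, e.g. `// with indexHigh <= 255, (indexHigh + 1) * nComps stays small only while nComps of the base space is bounded`. Both new failure paths repeat `delete baseA;` before `goto err2`, so it is worth confirming that err2 releases obj1 and does not touch baseA again. The err2 label and the rest of parse() lie outside the hunk.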
