$OpenBSD: patch-kpdf_xpdf_fofi_FoFiTrueType_cc,v 1.2 2005/11/30 11:22:09 espie Exp $
--- kpdf/xpdf/fofi/FoFiTrueType.cc.orig	Sat Sep 10 10:18:43 2005
+++ kpdf/xpdf/fofi/FoFiTrueType.cc	Mon Nov 21 21:41:36 2005
@@ -1663,6 +1663,27 @@ void FoFiTrueType::parse() {
     return;
   }
 
+  // make sure the loca table is sane (correct length and entries are
+  // in bounds)
+  i = seekTable("loca");
+  if (tables[i].len < (nGlyphs + 1) * (locaFmt ? 4 : 2)) {
+    parsedOk = gFalse;
+    return;
+  }
+  for (j = 0; j <= nGlyphs; ++j) {
+    if (locaFmt) {
+      pos = (int)getU32BE(tables[i].offset + j*4, &parsedOk);
+    } else {
+      pos = getU16BE(tables[i].offset + j*2, &parsedOk);
+    }
+    if (pos < 0 || pos > len) {
+      parsedOk = gFalse;
+    }
+  }
+  if (!parsedOk) {
+    return;
+  }
+
   // read the post table
   readPostTable();
 }
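Review bot: The `pos > len` test in the loop is looser than the comment above it promises: loca entries are offsets relative to the start of the glyf table (stored divided by two when `locaFmt` is 0), yet they are compared raw against the whole file length, so an entry can pass here and still point past the end of the data once the glyf offset is added. Consider looking the glyf table up once before the loop and testing `(locaFmt ? pos : 2 * pos) > tables[g].len` instead, where `g` is the glyf table index (a name chosen for this note, not one from the file). Separately, `i = seekTable("loca")` is used as an index into `tables` with no `< 0` test in this hunk; parse() begins outside the hunk, so an earlier required-table check may already cover it, but that is worth confirming. Whether the later glyph readers re-validate these offsets is also not visible from here.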
