diff -Naur cups-1.1.20/pdftops/Catalog.cxx cups-1.1.20.orig/pdftops/Catalog.cxx
--- cups-1.1.20/pdftops/Catalog.cxx 2003-07-20 04:30:52 +0400
+++ cups-1.1.20.orig/pdftops/Catalog.cxx 2004-10-19 15:46:12 +0400
@@ -13,6 +13,7 @@
 #endif
 #include
+#include
 #include "gmem.h"
 #include "Object.h"
 #include "XRef.h"
@@ -63,6 +64,12 @@
 }
 pagesSize = numPages0 = obj.getInt();
 obj.free();
+ if (pagesSize > UINT_MAX/sizeof(Page *) ||
+ pagesSize > UINT_MAX/sizeof(Ref)) {
+ error(-1, "Invalid 'pagesSize'");
+ ok = gFalse;
+ return;
+ }
 pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
 pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
 for (i = 0; i < pagesSize; ++i) {
@@ -190,6 +197,11 @@
 }
 if (start >= pagesSize) {
 pagesSize += 32;
+ if (pagesSize > UINT_MAX/sizeof(Page *) ||
+ pagesSize > UINT_MAX/sizeof(Ref)) {
+ error(-1, "Invalid 'pagesSize' parameter.");
+ goto err3;
+ }
 pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
 pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
 for (j = pagesSize - 32; j < pagesSize; ++j) {
diff -Naur cups-1.1.20/pdftops/XRef.cxx cups-1.1.20.orig/pdftops/XRef.cxx
--- cups-1.1.20/pdftops/XRef.cxx 2003-07-20 04:30:56 +0400
+++ cups-1.1.20.orig/pdftops/XRef.cxx 2004-10-19 15:45:35 +0400
@@ -16,6 +16,7 @@
 #include
 #include
 #include
+#include
 #include "gmem.h"
 #include "Object.h"
 #include "Stream.h"
@@ -76,6 +77,12 @@
 // trailer is ok - read the xref table
 } else {
+ if (size > UINT_MAX/sizeof(XRefEntry)) {
+ error(-1, "Invalid 'size' inside xref table.");
+ ok = gFalse;
+ errCode = errDamaged;
+ return;
+ }
 entries = (XRefEntry *)gmalloc(size * sizeof(XRefEntry));
 for (i = 0; i < size; ++i) {
 entries[i].offset = 0xffffffff;
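Review bot: The guard added in the Catalog.cxx hunk at `@@ -63,6 +64,12 @@` bounds `pagesSize` by `UINT_MAX`, although the value comes from `obj.getInt()` and is therefore presumably a signed int. A negative count is rejected only through the implicit conversion to an unsigned type inside the comparison, and a product close to `UINT_MAX` may still not fit if `gmalloc` takes a signed size (its prototype is not visible here). I would make the range explicit: `if (pagesSize < 0 || pagesSize > INT_MAX/sizeof(Page *) || pagesSize > INT_MAX/sizeof(Ref)) {`. The same `UINT_MAX` bound is used in the Catalog.cxx hunk at `@@ -190` and in the XRef.cxx hunks at `@@ -76`, `@@ -267`, `@@ -415` and `@@ -436`. The enclosing function starts and ends outside the hunk, so it is worth confirming that the bare `return` does not skip cleanup that its other error paths perform.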
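Review bot: In the Catalog.cxx hunk at `@@ -190,6 +197,11 @@` the check runs after `pagesSize += 32;`, so on the `goto err3` path `pagesSize` is already 32 larger than the `pages` and `pageRefs` arrays really are. Any later code that walks those arrays up to `pagesSize` (not visible in this hunk) would then read past the allocation. Computing the candidate first keeps the member consistent: `int newSize = pagesSize + 32;`, test `newSize` in the guard, and assign `pagesSize = newSize;` right after both `grealloc` calls. The XRef.cxx hunk at `@@ -436,6 +451,11 @@` has the same shape, with `streamEndsSize += 64;` executed before the `return gFalse;`.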
@@ -267,6 +274,10 @@
 // table size
 if (first + n > size) {
 newSize = size + 256;
+ if (newSize > UINT_MAX/sizeof(XRefEntry)) {
+ error(-1, "Invalid 'newSize'");
+ goto err2;
+ }
 entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
 for (i = size; i < newSize; ++i) {
 entries[i].offset = 0xffffffff;
@@ -415,6 +426,10 @@
 if (!strncmp(p, "obj", 3)) {
 if (num >= size) {
 newSize = (num + 1 + 255) & ~255;
+ if (newSize > UINT_MAX/sizeof(XRefEntry)) {
+ error(-1, "Invalid 'obj' parameters.");
+ return gFalse;
+ }
 entries = (XRefEntry *) grealloc(entries, newSize * sizeof(XRefEntry));
 for (i = size; i < newSize; ++i) {
@@ -436,6 +451,11 @@
 } else if (!strncmp(p, "endstream", 9)) {
 if (streamEndsLen == streamEndsSize) {
 streamEndsSize += 64;
+ if (streamEndsSize > UINT_MAX/sizeof(int)) {
+ error(-1, "Invalid 'endstream' parameter.");
+ return gFalse;
+ }
+
 streamEnds = (Guint *)grealloc(streamEnds, streamEndsSize * sizeof(int));
 }
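Review bot: Growing the table by a fixed 256 entries in the hunk at `@@ -267,6 +274,10 @@` does not ensure that it covers `first + n`: when `first + n > size + 256`, `newSize` passes the added bound check but is still too small for the range the subsection names. If the code after the hunk stores into `entries[first]` through `entries[first + n - 1]` (that part is outside the hunk), the result is an out-of-bounds write controlled by file contents. I would size the table from the request, `newSize = (first + n + 255) & ~255;`, after rejecting negative values and `first > INT_MAX - n` so the sum cannot overflow (assuming both are int; their declarations are not visible). The enclosing function starts and ends outside the hunk.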
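Review bot: In the hunk at `@@ -415,6 +426,10 @@` the guard tests `newSize` only after `(num + 1 + 255) & ~255` has been evaluated, so for a `num` near the top of its range the addition overflows before anything is checked. The declaration of `num` is outside the hunk: if it is a signed int the overflow is undefined behaviour, and if it is unsigned the sum wraps to a small `newSize` that passes the bound while still being smaller than `num`. Validating the object number before rounding avoids depending on wraparound, for example `if (num < 0 || num > INT_MAX - 256) return gFalse;` placed ahead of the `newSize` assignment.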