Index: xpdf/Gfx.cc
===================================================================
RCS file: /home/kde/koffice/filters/kword/pdf/xpdf/xpdf/Gfx.cc,v
retrieving revision 1.3
retrieving revision 1.3.2.1
diff -u -p -r1.3 -r1.3.2.1
--- xpdf/Gfx.cc	25 Jan 2003 23:17:44 -0000	1.3
+++ xpdf/Gfx.cc	22 Dec 2004 12:07:12 -0000	1.3.2.1
@@ -2379,7 +2379,9 @@ void Gfx::doImage(Object *ref, Stream *s
     haveMask = gFalse;
     dict->lookup("Mask", &maskObj);
     if (maskObj.isArray()) {
-      for (i = 0; i < maskObj.arrayGetLength(); ++i) {
+      for (i = 0;
+	   i < maskObj.arrayGetLength() && i < 2*gfxColorMaxComps;
+	   ++i) {
 	maskObj.arrayGet(i, &obj1);
 	maskColors[i] = obj1.getInt();
 	obj1.free();
Index: xpdf/GfxState.cc
===================================================================
RCS file: /home/kde/koffice/filters/kword/pdf/xpdf/xpdf/GfxState.cc,v
retrieving revision 1.3
retrieving revision 1.3.2.2
diff -u -p -r1.3 -r1.3.2.2
--- xpdf/GfxState.cc	25 Jan 2003 23:17:44 -0000	1.3
+++ xpdf/GfxState.cc	22 Dec 2004 13:50:53 -0000	1.3.2.2
@@ -682,6 +682,11 @@ GfxColorSpace *GfxICCBasedColorSpace::pa
   }
   nCompsA = obj2.getInt();
   obj2.free();
+  if (nCompsA > gfxColorMaxComps) {
+    error(-1, "ICCBased color space with too many (%d > %d) components",
+	  nCompsA, gfxColorMaxComps);
+    nCompsA = gfxColorMaxComps;
+  }
   if (dict->lookup("Alternate", &obj2)->isNull() ||
       !(altA = GfxColorSpace::parse(&obj2))) {
     switch (nCompsA) {
@@ -1023,6 +1028,11 @@ GfxColorSpace *GfxDeviceNColorSpace::par
     goto err2;
   }
   nCompsA = obj1.arrayGetLength();
+  if (nCompsA > gfxColorMaxComps) {
+    error(-1, "DeviceN color space with too many (%d > %d) components",
+        nCompsA, gfxColorMaxComps);
+    nCompsA = gfxColorMaxComps;
+  }
   for (i = 0; i < nCompsA; ++i) {
     if (!obj1.arrayGet(i, &obj2)->isName()) {
       error(-1, "Bad DeviceN color space (names)");