The pdftops filter in xpdf contains an integer overflow that can

be exploited to gain the privileges of the target user.

http://www.idefense.com/advisory/12.23.02.txt

textproc/xpdf/Makefile

@@ -1,8 +1,9 @@
-# $OpenBSD: Makefile,v 1.30 2002/10/28 22:43:46 naddy Exp $
+# $OpenBSD: Makefile,v 1.31 2002/12/29 23:45:20 brad Exp $
 
 COMMENT=	"PDF viewer for X"
 
 DISTNAME=	xpdf-1.01
+PKGNAME=	${DISTNAME}p1
 CATEGORIES=	textproc x11
 
 MASTER_SITES=	ftp://ftp.foolabs.com/pub/xpdf/
@@ -13,6 +14,7 @@ LIB_DEPENDS=	t1x.3,t1.3::devel/t1lib
 
 MAINTAINER=	Brad Smith <brad@openbsd.org>
 
+# GPL
 PERMIT_PACKAGE_CDROM=	Yes
 PERMIT_PACKAGE_FTP=	Yes
 PERMIT_DISTFILES_CDROM=	Yes

textproc/xpdf/patches/patch-xpdf_GfxState_cc

@@ -0,0 +1,23 @@
+$OpenBSD: patch-xpdf_GfxState_cc,v 1.1 2002/12/29 23:45:20 brad Exp $
+--- xpdf/GfxState.cc.orig	Thu Dec 26 23:05:20 2002
++++ xpdf/GfxState.cc	Thu Dec 26 23:22:59 2002
+@@ -788,9 +788,19 @@ GfxColorSpace *GfxIndexedColorSpace::par
+   obj1.free();
+   if (!arr->get(2, &obj1)->isInt()) {
+     error(-1, "Bad Indexed color space (hival)");
++    delete baseA;
+     goto err2;
+   }
+   indexHighA = obj1.getInt();
++  if (indexHighA < 0 || indexHighA > 255) {
++    // the PDF spec requires indexHigh to be in [0,255] -- allowing
++    // values larger than 255 creates a security hole: if nComps *
++    // indexHigh is greater than 2^31, the loop below may overwrite
++    // past the end of the array
++    error(-1, "Bad Indexed color space (invalid indexHigh value)");
++    delete baseA;
++    goto err2;
++  }
+   obj1.free();
+   cs = new GfxIndexedColorSpace(baseA, indexHighA);
+   arr->get(3, &obj1);