--- xpdf-3.01/fofi/FoFiTrueType.cc 2005-08-17 07:34:30.000000000 +0200
+++ xpdf-3.01-fix/fofi/FoFiTrueType.cc 2005-08-22 12:13:04.000000000 +0200
@@ -1652,6 +1652,27 @@
 return;
 }
 
+ // make sure the loca table is sane (correct length and entries are
+ // in bounds)
+ i = seekTable("loca");
+ if (tables[i].len < (nGlyphs + 1) * (locaFmt ? 4 : 2)) {
+ parsedOk = gFalse;
+ return;
+ }
+ for (j = 0; j <= nGlyphs; ++j) {
+ if (locaFmt) {
+ pos = (int)getU32BE(tables[i].offset + j*4, &parsedOk);
+ } else {
+ pos = getU16BE(tables[i].offset + j*2, &parsedOk);
+ }
+ if (pos < 0 || pos > len) {
+ parsedOk = gFalse;
+ }
+ }
+ if (!parsedOk) {
+ return;
+ }
+
 // read the post table
 readPostTable();
 }
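Review bot: The bounds test `pos > len` in the added loop compares each loca entry against `len`, which is declared outside this hunk and looks like the length of the whole font buffer rather than of the glyf table, so an entry can pass here and still point past the glyph data once the glyf table's own offset is added. In the short format (`locaFmt` false) the stored 16-bit value is half the real offset, so the undoubled `pos` is checked even more loosely. I would bound against the glyf table instead, with a new local `k`: `k = seekTable("glyf");` before the loop and `if (pos < 0 || (locaFmt ? pos : 2*pos) > tables[k].len) {` inside it. `i = seekTable("loca")` is also used as an index without a `< 0` test, which is only safe if an earlier check outside the hunk guarantees the table exists. The function begins above the hunk, so the declarations of `i`, `j`, `pos` and `len` are not visible here.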