Fix for CVE-2010-1440 From Jan Lieskovsky we decided to treat the CVE-2010-1440 issue as a completely new tetex / texlive issue, rather than an incomplete fix for CVE-2010-0739 (in fact, the reproducer for CVE-2010-0739 is only catalyst / accelerator to see this flaw on ppc architecture, but in fact, it's another occurrence of integer overflow in teTeX / TeXLive code). --- texk/dvipsk/dospecial.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) Index: texlive-bin-2009/texk/dvipsk/dospecial.c =================================================================== --- texlive-bin-2009.orig/texk/dvipsk/dospecial.c 2010-05-01 02:15:09.000000000 +0900 +++ texlive-bin-2009/texk/dvipsk/dospecial.c 2010-05-01 02:15:16.000000000 +0900 @@ -333,7 +333,11 @@ int j ; static int omega_specials = 0; - if (nextstring + numbytes > maxstring) { + if (numbytes < 0 || numbytes > maxstring - nextstring) { + if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2 ) { + error("! Integer overflow in predospecial"); + exit(1); + } p = nextstring = mymalloc(1000 + 2 * numbytes) ; maxstring = nextstring + 2 * numbytes + 700 ; } @@ -918,7 +922,11 @@ char seen[NKEYS] ; float valseen[NKEYS] ; - if (nextstring + nbytes > maxstring) { + if (nbytes < 0 || nbytes > maxstring - nextstring) { + if (nbytes < 0 || nbytes > (INT_MAX - 1000) / 2 ) { + error("! Integer overflow in bbdospecial"); + exit(1); + } p = nextstring = mymalloc(1000 + 2 * nbytes) ; maxstring = nextstring + 2 * nbytes + 700 ; }
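Review bot: In the predospecial hunk, the inner test `if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2 )` repeats the `numbytes < 0` check that the enclosing `if (numbytes < 0 || numbytes > maxstring - nextstring)` has already performed, so the inner condition can be reduced to `numbytes > (INT_MAX - 1000) / 2`. The bound itself is right: it keeps `1000 + 2 * numbytes` within INT_MAX before the `mymalloc` argument is computed, and `maxstring = nextstring + 2 * numbytes + 700` stays inside the 1000 + 2 * numbytes bytes just allocated. Two things to confirm outside the visible lines: that dospecial.c (or a header it pulls in) already includes `<limits.h>` for INT_MAX, since the diff adds no include, and whether dvips' `error()` already aborts on a message beginning with `!`, in which case the explicit `exit(1)` is redundant but harmless.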
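Review bot: The bbdospecial hunk duplicates the predospecial guard verbatim apart from the variable name and the message string, so a small helper (for example one that takes the byte count and the function name and does the range check, allocation and `maxstring` update) would keep the two growth paths from drifting apart on the next fix. Replacing `nextstring + nbytes > maxstring` with `nbytes > maxstring - nextstring` is the more important change in this hunk: the old form computed a pointer past the end of the buffer when `nbytes` was large or negative, while the new form compares an `int` against a `ptrdiff_t` and rejects negative `nbytes` before any arithmetic, which is what closes the CVE-2010-1440 overflow on ppc described in the message. As in the first hunk, the inner `nbytes < 0` test is redundant given the outer condition.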