diff --exclude-from=/home/dang/bin/scripts/diffrc -up -ruN libwpd-0.8.4.orig/src/lib/WP5DefinitionGroup.cpp libwpd-0.8.4/src/lib/WP5DefinitionGroup.cpp
--- libwpd-0.8.4.orig/src/lib/WP5DefinitionGroup.cpp 2005-12-05 08:51:35.000000000 -0500
+++ libwpd-0.8.4/src/lib/WP5DefinitionGroup.cpp 2007-03-07 11:59:45.000000000 -0500
@@ -26,7 +26,7 @@
 #include "WPXListener.h"
 #include "libwpd_internal.h"
-WP5DefinitionGroup_DefineTablesSubGroup::WP5DefinitionGroup_DefineTablesSubGroup(WPXInputStream *input) :
+WP5DefinitionGroup_DefineTablesSubGroup::WP5DefinitionGroup_DefineTablesSubGroup(WPXInputStream *input, uint16_t subGroupSize) :
 WP5VariableLengthGroup_SubGroup(),
 m_position(0),
 m_numColumns(0),
@@ -34,6 +34,7 @@ WP5DefinitionGroup_DefineTablesSubGroup:
 m_leftGutter(0),
 m_rightGutter(0)
 {
+ long startPosition = input->tell();
 // Skip useless old values to read the old column number
 input->seek(2, WPX_SEEK_CUR);
 m_numColumns = readU16(input);
@@ -50,12 +51,26 @@ WP5DefinitionGroup_DefineTablesSubGroup:
 input->seek(10, WPX_SEEK_CUR);
 m_leftOffset = readU16(input);
 int i;
+ if ((m_numColumns > 32) || ((input->tell() - startPosition + m_numColumns*5) > (subGroupSize - 4)))
+ throw FileException();
 for (i=0; i < m_numColumns; i++)
+ {
+ if (input->atEOS())
+ throw FileException();
 m_columnWidth[i] = readU16(input);
+ }
 for (i=0; i < m_numColumns; i++)
+ {
+ if (input->atEOS())
+ throw FileException();
 m_attributeBits[i] = readU16(input);
+ }
 for (i=0; i < m_numColumns; i++)
+ {
+ if (input->atEOS())
+ throw FileException();
 m_columnAlignment[i] = readU8(input);
+ }
 }
 void WP5DefinitionGroup_DefineTablesSubGroup::parse(WP5Listener *listener)
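Review bot: Memory safety of the three fill loops now rests on the literal `32` in the new guard matching the dimension of `m_columnWidth`, `m_attributeBits` and `m_columnAlignment`, which are declared in the header outside this hunk and can drift independently of this constant. I would derive the bound from the array itself, `if (m_numColumns > sizeof(m_columnWidth) / sizeof(m_columnWidth[0]) || ((input->tell() - startPosition + m_numColumns*5) > (subGroupSize - 4)))`, and record the invariant with `// all three per-column arrays must share the same dimension`. The `- 4` slack also deserves a comment naming what it accounts for (presumably the subgroup's trailing size and function bytes, confirm against the WP5 group layout); and if `getSize()` counts the group header bytes consumed before this constructor was entered, the size check is looser than the data actually remaining, though the array-dimension check alone still prevents the overflow. The `atEOS()` tests only establish that at least one byte is left before each `readU16`, so the two-byte reads still depend on `readU16` itself rejecting a short read, which I cannot verify from this hunk.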
@@ -86,7 +101,7 @@ void WP5DefinitionGroup::_readContents(W
 switch(getSubGroup())
 {
 case WP5_TOP_DEFINITION_GROUP_DEFINE_TABLES:
- m_subGroupData = new WP5DefinitionGroup_DefineTablesSubGroup(input);
+ m_subGroupData = new WP5DefinitionGroup_DefineTablesSubGroup(input, getSize());
 break;
 default:
 break;
diff --exclude-from=/home/dang/bin/scripts/diffrc -up -ruN libwpd-0.8.4.orig/src/lib/WP5DefinitionGroup.h libwpd-0.8.4/src/lib/WP5DefinitionGroup.h
--- libwpd-0.8.4.orig/src/lib/WP5DefinitionGroup.h 2005-12-05 08:51:35.000000000 -0500
+++ libwpd-0.8.4/src/lib/WP5DefinitionGroup.h 2007-03-07 12:02:13.000000000 -0500
@@ -31,7 +31,7 @@
 class WP5DefinitionGroup_DefineTablesSubGroup : public WP5VariableLengthGroup_SubGroup
 {
 public:
- WP5DefinitionGroup_DefineTablesSubGroup(WPXInputStream *input);
+ WP5DefinitionGroup_DefineTablesSubGroup(WPXInputStream *input, uint16_t subGroupSize);
 virtual void parse(WP5Listener *listener);
 private:
@@ -58,7 +58,6 @@ protected:
 private:
 WP5VariableLengthGroup_SubGroup * m_subGroupData;
-
 };
 #endif /* WP5DEFINITIONGROUP_H */
diff --exclude-from=/home/dang/bin/scripts/diffrc -up -ruN libwpd-0.8.4.orig/src/lib/WP5VariableLengthGroup.h libwpd-0.8.4/src/lib/WP5VariableLengthGroup.h
--- libwpd-0.8.4.orig/src/lib/WP5VariableLengthGroup.h 2005-12-05 08:51:37.000000000 -0500
+++ libwpd-0.8.4/src/lib/WP5VariableLengthGroup.h 2007-03-07 12:19:51.000000000 -0500
@@ -48,6 +48,7 @@ class WP5VariableLengthGroup : public WP
 virtual void _readContents(WPXInputStream *input) {} // we don't always need more information than that provided generically
 const uint8_t getSubGroup() const { return m_subGroup; }
+ const uint16_t getSize() const { return m_size; }
 private:
 uint8_t m_subGroup;