--- tetex-src-3.0/texk/dvipsk/dospecial.c.orig 2010-04-29 10:25:30.000000000 -0400
+++ tetex-src-3.0/texk/dvipsk/dospecial.c 2010-04-29 10:30:10.000000000 -0400
@@ -305,7 +305,11 @@ void predospecial P2C(integer, numbytes,
 int j ;
 static int omega_specials = 0;
 
- if (nextstring + numbytes > maxstring) {
+ if (numbytes < 0 || numbytes > maxstring - nextstring) {
+ if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2 ) {
+ error("! Integer overflow in predospecial");
+ exit(1);
+ }
 p = nextstring = mymalloc(1000 + 2 * numbytes) ;
 maxstring = nextstring + 2 * numbytes + 700 ;
 }
@@ -828,7 +832,11 @@ float *bbdospecial P1C(int, nbytes)
 char seen[NKEYS] ;
 float valseen[NKEYS] ;
 
- if (nextstring + nbytes > maxstring) {
+ if (nbytes < 0 || nbytes > maxstring - nextstring) {
+ if (nbytes < 0 || nbytes > (INT_MAX - 1000) / 2 ) {
+ error("! Integer overflow in bbdospecial");
+ exit(1);
+ }
 p = nextstring = mymalloc(1000 + 2 * nbytes) ;
 maxstring = nextstring + 2 * nbytes + 700 ;
 }
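Review bot: The new guard in predospecial uses `INT_MAX`, but neither hunk adds `#include <limits.h>`, so the build depends on that header arriving through some other include that is not visible here; including it explicitly near the top of dospecial.c would make the check self-contained. The same applies to the identical guard in the bbdospecial hunk. The inner test repeats `numbytes < 0` only because the outer condition folds the range check into the capacity check, so a one-line comment above the inner `if`, such as `/* reject lengths for which 1000 + 2 * numbytes would overflow before it reaches mymalloc */`, would explain where the `(INT_MAX - 1000) / 2` bound comes from. In predospecial the length is declared as `integer` rather than `int`; the bound presumably stays safe if that type is at least as wide as `int`, but this is worth confirming against its typedef. Both function bodies start and end outside their hunks.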