diff -up texlive-2007/texk/dvipsk/dospecial.c.CVE-2010-0739,1440 texlive-2007/texk/dvipsk/dospecial.c
--- texlive-2007/texk/dvipsk/dospecial.c.CVE-2010-0739,1440 2006-12-07 23:39:19.000000000 +0100
+++ texlive-2007/texk/dvipsk/dospecial.c 2010-05-09 10:35:33.724632292 +0200
@@ -325,7 +325,11 @@ void predospecial P2C(integer, numbytes,
 int j ;
 static int omega_specials = 0;
- if (nextstring + numbytes > maxstring) {
+ if (numbytes < 0 || numbytes > maxstring - nextstring) {
+ if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2) {
+ error("! Integer overflow in predospecial");
+ exit(1);
+ }
 p = nextstring = mymalloc(1000 + 2 * numbytes) ;
 maxstring = nextstring + 2 * numbytes + 700 ;
 }
@@ -903,7 +907,11 @@ float *bbdospecial P1C(int, nbytes)
 char seen[NKEYS] ;
 float valseen[NKEYS] ;
- if (nextstring + nbytes > maxstring) {
+ if (nbytes < 0 || nbytes > maxstring - nextstring) {
+ if (nbytes < 0 || nbytes > (INT_MAX - 1000) / 2) {
+ error("! Integer overflow in bbdospecial");
+ exit(1);
+ }
 p = nextstring = mymalloc(1000 + 2 * nbytes) ;
 maxstring = nextstring + 2 * nbytes + 700 ;
 }
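Review bot: The bound `(INT_MAX - 1000) / 2` in the new inner test of predospecial is only correct while it mirrors the allocation size `mymalloc(1000 + 2 * numbytes)` two lines below, and nothing in the hunk records that link; a comment on the test such as `/* keeps 1000 + 2 * numbytes within int range; change together with the mymalloc() size */` would stop the two from drifting apart. The same block is pasted into bbdospecial in the second hunk with `nbytes`, so the comment applies there as well, or both copies could move into one small static helper that takes the length and the caller's name. A negative length is also reported as "Integer overflow", which may mislead whoever triages a malformed input; the message could say that the special's length is invalid. `INT_MAX` needs `<limits.h>` and no include is added in the visible hunks, so it is presumably already pulled in by an existing header, which is worth confirming. Both function bodies start and end outside the hunks.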