--- misc/hunspell-1.3.2/src/hunspell/affixmgr.cxx 2010-02-27 12:59:53.000000000 +0100
+++ misc/build/hunspell-1.3.2/src/hunspell/affixmgr.cxx 2011-05-18 16:29:45.919141893 +0200
@@ -6,6 +6,8 @@
 #include
 #include
+#include
+
 #include
 #include "affixmgr.hxx"
@@ -4000,7 +4002,10 @@
 case 3: {
 np++;
 numents = atoi(piece);
- if (numents == 0) {
+ if ((numents <= 0) ||
+ ((::std::numeric_limits::max()
+ / sizeof(struct affentry)) < numents))
+ {
 char * err = pHMgr->encode_flag(aflag);
 if (err) {
 HUNSPELL_WARNING(stderr, "error: line %d: bad entry number\n",
--- misc/hunspell-1.3.2/src/tools/munch.c 2010-02-27 21:49:49.000000000 +0100
+++ misc/build/hunspell-1.3.2/src/tools/munch.c 2011-05-18 15:53:53.427072106 +0200
@@ -4,6 +4,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -233,10 +233,19 @@
 case 1: { achar = *piece; break; }
 case 2: { if (*piece == 'Y') ff = XPRODUCT; break; }
 case 3: { numents = atoi(piece);
- ptr = malloc(numents * sizeof(struct affent));
- ptr->achar = achar;
- ptr->xpflg = ff;
- fprintf(stderr,"parsing %c entries %d\n",achar,numents);
+ if ((numents < 0) ||
+ ((SIZE_MAX/sizeof(struct affent)) < numents))
+ {
+ fprintf(stderr,
+ "Error: too many entries: %d\n", numents);
+ numents = 0;
+ } else {
+ ptr = malloc(numents * sizeof(struct affent));
+ ptr->achar = achar;
+ ptr->xpflg = ff;
+ fprintf(stderr,"parsing %c entries %d\n",
+ achar,numents);
+ }
 break;
 }
 default: break;
--- misc/hunspell-1.3.2/src/tools/unmunch.c 2010-02-23 15:53:29.000000000 +0100
+++ misc/build/hunspell-1.3.2/src/tools/unmunch.c 2011-05-18 20:53:43.843599726 +0200
@@ -6,6 +6,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
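Review bot: In the affixmgr.cxx hunk at `@@ -4000,7 +4002,10 @@`, the added upper bound only guards the multiplication by `sizeof(struct affentry)` against wrap-around, so on a build where `size_t` is 64 bits every positive `int` passes it and a count near `INT_MAX` read from an .aff file is still accepted. The allocation that uses `numents` is outside the hunk, so whether it is checked for failure cannot be seen here; an explicit cap would bound it, e.g. `if ((numents <= 0) || (numents > MAX_AFFIX_ENTRIES))` with `MAX_AFFIX_ENTRIES` as a placeholder constant the project would have to choose. `atoi` also reports no conversion error and has undefined behaviour when the value does not fit in `int`; `strtol` with an end-pointer and `errno` check is the sturdier parse. The template argument of `numeric_limits` is not visible on this page, so this assumes it is `size_t`.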
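Review bot: In the munch.c hunk at `@@ -233,10 +233,19 @@`, a count of zero still reaches the `else` branch, so `malloc(0)` is followed by the stores to `ptr->achar` and `ptr->xpflg`, and the `malloc` result is not checked for NULL before those stores either. Reject zero together with negatives, `if ((numents <= 0) ||`, and add `if (ptr == NULL) { fprintf(stderr, "Error: out of memory\n"); numents = 0; break; }` directly after the `malloc` (the message text is a suggestion). In the error branch `ptr` keeps whatever value it had before; the code that later uses it is outside the hunk, so it should be confirmed that `numents = 0` alone keeps that code from touching it. The unmunch.c hunk at `@@ -158,10 +159,19 @@` is identical and needs the same two changes.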
@@ -158,10 +159,19 @@
 case 1: { achar = *piece; break; }
 case 2: { if (*piece == 'Y') ff = XPRODUCT; break; }
 case 3: { numents = atoi(piece);
- ptr = malloc(numents * sizeof(struct affent));
- ptr->achar = achar;
- ptr->xpflg = ff;
- fprintf(stderr,"parsing %c entries %d\n",achar,numents);
+ if ((numents < 0) ||
+ ((SIZE_MAX/sizeof(struct affent)) < numents))
+ {
+ fprintf(stderr,
+ "Error: too many entries: %d\n", numents);
+ numents = 0;
+ } else {
+ ptr = malloc(numents * sizeof(struct affent));
+ ptr->achar = achar;
+ ptr->xpflg = ff;
+ fprintf(stderr,"parsing %c entries %d\n",
+ achar,numents);
+ }
 break;
 }
 default: break;