From a5b6ac7044593f6e538966dfdee53e6fe8db3820 Mon Sep 17 00:00:00 2001
From: Jason Crain <jason@aquaticape.us>
Date: Sat, 20 Dec 2014 02:24:49 -0600
Subject: [PATCH] Check for invalid matrix in annotation

https://bugs.freedesktop.org/show_bug.cgi?id=84990
---
 poppler/Gfx.cc | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index 64a9d7b..1c97807 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
@@ -5288,8 +5288,15 @@ void Gfx::drawAnnot(Object *str, AnnotBorder *border, AnnotColor *aColor,
     if (matrixObj.isArray() && matrixObj.arrayGetLength() >= 6) {
       for (i = 0; i < 6; ++i) {
 	matrixObj.arrayGet(i, &obj1);
-	m[i] = obj1.getNum();
-	obj1.free();
+	if (likely(obj1.isNum())) {
+	  m[i] = obj1.getNum();
+	  obj1.free();
+	} else {
+	  obj1.free();
+	  matrixObj.free();
+	  error(errSyntaxError, getPos(), "Bad form matrix");
+	  return;
+	}
       }
     } else {
       m[0] = 1; m[1] = 0;
-- 
2.1.3