diff -urN poppler-0.4.5~/goo/gmem.c poppler-0.4.5/goo/gmem.c --- poppler-0.4.5~/goo/gmem.c 2005-05-01 23:54:55.000000000 +0200 +++ poppler-0.4.5/goo/gmem.c 2006-02-15 10:54:47.000000000 +0100 @@ -11,6 +11,7 @@ #include #include #include +#include #include "gmem.h" #ifdef DEBUG_MEM @@ -62,7 +63,7 @@ int lst; unsigned long *trl, *p; - if (size == 0) + if (size <= 0) return NULL; size1 = gMemDataSize(size); if (!(mem = (char *)malloc(size1 + gMemHdrSize + gMemTrlSize))) { @@ -84,7 +85,7 @@ #else void *p; - if (size == 0) + if (size <= 0) return NULL; if (!(p = malloc(size))) { fprintf(stderr, "Out of memory\n"); @@ -100,7 +101,7 @@ void *q; size_t oldSize; - if (size == 0) { + if (size <= 0) { if (p) gfree(p); return NULL; @@ -118,7 +119,7 @@ #else void *q; - if (size == 0) { + if (size <= 0) { if (p) free(p); return NULL; diff -urN poppler-0.4.5~/poppler/JBIG2Stream.cc poppler-0.4.5/poppler/JBIG2Stream.cc --- poppler-0.4.5~/poppler/JBIG2Stream.cc 2006-01-10 19:53:54.000000000 +0100 +++ poppler-0.4.5/poppler/JBIG2Stream.cc 2006-02-15 11:06:06.000000000 +0100 @@ -683,7 +683,7 @@ h = hA; line = (wA + 7) >> 3; - if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) { + if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) { error(-1, "invalid width/height"); data = NULL; return; @@ -701,7 +701,7 @@ h = bitmap->h; line = bitmap->line; - if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) { + if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) { error(-1, "invalid width/height"); data = NULL; return; @@ -2268,6 +2268,14 @@ !readUWord(&stepX) || !readUWord(&stepY)) { goto eofError; } + if (w == 0 || h == 0 || w >= INT_MAX / h) { + error(getPos(), "Bad bitmap size in JBIG2 halftone segment"); + return; + } + if (gridH == 0 || gridW >= INT_MAX / gridH) { + error(getPos(), "Bad grid size in JBIG2 halftone segment"); + return; + } // get pattern dictionary if (nRefSegs != 1) { diff -urN poppler-0.4.5~/poppler/Stream.cc poppler-0.4.5/poppler/Stream.cc --- poppler-0.4.5~/poppler/Stream.cc 2006-01-10 19:53:54.000000000 +0100 +++ poppler-0.4.5/poppler/Stream.cc 2006-02-15 11:11:36.000000000 +0100 @@ -426,7 +426,8 @@ if (width <= 0 || nComps <= 0 || nBits <= 0 || nComps >= INT_MAX/nBits || - width >= INT_MAX/nComps/nBits) { + width >= INT_MAX/nComps/nBits || + nVals * nBits + 7 < 0) { return; } nVals = width * nComps; @@ -3078,6 +3079,7 @@ numACHuffTables = index+1; tbl = &acHuffTables[index]; } else { + index &= 0x0f; if (index >= numDCHuffTables) numDCHuffTables = index+1; tbl = &dcHuffTables[index]; diff -urN poppler-0.4.5~/poppler/Stream.h poppler-0.4.5/poppler/Stream.h --- poppler-0.4.5~/poppler/Stream.h 2005-12-12 21:41:14.000000000 +0100 +++ poppler-0.4.5/poppler/Stream.h 2006-02-15 11:07:28.000000000 +0100 @@ -532,7 +532,7 @@ short getWhiteCode(); short getBlackCode(); short lookBits(int n); - void eatBits(int n) { inputBits -= n; } + void eatBits(int n) { if ((inputBits -= n) < 0) inputBits = 0; } }; #ifndef ENABLE_LIBJPEG diff -urN poppler-0.4.5~/splash/SplashXPathScanner.cc poppler-0.4.5/splash/SplashXPathScanner.cc --- poppler-0.4.5~/splash/SplashXPathScanner.cc 2005-03-03 20:46:00.000000000 +0100 +++ poppler-0.4.5/splash/SplashXPathScanner.cc 2006-02-15 11:03:49.000000000 +0100 @@ -182,7 +182,7 @@ } void SplashXPathScanner::computeIntersections(int y) { - SplashCoord ySegMin, ySegMax, xx0, xx1; + SplashCoord xSegMin, xSegMax, ySegMin, ySegMax, xx0, xx1; SplashXPathSeg *seg; int i, j; @@ -232,19 +232,27 @@ } else if (seg->flags & splashXPathVert) { xx0 = xx1 = seg->x0; } else { - if (ySegMin <= y) { - // intersection with top edge - xx0 = seg->x0 + (y - seg->y0) * seg->dxdy; + if (seg->x0 < seg->x1) { + xSegMin = seg->x0; + xSegMax = seg->x1; } else { - // x coord of segment endpoint with min y coord - xx0 = (seg->flags & splashXPathFlip) ? seg->x1 : seg->x0; + xSegMin = seg->x1; + xSegMax = seg->x0; } - if (ySegMax >= y + 1) { - // intersection with bottom edge - xx1 = seg->x0 + (y + 1 - seg->y0) * seg->dxdy; - } else { - // x coord of segment endpoint with max y coord - xx1 = (seg->flags & splashXPathFlip) ? seg->x0 : seg->x1; + // intersection with top edge + xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy; + // intersection with bottom edge + xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy; + // the segment may not actually extend to the top and/or bottom edges + if (xx0 < xSegMin) { + xx0 = xSegMin; + } else if (xx0 > xSegMax) { + xx0 = xSegMax; + } + if (xx1 < xSegMin) { + xx1 = xSegMin; + } else if (xx1 > xSegMax) { + xx1 = xSegMax; } } if (xx0 < xx1) {