diff -Nur poppler-0.4.2/poppler/JBIG2Stream.cc poppler-0.4.2.new/poppler/JBIG2Stream.cc
--- poppler-0.4.2/poppler/JBIG2Stream.cc 2006-04-12 08:34:15.000000000 +0000
+++ poppler-0.4.2.new/poppler/JBIG2Stream.cc 2006-04-12 08:35:22.000000000 +0000
@@ -683,7 +683,7 @@
 h = hA;
 line = (wA + 7) >> 3;
- if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
+ if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
 error(-1, "invalid width/height");
 data = NULL;
 return;
@@ -2269,6 +2269,15 @@
 goto eofError;
 }
+ if (w == 0 || h == 0 || w >= INT_MAX / h) {
+ error(getPos(), "Bad bitmap size in JBIG2 halftone segment");
+ return;
+ }
+ if (gridH == 0 || gridW >= INT_MAX / gridH) {
+ error(getPos(), "Bad grid size in JBIG2 halftone segment");
+ return;
+ }
+
 // get pattern dictionary
 if (nRefSegs != 1) {
 error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
diff -Nur poppler-0.4.2/poppler/Stream.h poppler-0.4.2.new/poppler/Stream.h
--- poppler-0.4.2/poppler/Stream.h 2006-04-12 08:34:15.000000000 +0000
+++ poppler-0.4.2.new/poppler/Stream.h 2006-04-12 08:34:37.000000000 +0000
@@ -532,7 +532,7 @@
 short getWhiteCode();
 short getBlackCode();
 short lookBits(int n);
- void eatBits(int n) { inputBits -= n; }
+ void eatBits(int n) { if ((inputBits -= n) < 0) inputBits = 0; }
 };
 #ifndef ENABLE_LIBJPEG
diff -Nur poppler-0.4.2/splash/SplashXPathScanner.cc poppler-0.4.2.new/splash/SplashXPathScanner.cc
--- poppler-0.4.2/splash/SplashXPathScanner.cc 2005-03-03 19:46:00.000000000 +0000
+++ poppler-0.4.2.new/splash/SplashXPathScanner.cc 2006-04-12 08:34:37.000000000 +0000
@@ -182,7 +182,7 @@
 }
 void SplashXPathScanner::computeIntersections(int y) {
- SplashCoord ySegMin, ySegMax, xx0, xx1;
+ SplashCoord xSegMin, xSegMax, ySegMin, ySegMax, xx0, xx1;
 SplashXPathSeg *seg;
 int i, j;
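Review bot: In the JBIG2Stream.cc hunk at line 683, `line = (wA + 7) >> 3` is still evaluated before the strengthened guard. If `wA` is a signed int, as the `h <= 0` test suggests, a value within 7 of INT_MAX overflows before `line <= 0` can reject it, and signed overflow is undefined behaviour rather than a guaranteed negative result. Validating the raw arguments ahead of the `line` computation would close this, e.g. `if (wA <= 0 || hA <= 0 || wA > INT_MAX - 7) { error(-1, "invalid width/height"); data = NULL; return; }`. The new condition also reads `w`, whose assignment is not visible in the hunk (presumably just above it). The function starts and ends outside the hunk, and since the failure path leaves `data` as NULL, a comment such as `// on invalid size data stays NULL; callers must check before touching the bitmap` would document the contract.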
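Review bot: In the JBIG2Stream.cc hunk at line 2269, the two added size checks are only correct if `w`, `h`, `gridW` and `gridH` are unsigned, and their declarations are outside the hunk. With signed types a negative value would pass the `== 0` test, and `INT_MAX / h` would no longer bound the product. A comment stating the assumption and the intent would help, e.g. `// w, h, gridW, gridH are unsigned; reject sizes whose product would not fit in an int`. The grid check is also asymmetric: `gridH == 0` is rejected but `gridW == 0` is accepted, so if an empty grid is not meaningful for the code that follows, `gridW == 0 ||` should be added to the second condition. The enclosing function starts and ends outside the hunk.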
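Review bot: In the Stream.h hunk, the new `eatBits` silently clamps `inputBits` to 0 when asked to consume more bits than are buffered, which hides a truncated or malformed stream from the decoder instead of reporting it. At minimum the clamp deserves a comment, e.g. `// never let the bit count go negative: a corrupt stream can ask for more bits than were read`. It is also worth considering whether the over-consumption should be surfaced to the caller as an error. The assignment inside the condition is harder to read than necessary; `inputBits -= n; if (inputBits < 0) inputBits = 0;` says the same thing. A negative `n` would still increase `inputBits`; whether callers can pass one is not visible here.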
@@ -232,19 +232,27 @@
 } else if (seg->flags & splashXPathVert) {
 xx0 = xx1 = seg->x0;
 } else {
- if (ySegMin <= y) {
- // intersection with top edge
- xx0 = seg->x0 + (y - seg->y0) * seg->dxdy;
+ if (seg->x0 < seg->x1) {
+ xSegMin = seg->x0;
+ xSegMax = seg->x1;
 } else {
- // x coord of segment endpoint with min y coord
- xx0 = (seg->flags & splashXPathFlip) ? seg->x1 : seg->x0;
+ xSegMin = seg->x1;
+ xSegMax = seg->x0;
 }
- if (ySegMax >= y + 1) {
- // intersection with bottom edge
- xx1 = seg->x0 + (y + 1 - seg->y0) * seg->dxdy;
- } else {
- // x coord of segment endpoint with max y coord
- xx1 = (seg->flags & splashXPathFlip) ? seg->x0 : seg->x1;
+ // intersection with top edge
+ xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy;
+ // intersection with bottom edge
+ xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy;
+ // the segment may not actually extend to the top and/or bottom edges
+ if (xx0 < xSegMin) {
+ xx0 = xSegMin;
+ } else if (xx0 > xSegMax) {
+ xx0 = xSegMax;
+ }
+ if (xx1 < xSegMin) {
+ xx1 = xSegMin;
+ } else if (xx1 > xSegMax) {
+ xx1 = xSegMax;
 }
 }
 if (xx0 < xx1) {
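Review bot: The new clamp in `computeIntersections` does not bound a NaN. If `SplashCoord` is a floating-point type (its definition is not visible here), a `dxdy` that produces NaN in the multiplication fails both `xx0 < xSegMin` and `xx0 > xSegMax`, so the value passes through unclamped to whatever consumes `xx0`/`xx1` after the hunk. Writing the lower test in negated form makes the clamp total: `if (!(xx0 >= xSegMin)) { xx0 = xSegMin; } else if (xx0 > xSegMax) { xx0 = xSegMax; }`, and likewise for `xx1`. The two clamp blocks are identical apart from the variable, so a small static helper would remove the duplication. The function starts and ends outside the hunk, so whether degenerate slopes are filtered by an earlier branch cannot be confirmed from here.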