1 diff -u -p -Nr --exclude CVS gpdf-2.8.2.orig/goo/gmem.c gpdf-2.8.2/goo/gmem.c
2 --- goo/gmem.c 2003-04-01 21:47:07.000000000 +0200
3 +++ goo/gmem.c 2006-02-14 09:07:50.000000000 +0100
12 @@ -62,7 +63,7 @@ void *gmalloc(int size) {
14 unsigned long *trl, *p;
19 size1 = gMemDataSize(size);
20 if (!(mem = (char *)malloc(size1 + gMemHdrSize + gMemTrlSize))) {
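Review bot: The size passed to `malloc(size1 + gMemHdrSize + gMemTrlSize)` is a sum derived from the caller's `int size`, and no visible line in this hunk bounds it from above, so a very large request could wrap before it reaches malloc. The changed line of this hunk is not shown on this page, so the commit may already cover this. If it only rejects zero or negative sizes, I would add an upper bound before `size1 = gMemDataSize(size);`, for example `if (size > INT_MAX - gMemHdrSize - gMemTrlSize - 8) { fprintf(stderr, "Out of memory\n"); exit(1); }`. The 8 is a constructed allowance for rounding and should be matched to what gMemDataSize actually does. gmalloc's body begins and ends outside the visible lines, so the types of `size1` and the header and trailer constants are assumed to be int-sized.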
21 @@ -84,7 +85,7 @@ void *gmalloc(int size) {
28 if (!(p = malloc(size))) {
29 fprintf(stderr, "Out of memory\n");
30 @@ -100,7 +101,7 @@ void *grealloc(void *p, int size) {
39 @@ -118,7 +119,7 @@ void *grealloc(void *p, int size) {
48 diff -u -p -Nr --exclude CVS gpdf-2.8.2.orig/splash/SplashXPathScanner.cc gpdf-2.8.2/splash/SplashXPathScanner.cc
49 --- splash/SplashXPathScanner.cc 2004-05-17 20:10:56.000000000 +0200
50 +++ splash/SplashXPathScanner.cc 2006-02-14 08:58:47.000000000 +0100
51 @@ -182,7 +182,7 @@ GBool SplashXPathScanner::getNextSpan(in
54 void SplashXPathScanner::computeIntersections(int y) {
55 - SplashCoord ySegMin, ySegMax, xx0, xx1;
56 + SplashCoord xSegMin, xSegMax, ySegMin, ySegMax, xx0, xx1;
60 @@ -232,19 +232,27 @@ void SplashXPathScanner::computeIntersec
61 } else if (seg->flags & splashXPathVert) {
65 - // intersection with top edge
66 - xx0 = seg->x0 + (y - seg->y0) * seg->dxdy;
67 + if (seg->x0 < seg->x1) {
71 - // x coord of segment endpoint with min y coord
72 - xx0 = (seg->flags & splashXPathFlip) ? seg->x1 : seg->x0;
76 - if (ySegMax >= y + 1) {
77 - // intersection with bottom edge
78 - xx1 = seg->x0 + (y + 1 - seg->y0) * seg->dxdy;
80 - // x coord of segment endpoint with max y coord
81 - xx1 = (seg->flags & splashXPathFlip) ? seg->x0 : seg->x1;
82 + // intersection with top edge
83 + xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy;
84 + // intersection with bottom edge
85 + xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy;
86 + // the segment may not actually extend to the top and/or bottom edges
87 + if (xx0 < xSegMin) {
89 + } else if (xx0 > xSegMax) {
92 + if (xx1 < xSegMin) {
94 + } else if (xx1 > xSegMax) {
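Review bot: The new clamp (`if (xx0 < xSegMin) … else if (xx0 > xSegMax)`, and the same pair for `xx1`) lets a NaN through unchanged, because both comparisons are false for NaN. If SplashCoord is a floating-point type and `seg->dxdy` can be non-finite for a degenerate segment, the unclamped value would still reach whatever converts xx0/xx1 to pixel indices further down. Neither is visible in this hunk. Writing the lower test in the negated form, `if (!(xx0 >= xSegMin)) { xx0 = xSegMin; } else if (xx0 > xSegMax) { xx0 = xSegMax; }`, makes the clamp total. I would also add a comment above it: `// clamp to the segment's own x range so extrapolation via dxdy can never yield a coordinate outside the path bounds`. The assignments to xSegMin/xSegMax and the rest of computeIntersections lie outside the lines shown.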
99 diff -u -p -Nr --exclude CVS gpdf-2.8.2.orig/xpdf/JBIG2Stream.cc gpdf-2.8.2/xpdf/JBIG2Stream.cc
100 --- xpdf/JBIG2Stream.cc 2006-02-14 08:53:37.000000000 +0100
101 +++ xpdf/JBIG2Stream.cc 2006-02-14 09:16:42.000000000 +0100
102 @@ -683,7 +683,7 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA,
104 line = (wA + 7) >> 3;
106 - if (h < 0 || line <= 0 || h >= (INT_MAX-1) / line)
107 + if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line)
110 // need to allocate one extra guard byte for use in combine()
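Review bot: `line = (wA + 7) >> 3;` is evaluated before the tightened check, so for a width within 7 of INT_MAX the addition has already overflowed when `line <= 0` is tested. Assuming `wA` is a signed int (the parameter list is cut off in the hunk header), that is undefined behaviour, and the guard only works if the wrap happens to produce a non-positive value. I would validate the width before deriving `line`, e.g. `if (wA <= 0 || wA > INT_MAX - 7) { /* same failure path as below */ }`. A short comment on the check would also help: `// h * line + 1 bytes are allocated; reject sizes whose product would overflow int`. The failure branch and the allocation itself are outside the visible lines.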
111 @@ -2262,6 +2262,15 @@ void JBIG2Stream::readHalftoneRegionSeg(
115 + if (w == 0 || h == 0 || w >= INT_MAX / h) {
116 + error(getPos(), "Bad bitmap size in JBIG2 halftone segment");
119 + if (gridH == 0 || gridW >= INT_MAX / gridH) {
120 + error(getPos(), "Bad grid size in JBIG2 halftone segment");
124 // get pattern dictionary
126 error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
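Review bot: The grid check `if (gridH == 0 || gridW >= INT_MAX / gridH)` does not reject `gridW == 0`, although the bitmap check just above rejects both `w == 0` and `h == 0`. A zero-width grid would therefore proceed with a zero-element product. For symmetry, and to keep a zero-sized allocation out of the later code, I would write `if (gridW == 0 || gridH == 0 || gridW >= INT_MAX / gridH) {`. Both checks bound only the element count. If the buffer allocated later in readHalftoneRegionSeg scales that count by an element size (not visible in this hunk), the bound should be divided by that size as well. A comment stating which allocation each check protects would make that reviewable.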
127 diff -u -p -Nr --exclude CVS gpdf-2.8.2.orig/xpdf/Stream.h gpdf-2.8.2/xpdf/Stream.h
128 --- xpdf/Stream.h 2006-02-14 08:53:37.000000000 +0100
129 +++ xpdf/Stream.h 2006-02-14 09:26:48.000000000 +0100
130 @@ -534,7 +534,7 @@ private:
131 short getWhiteCode();
132 short getBlackCode();
133 short lookBits(int n);
134 - void eatBits(int n) { inputBits -= n; }
135 + void eatBits(int n) { if ((inputBits -= n) < 0) inputBits = 0; }
138 //------------------------------------------------------------------------
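Review bot: The new `eatBits` clamps `inputBits` to zero silently, so a decoder that consumes more bits than were buffered continues on malformed input with no error signalled to the caller. The clamp does stop the counter going negative, but the line gives no reason for it, and the assignment inside the condition is easy to misread. I would split it and document it: `void eatBits(int n) { inputBits -= n; if (inputBits < 0) inputBits = 0; }`, preceded by `// corrupt data can request more bits than are buffered; never let inputBits go negative`. A negative `n` would still increase `inputBits`. If callers can derive `n` from stream data, a check on `n` belongs here too, though the call sites are not visible on this page.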