++ } else {
++ delete codeTables;
++ return gFalse;
+ }
+ }
+ if (numInputSyms > UINT_MAX - numNewSyms) {
+@@ -1530,12 +1600,11 @@
+ k = 0;
+ inputSymbolDict = NULL;
+ for (i = 0; i < nRefSegs; ++i) {
+- if ((seg = findSegment(refSegs[i]))) {
+- if (seg->getType() == jbig2SegSymbolDict) {
+- inputSymbolDict = (JBIG2SymbolDict *)seg;
+- for (j = 0; j < inputSymbolDict->getSize(); ++j) {
+- bitmaps[k++] = inputSymbolDict->getBitmap(j);
+- }
++ seg = findSegment(refSegs[i]);
++ if (seg != NULL && seg->getType() == jbig2SegSymbolDict) {
++ inputSymbolDict = (JBIG2SymbolDict *)seg;
++ for (j = 0; j < inputSymbolDict->getSize(); ++j) {
++ bitmaps[k++] = inputSymbolDict->getBitmap(j);
+ }
+ }
+ }
+@@ -1753,6 +1822,10 @@
+
+ // create the symbol dict object
+ symbolDict = new JBIG2SymbolDict(segNum, numExSyms);
++ if (!symbolDict->isOk()) {
++ delete symbolDict;
++ goto syntaxError;
++ }
+
+ // exported symbol list
+ i = j = 0;
+@@ -1766,6 +1839,7 @@
+ if (i + run > numInputSyms + numNewSyms ||
+ (ex && j + run > numExSyms)) {
+ error(getPos(), "Too many exported symbols in JBIG2 symbol dictionary");
++ for ( ; j < numExSyms; ++j) symbolDict->setBitmap(j, NULL);
+ delete symbolDict;
+ goto syntaxError;
+ }
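Review bot: The added `for ( ; j < numExSyms; ++j) symbolDict->setBitmap(j, NULL);` line is clean-up that every error exit after the constructor has to remember, and it is repeated verbatim in the "Too few symbols" hunk at -1780. The need for it suggests the destructor frees whatever each slot holds, so a slot that was never written would be released as an arbitrary pointer; the destructor is outside this excerpt, so that is inferred. Setting every slot to NULL inside the `JBIG2SymbolDict` constructor would make any early `delete symbolDict` safe by construction and remove the per-exit loop. If the loop stays, a comment such as `// unset slots must be NULL before the destructor runs` would explain why it is there.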
+@@ -1780,6 +1854,7 @@
+ }
+ if (j != numExSyms) {
+ error(getPos(), "Too few symbols in JBIG2 symbol dictionary");
++ for ( ; j < numExSyms; ++j) symbolDict->setBitmap(j, NULL);
+ delete symbolDict;
+ goto syntaxError;
+ }
+@@ -2095,18 +2170,20 @@
+
+ gfree(syms);
+
+- // combine the region bitmap into the page bitmap
+- if (imm) {
+- if (pageH == 0xffffffff && y + h > curPageH) {
+- pageBitmap->expand(y + h, pageDefPixel);
+- }
+- pageBitmap->combine(bitmap, x, y, extCombOp);
+- delete bitmap;
++ if (bitmap) {
++ // combine the region bitmap into the page bitmap
++ if (imm) {
++ if (pageH == 0xffffffff && y + h > curPageH) {
++ pageBitmap->expand(y + h, pageDefPixel);
++ }
++ pageBitmap->combine(bitmap, x, y, extCombOp);
++ delete bitmap;
+
+- // store the region bitmap
+- } else {
+- bitmap->setSegNum(segNum);
+- segments->append(bitmap);
++ // store the region bitmap
++ } else {
++ bitmap->setSegNum(segNum);
++ segments->append(bitmap);
++ }
+ }
+
+ // clean up the Huffman decoder
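Review bot: When `bitmap` is NULL the new `if (bitmap) {` guard skips the region without calling `error()`, so a failed decode leaves no trace, unlike the other failure exits in this patch that report through `error(getPos(), ...)`. An `else` branch such as `error(getPos(), "Could not decode JBIG2 region bitmap");` would keep the failure visible to whoever triages a malformed file. The hunk at -2591 has the same silent exit in `if (!bitmap) return;`, which is also written without braces while the other added checks brace their bodies. The enclosing function starts and ends outside this hunk.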
+@@ -2159,6 +2236,10 @@
+
+ // allocate the bitmap
+ bitmap = new JBIG2Bitmap(0, w, h);
++ if (!bitmap->isOk()) {
++ delete bitmap;
++ return NULL;
++ }
+ if (defPixel) {
+ bitmap->clearToOne();
+ } else {
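Review bot: The early `return NULL` after `!bitmap->isOk()` gives this function a failure result that every call site now has to test before using the pointer. The same exit is added in the hunks at -2657 and -3143. The callers visible in this patch do check (`if (bitmap) {` at -2095, `if (!bitmap) return;` at -2591, `if (symbolBitmap) {` at -2235), but call sites outside the changed hunks are not visible here and are worth auditing for an unchecked dereference. A comment on each affected function, for example `// Returns NULL if the bitmap could not be allocated`, would record the contract. The function body starts before this hunk and continues after it.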
+@@ -2235,73 +2316,84 @@
+ ri = 0;
+ }
+ if (ri) {
++ GBool decodeSuccess;
+ if (huff) {
+- huffDecoder->decodeInt(&rdw, huffRDWTable);
+- huffDecoder->decodeInt(&rdh, huffRDHTable);
+- huffDecoder->decodeInt(&rdx, huffRDXTable);
+- huffDecoder->decodeInt(&rdy, huffRDYTable);
+- huffDecoder->decodeInt(&bmSize, huffRSizeTable);
++ decodeSuccess = huffDecoder->decodeInt(&rdw, huffRDWTable);
++ decodeSuccess = decodeSuccess && huffDecoder->decodeInt(&rdh, huffRDHTable);
++ decodeSuccess = decodeSuccess && huffDecoder->decodeInt(&rdx, huffRDXTable);
++ decodeSuccess = decodeSuccess && huffDecoder->decodeInt(&rdy, huffRDYTable);
++ decodeSuccess = decodeSuccess && huffDecoder->decodeInt(&bmSize, huffRSizeTable);
+ huffDecoder->reset();
+ arithDecoder->start();
+ } else {
+- arithDecoder->decodeInt(&rdw, iardwStats);
+- arithDecoder->decodeInt(&rdh, iardhStats);
+- arithDecoder->decodeInt(&rdx, iardxStats);
+- arithDecoder->decodeInt(&rdy, iardyStats);
++ decodeSuccess = arithDecoder->decodeInt(&rdw, iardwStats);
++ decodeSuccess = decodeSuccess && arithDecoder->decodeInt(&rdh, iardhStats);
++ decodeSuccess = decodeSuccess && arithDecoder->decodeInt(&rdx, iardxStats);
++ decodeSuccess = decodeSuccess && arithDecoder->decodeInt(&rdy, iardyStats);
++ }
++
++ if (decodeSuccess && syms[symID])
++ {
++ refDX = ((rdw >= 0) ? rdw : rdw - 1) / 2 + rdx;
++ refDY = ((rdh >= 0) ? rdh : rdh - 1) / 2 + rdy;
++
++ symbolBitmap =
++ readGenericRefinementRegion(rdw + syms[symID]->getWidth(),
++ rdh + syms[symID]->getHeight(),
++ templ, gFalse, syms[symID],
++ refDX, refDY, atx, aty);
+ }
+- refDX = ((rdw >= 0) ? rdw : rdw - 1) / 2 + rdx;
+- refDY = ((rdh >= 0) ? rdh : rdh - 1) / 2 + rdy;
+-
+- symbolBitmap =
+- readGenericRefinementRegion(rdw + syms[symID]->getWidth(),
+- rdh + syms[symID]->getHeight(),
+- templ, gFalse, syms[symID],
+- refDX, refDY, atx, aty);
+ //~ do we need to use the bmSize value here (in Huffman mode)?
+ } else {
+ symbolBitmap = syms[symID];
+ }
+
+- // combine the symbol bitmap into the region bitmap
+- //~ something is wrong here - refCorner shouldn't degenerate into
+- //~ two cases
+- bw = symbolBitmap->getWidth() - 1;
+- bh = symbolBitmap->getHeight() - 1;
+- if (transposed) {
+- switch (refCorner) {
+- case 0: // bottom left
+- bitmap->combine(symbolBitmap, tt, s, combOp);
+- break;
+- case 1: // top left
+- bitmap->combine(symbolBitmap, tt, s, combOp);
+- break;
+- case 2: // bottom right
+- bitmap->combine(symbolBitmap, tt - bw, s, combOp);
+- break;
+- case 3: // top right
+- bitmap->combine(symbolBitmap, tt - bw, s, combOp);
+- break;
++ if (symbolBitmap) {
++ // combine the symbol bitmap into the region bitmap
++ //~ something is wrong here - refCorner shouldn't degenerate into
++ //~ two cases
++ bw = symbolBitmap->getWidth() - 1;
++ bh = symbolBitmap->getHeight() - 1;
++ if (transposed) {
++ switch (refCorner) {
++ case 0: // bottom left
++ bitmap->combine(symbolBitmap, tt, s, combOp);
++ break;
++ case 1: // top left
++ bitmap->combine(symbolBitmap, tt, s, combOp);
++ break;
++ case 2: // bottom right
++ bitmap->combine(symbolBitmap, tt - bw, s, combOp);
++ break;
++ case 3: // top right
++ bitmap->combine(symbolBitmap, tt - bw, s, combOp);
++ break;
++ }
++ s += bh;
++ } else {
++ switch (refCorner) {
++ case 0: // bottom left
++ bitmap->combine(symbolBitmap, s, tt - bh, combOp);
++ break;
++ case 1: // top left
++ bitmap->combine(symbolBitmap, s, tt, combOp);
++ break;
++ case 2: // bottom right
++ bitmap->combine(symbolBitmap, s, tt - bh, combOp);
++ break;
++ case 3: // top right
++ bitmap->combine(symbolBitmap, s, tt, combOp);
++ break;
++ }
++ s += bw;
+ }
+- s += bh;
+- } else {
+- switch (refCorner) {
+- case 0: // bottom left
+- bitmap->combine(symbolBitmap, s, tt - bh, combOp);
+- break;
+- case 1: // top left
+- bitmap->combine(symbolBitmap, s, tt, combOp);
+- break;
+- case 2: // bottom right
+- bitmap->combine(symbolBitmap, s, tt - bh, combOp);
+- break;
+- case 3: // top right
+- bitmap->combine(symbolBitmap, s, tt, combOp);
+- break;
++ if (ri) {
++ delete symbolBitmap;
+ }
+- s += bw;
+- }
+- if (ri) {
+- delete symbolBitmap;
++ } else {
++ // NULL symbolBitmap only happens on error
++ delete bitmap;
++ return NULL;
+ }
+ }
+
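Review bot: In the `if (ri)` branch, `symbolBitmap` is assigned only when `decodeSuccess && syms[symID]` holds, so after a failed decode the later `if (symbolBitmap) {` test reads whatever the variable held before. Unless it is reset earlier in the loop body, outside this hunk, that can be the pointer left from the previous symbol, possibly one already released by `delete symbolBitmap`. The stale bitmap would then be combined and deleted a second time instead of reaching the `// NULL symbolBitmap only happens on error` exit. Clearing it at the top of the branch, `symbolBitmap = NULL;` directly after `GBool decodeSuccess;`, makes the error path deterministic. The enclosing loop and function extend beyond the hunk.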
+@@ -2431,11 +2523,12 @@
+ error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
+ return;
+ }
+- if (!(seg = findSegment(refSegs[0])) ||
+- seg->getType() != jbig2SegPatternDict) {
++ seg = findSegment(refSegs[0]);
++ if (seg == NULL || seg->getType() != jbig2SegPatternDict) {
+ error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
+ return;
+ }
++
+ patternDict = (JBIG2PatternDict *)seg;
+ bpp = 0;
+ i = 1;
+@@ -2591,6 +2684,8 @@
+ // read the bitmap
+ bitmap = readGenericBitmap(mmr, w, h, templ, tpgdOn, gFalse,
+ NULL, atx, aty, mmr ? length - 18 : 0);
++ if (!bitmap)
++ return;
+
+ // combine the region bitmap into the page bitmap
+ if (imm) {
+@@ -2616,7 +2711,7 @@
+ int *codingLine, int *a0i, int w) {
+ if (a1 > codingLine[*a0i]) {
+ if (a1 > w) {
+- error(getPos(), "JBIG2 MMR row is wrong length ({0:d})", a1);
++ error(getPos(), "JBIG2 MMR row is wrong length (%d)", a1);
+ a1 = w;
+ }
+ if ((*a0i & 1) ^ blackPixels) {
+@@ -2630,7 +2725,7 @@
+ int *codingLine, int *a0i, int w) {
+ if (a1 > codingLine[*a0i]) {
+ if (a1 > w) {
+- error(getPos(), "JBIG2 MMR row is wrong length ({0:d})", a1);
++ error(getPos(), "JBIG2 MMR row is wrong length (%d)", a1);
+ a1 = w;
+ }
+ if ((*a0i & 1) ^ blackPixels) {
+@@ -2657,13 +2752,17 @@
+ JBIG2Bitmap *bitmap;
+ GBool ltp;
+ Guint ltpCX, cx, cx0, cx1, cx2;
+- JBIG2BitmapPtr cxPtr0, cxPtr1;
+- JBIG2BitmapPtr atPtr0, atPtr1, atPtr2, atPtr3;
++ JBIG2BitmapPtr cxPtr0 = {0}, cxPtr1 = {0};
++ JBIG2BitmapPtr atPtr0 = {0}, atPtr1 = {0}, atPtr2 = {0}, atPtr3 = {0};
+ int *refLine, *codingLine;
+ int code1, code2, code3;
+ int x, y, a0i, b1i, blackPixels, pix, i;
+
+ bitmap = new JBIG2Bitmap(0, w, h);
++ if (!bitmap->isOk()) {
++ delete bitmap;
++ return NULL;
++ }
+ bitmap->clearToZero();
+
+ //----- MMR decode
+@@ -2682,7 +2781,7 @@
+ // ---> max refLine size = w + 2
+ codingLine = (int *)gmallocn(w + 1, sizeof(int));
+ refLine = (int *)gmallocn(w + 2, sizeof(int));
+- codingLine[0] = w;
++ for (i = 0; i < w + 1; ++i) codingLine[i] = w;
+
+ for (y = 0; y < h; ++y) {
+
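Review bot: The new fill loop `for (i = 0; i < w + 1; ++i) codingLine[i] = w;` has no comment saying why every slot, rather than only slot 0, must hold `w`. The row-decoding code that reads the array is outside the hunk, so the reason cannot be recovered from here. If the intent is a sentinel that stops scans inside the buffer, a comment such as `// pre-fill with w so any scan of codingLine stops within the allocation` would record it. `refLine`, allocated on the line above, is still left uninitialised at this point, so it is worth confirming that it is fully written before its first read. The loop bound also relies on `w + 1` not overflowing, which appears to be guaranteed only indirectly by the `isOk()` check added in the hunk at -2657.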
+@@ -3093,8 +3192,8 @@
+ return;
+ }
+ if (nRefSegs == 1) {
+- if (!(seg = findSegment(refSegs[0])) ||
+- seg->getType() != jbig2SegBitmap) {
++ seg = findSegment(refSegs[0]);
++ if (seg == NULL || seg->getType() != jbig2SegBitmap) {
+ error(getPos(), "Bad bitmap reference in JBIG2 generic refinement segment");
+ return;
+ }
+@@ -3143,11 +3242,24 @@
+ JBIG2Bitmap *bitmap;
+ GBool ltp;
+ Guint ltpCX, cx, cx0, cx2, cx3, cx4, tpgrCX0, tpgrCX1, tpgrCX2;
+- JBIG2BitmapPtr cxPtr0, cxPtr1, cxPtr2, cxPtr3, cxPtr4, cxPtr5, cxPtr6;
+- JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2;
++ JBIG2BitmapPtr cxPtr0 = {0};
++ JBIG2BitmapPtr cxPtr1 = {0};
++ JBIG2BitmapPtr cxPtr2 = {0};
++ JBIG2BitmapPtr cxPtr3 = {0};
++ JBIG2BitmapPtr cxPtr4 = {0};
++ JBIG2BitmapPtr cxPtr5 = {0};
++ JBIG2BitmapPtr cxPtr6 = {0};
++ JBIG2BitmapPtr tpgrCXPtr0 = {0};
++ JBIG2BitmapPtr tpgrCXPtr1 = {0};
++ JBIG2BitmapPtr tpgrCXPtr2 = {0};
+ int x, y, pix;
+
+ bitmap = new JBIG2Bitmap(0, w, h);
++ if (!bitmap->isOk())
++ {
++ delete bitmap;
++ return NULL;
++ }
+ bitmap->clearToZero();
+
+ // set up the typical row context
+@@ -3332,6 +3444,12 @@
+ }
+ pageBitmap = new JBIG2Bitmap(0, pageW, curPageH);
+
++ if (!pageBitmap->isOk()) {
++ delete pageBitmap;
++ pageBitmap = NULL;
++ return;
++ }
++
+ // default pixel value
+ if (pageDefPixel) {
+ pageBitmap->clearToOne();
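Review bot: After the new failure exit sets `pageBitmap = NULL` and returns, later code still dereferences `pageBitmap` without a NULL test, for example `pageBitmap->expand(y + h, pageDefPixel);` and `pageBitmap->combine(bitmap, x, y, extCombOp);` in the hunk at -2095. Whether segment processing stops after this failure is not visible in the excerpt; if it continues, an immediate region segment would reach those calls with a NULL page bitmap. The immediate-combine paths should test `pageBitmap` first and delete the region bitmap when it is NULL, or this exit should set a state that makes the segment loop stop. An `error(getPos(), ...)` call before the `return` would also make the allocation failure visible.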