+--- xpdf/JBIG2Stream.cc.orig 2010-01-08 17:17:18.000000000 -0800
++++ xpdf/JBIG2Stream.cc 2010-01-21 15:28:26.000000000 -0800
+@@ -1514,11 +1514,14 @@
+ }
+
+ // compute symbol code length
+- symCodeLen = 1;
+- i = (numInputSyms + numNewSyms) >> 1;
+- while (i) {
+- ++symCodeLen;
+- i >>= 1;
++ symCodeLen = 0;
++ i = 1;
++ while (i < numInputSyms + numNewSyms) {
++ ++symCodeLen;
++ i <<= 1;
++ }
++ if (huff && symCodeLen == 0) {
++ symCodeLen = 1;
+ }
+
+ // get the input symbol bitmaps
+@@ -1921,6 +1924,9 @@
+ ++symCodeLen;
+ i <<= 1;
+ }
++ if (huff && symCodeLen == 0) {
++ symCodeLen = 1;
++ }
+
+ // get the symbol bitmaps
+ syms = (JBIG2Bitmap **)gmallocn(numSyms, sizeof(JBIG2Bitmap *));
+--- xpdf/SplashXPathScanner.cc.orig 2010-01-21 16:00:38.000000000 -0800
++++ xpdf/SplashXPathScanner.cc 2010-01-21 16:10:31.000000000 -0800
+@@ -394,10 +394,10 @@
+ *p++ &= mask;
+ xx = (xx & ~7) + 8;
+ }
+- for (; xx + 7 <= xx0; xx += 8) {
++ for (; xx + 7 < xx0; xx += 8) {
+ *p++ = 0x00;
+ }
+- if (xx <= xx0) {
++ if (xx < xx0) {
+ *p &= 0xff >> (xx0 & 7);
+ }
+ }
+@@ -417,10 +417,10 @@
+ *p++ &= mask;
+ xx = (xx & ~7) + 8;
+ }
+- for (; xx + 7 <= xx0; xx += 8) {
++ for (; xx + 7 < xx0; xx += 8) {
+ *p++ = 0x00;
+ }
+- if (xx <= xx0) {
++ if (xx < xx0) {
+ *p &= 0xff >> (xx0 & 7);
+ }
+ }
+--- xpdf/CharCodeToUnicode.cc.orig 2010-01-25 12:43:00.000000000 -0800
++++ xpdf/CharCodeToUnicode.cc 2010-01-28 14:14:53.000000000 -0800
+@@ -208,13 +208,13 @@
+ int nBits) {
+ PSTokenizer *pst;
+ char tok1[256], tok2[256], tok3[256];
+- int nDigits, n1, n2, n3;
++ int maxCode, n1, n2, n3;
+ CharCode i;
+ CharCode code1, code2;
+ GString *name;
+ FILE *f;
+
+- nDigits = nBits / 4;
++ maxCode = (nBits == 8) ? 0xff : (nBits == 16) ? 0xffff : 0xffffffff;
+ pst = new PSTokenizer(getCharFunc, data);
+ pst->getToken(tok1, sizeof(tok1), &n1);
+ while (pst->getToken(tok2, sizeof(tok2), &n2)) {
+@@ -241,9 +241,9 @@
+ error(-1, "Illegal entry in bfchar block in ToUnicode CMap");
+ break;
+ }
+- if (!(n1 == 2 + nDigits && tok1[0] == '<' && tok1[n1 - 1] == '>' &&
++ if (!(tok1[0] == '<' && tok1[n1 - 1] == '>' &&
+ tok2[0] == '<' && tok2[n2 - 1] == '>')) {
+- error(-1, "Illegal entry in bfchar block in ToUnicode CMap");
++ error(-1, "Illegal entry in bfchar block in ToUnicode CMap.");
+ continue;
+ }
+ tok1[n1 - 1] = tok2[n2 - 1] = '\0';
+@@ -251,6 +251,9 @@
+ error(-1, "Illegal entry in bfchar block in ToUnicode CMap");
+ continue;
+ }
++ if (code1 > maxCode) {
++ error(-1, "Invalid entry in bfchar block in ToUnicode CMap");
++ }
+ addMapping(code1, tok2 + 1, n2 - 2, 0);
+ }
+ pst->getToken(tok1, sizeof(tok1), &n1);
+@@ -266,8 +269,8 @@
+ error(-1, "Illegal entry in bfrange block in ToUnicode CMap");
+ break;
+ }
+- if (!(n1 == 2 + nDigits && tok1[0] == '<' && tok1[n1 - 1] == '>' &&
+- n2 == 2 + nDigits && tok2[0] == '<' && tok2[n2 - 1] == '>')) {
++ if (!(tok1[0] == '<' && tok1[n1 - 1] == '>' &&
++ tok2[0] == '<' && tok2[n2 - 1] == '>')) {
+ error(-1, "Illegal entry in bfrange block in ToUnicode CMap");
+ continue;
+ }
+@@ -277,6 +280,10 @@
+ error(-1, "Illegal entry in bfrange block in ToUnicode CMap");
+ continue;
+ }
++ if (code1 > maxCode || code2 > maxCode) {
++ error(-1, "Invalid entry in bfrange block in ToUnicode CMap");
++ }
++
+ if (!strcmp(tok3, "[")) {
+ i = 0;
+ while (pst->getToken(tok1, sizeof(tok1), &n1) &&
+--- xpdf/Decrypt.cc.orig 2010-01-28 14:19:51.000000000 -0800
++++ xpdf/Decrypt.cc 2010-02-02 16:04:53.000000000 -0800
+@@ -596,6 +596,7 @@
+ s->bufIdx = 0;
+ if (last) {
+ n = s->buf[15];
++ if(!n || n>16) n=16;
+ for (i = 15; i >= n; --i) {
+ s->buf[i] = s->buf[i-n];
+ }
+--- xpdf/Catalog.cc.orig 2010-02-02 16:17:24.000000000 -0800
++++ xpdf/Catalog.cc 2010-02-02 16:18:48.000000000 -0800
+@@ -193,7 +193,7 @@
+ if (!kids.isArray()) {
+ error(-1, "Kids object (page %d) is wrong type (%s)",
+ start+1, kids.getTypeName());
+- goto err1;
++ return start;
+ }
+ for (i = 0; i < kids.arrayGetLength(); ++i) {
+ kids.arrayGetNF(i, &kidRef);
+--- xpdf/SplashOutputDev.cc.orig 2010-03-25 14:06:37.000000000 -0700
++++ xpdf/SplashOutputDev.cc 2010-03-25 14:07:23.000000000 -0700
+@@ -13,6 +13,7 @@
+@@ -509,7 +510,14 @@
+ glyphY = glyphYA;
+ glyphW = glyphWA;
+ glyphH = glyphHA;
+- validBBox = validBBoxA;
++
++ if(glyphW<=0 || glyphH<=0 || (double)glyphH*(double)glyphW>536870912) {
++ glyphW = glyphH = 128;
++ validBBox = gFalse;
++ } else {
++ validBBox = validBBoxA;
++ }
++
+ if (aa) {
+ glyphSize = glyphW * glyphH;
+ } else {