+--- xpdf/Gfx.cc.orig 2009-03-08 17:10:40.000000000 +0100
++++ xpdf/Gfx.cc 2009-03-08 17:18:23.000000000 +0100
+@@ -3188,8 +3188,11 @@
+ u, (int)(sizeof(u) / sizeof(Unicode)), &uLen,
+ &dx, &dy, &originX, &originY);
+ dx = dx * state->getFontSize() + state->getCharSpace();
+- if (n == 1 && *p == ' ') {
+- dx += state->getWordSpace();
++ if (n == 1 && (*p == ' ' || *p == 0)) {
++ double w=state->getWordSpace();
++ if (w==0 && dx==0)
++ w=state->getFontSize()/3; // workaround for zero word space
++ dx += w;
+ }
+ dx *= state->getHorizScaling();
+ dy *= state->getFontSize();
+@@ -3824,6 +3833,7 @@
+ out->beginTransparencyGroup(state, bbox, blendingColorSpace,
+ isolated, knockout, softMask);
+ }
++ GfxState*old_state = state;
+
+ // set new base matrix
+ for (i = 0; i < 6; ++i) {
+@@ -3835,6 +3845,9 @@
+ display(str, gFalse);
+
+ if (softMask || transpGroup) {
++ // restore graphics state
++ while(state != old_state)
++ restoreState();
+ out->endTransparencyGroup(state);
+ }
+
+--- TextOutputDev.h.orig 2009-10-07 17:00:29.000000000 -0700
++++ TextOutputDev.h 2009-10-07 17:01:50.000000000 -0700
+@@ -170,6 +170,7 @@
+ friend class TextFlow;
+ friend class TextWordList;
+ friend class TextPage;
++ friend class XMLOutputDev;
+ };
+
+ //------------------------------------------------------------------------
+@@ -578,7 +579,7 @@
+ //----- initialization and control
+
+ // Start a page.
+- virtual void startPage(int pageNum, GfxState *state);
++ virtual void startPage(int pageNum, GfxState *state, double x1,double y1,double x2,double y2);
+
+ // End a page.
+ virtual void endPage();
+--- xpdf/JBIG2Stream.cc.orig 2010-01-08 17:17:18.000000000 -0800
++++ xpdf/JBIG2Stream.cc 2010-01-21 15:28:26.000000000 -0800
+@@ -1514,11 +1514,14 @@
+ }
+
+ // compute symbol code length
+- symCodeLen = 1;
+- i = (numInputSyms + numNewSyms) >> 1;
+- while (i) {
+- ++symCodeLen;
+- i >>= 1;
++ symCodeLen = 0;
++ i = 1;
++ while (i < numInputSyms + numNewSyms) {
++ ++symCodeLen;
++ i <<= 1;
++ }
++ if (huff && symCodeLen == 0) {
++ symCodeLen = 1;
+ }
+
+ // get the input symbol bitmaps
+@@ -1921,6 +1924,9 @@
+ ++symCodeLen;
+ i <<= 1;
+ }
++ if (huff && symCodeLen == 0) {
++ symCodeLen = 1;
++ }
+
+ // get the symbol bitmaps
+ syms = (JBIG2Bitmap **)gmallocn(numSyms, sizeof(JBIG2Bitmap *));
+--- xpdf/SplashXPathScanner.cc.orig 2010-01-21 16:00:38.000000000 -0800
++++ xpdf/SplashXPathScanner.cc 2010-01-21 16:10:31.000000000 -0800
+@@ -394,10 +394,10 @@
+ *p++ &= mask;
+ xx = (xx & ~7) + 8;
+ }
+- for (; xx + 7 <= xx0; xx += 8) {
++ for (; xx + 7 < xx0; xx += 8) {
+ *p++ = 0x00;
+ }
+- if (xx <= xx0) {
++ if (xx < xx0) {
+ *p &= 0xff >> (xx0 & 7);
+ }
+ }
+@@ -417,10 +417,10 @@
+ *p++ &= mask;
+ xx = (xx & ~7) + 8;
+ }
+- for (; xx + 7 <= xx0; xx += 8) {
++ for (; xx + 7 < xx0; xx += 8) {
+ *p++ = 0x00;
+ }
+- if (xx <= xx0) {
++ if (xx < xx0) {
+ *p &= 0xff >> (xx0 & 7);
+ }
+ }
+--- xpdf/CharCodeToUnicode.cc.orig 2010-01-25 12:43:00.000000000 -0800
++++ xpdf/CharCodeToUnicode.cc 2010-01-28 14:14:53.000000000 -0800
+@@ -208,13 +208,13 @@
+ int nBits) {
+ PSTokenizer *pst;
+ char tok1[256], tok2[256], tok3[256];
+- int nDigits, n1, n2, n3;
++ int maxCode, n1, n2, n3;
+ CharCode i;
+ CharCode code1, code2;
+ GString *name;
+ FILE *f;
+
+- nDigits = nBits / 4;
++ maxCode = (nBits == 8) ? 0xff : (nBits == 16) ? 0xffff : 0xffffffff;
+ pst = new PSTokenizer(getCharFunc, data);
+ pst->getToken(tok1, sizeof(tok1), &n1);
+ while (pst->getToken(tok2, sizeof(tok2), &n2)) {
+@@ -241,9 +241,9 @@
+ error(-1, "Illegal entry in bfchar block in ToUnicode CMap");
+ break;
+ }
+- if (!(n1 == 2 + nDigits && tok1[0] == '<' && tok1[n1 - 1] == '>' &&
++ if (!(tok1[0] == '<' && tok1[n1 - 1] == '>' &&
+ tok2[0] == '<' && tok2[n2 - 1] == '>')) {
+- error(-1, "Illegal entry in bfchar block in ToUnicode CMap");
++ error(-1, "Illegal entry in bfchar block in ToUnicode CMap.");
+ continue;
+ }
+ tok1[n1 - 1] = tok2[n2 - 1] = '\0';
+@@ -251,6 +251,9 @@
+ error(-1, "Illegal entry in bfchar block in ToUnicode CMap");
+ continue;
+ }
++ if (code1 > maxCode) {
++ error(-1, "Invalid entry in bfchar block in ToUnicode CMap");
++ }
+ addMapping(code1, tok2 + 1, n2 - 2, 0);
+ }
+ pst->getToken(tok1, sizeof(tok1), &n1);
+@@ -266,8 +269,8 @@
+ error(-1, "Illegal entry in bfrange block in ToUnicode CMap");
+ break;
+ }
+- if (!(n1 == 2 + nDigits && tok1[0] == '<' && tok1[n1 - 1] == '>' &&
+- n2 == 2 + nDigits && tok2[0] == '<' && tok2[n2 - 1] == '>')) {
++ if (!(tok1[0] == '<' && tok1[n1 - 1] == '>' &&
++ tok2[0] == '<' && tok2[n2 - 1] == '>')) {
+ error(-1, "Illegal entry in bfrange block in ToUnicode CMap");
+ continue;
+ }
+@@ -277,6 +280,10 @@
+ error(-1, "Illegal entry in bfrange block in ToUnicode CMap");
+ continue;
+ }
++ if (code1 > maxCode || code2 > maxCode) {
++ error(-1, "Invalid entry in bfrange block in ToUnicode CMap");
++ }
++
+ if (!strcmp(tok3, "[")) {
+ i = 0;
+ while (pst->getToken(tok1, sizeof(tok1), &n1) &&
+--- xpdf/Decrypt.cc.orig 2010-01-28 14:19:51.000000000 -0800
++++ xpdf/Decrypt.cc 2010-02-02 16:04:53.000000000 -0800
+@@ -596,6 +596,7 @@
+ s->bufIdx = 0;
+ if (last) {
+ n = s->buf[15];
++ if(!n || n>16) n=16;
+ for (i = 15; i >= n; --i) {
+ s->buf[i] = s->buf[i-n];
+ }
+--- xpdf/Catalog.cc.orig 2010-02-02 16:17:24.000000000 -0800
++++ xpdf/Catalog.cc 2010-02-02 16:18:48.000000000 -0800
+@@ -193,7 +193,7 @@
+ if (!kids.isArray()) {
+ error(-1, "Kids object (page %d) is wrong type (%s)",
+ start+1, kids.getTypeName());
+- goto err1;
++ return start;
+ }
+ for (i = 0; i < kids.arrayGetLength(); ++i) {
+ kids.arrayGetNF(i, &kidRef);
+--- xpdf/SplashOutputDev.cc.orig 2010-03-25 14:06:37.000000000 -0700
++++ xpdf/SplashOutputDev.cc 2010-03-25 14:07:23.000000000 -0700
+@@ -13,6 +13,7 @@
+@@ -509,7 +510,14 @@
+ glyphY = glyphYA;
+ glyphW = glyphWA;
+ glyphH = glyphHA;
+- validBBox = validBBoxA;
++
++ if(glyphW<=0 || glyphH<=0 || (double)glyphH*(double)glyphW>536870912) {
++ glyphW = glyphH = 128;
++ validBBox = gFalse;
++ } else {
++ validBBox = validBBoxA;
++ }
++
+ if (aa) {
+ glyphSize = glyphW * glyphH;
+ } else {