// End a page.
virtual void endPage();
---- SplashOutputDev.cc 2006-11-12 12:07:06.000000000 +0100
-+++ SplashOutputDev.cc 2006-11-12 12:09:36.000000000 +0100
-@@ -696,7 +696,7 @@
- nT3Fonts = 0;
- }
-
--void SplashOutputDev::startPage(int pageNum, GfxState *state) {
-+void SplashOutputDev::startPage(int pageNum, GfxState *state, double x1,double y1,double x2,double y2) {
- int w, h;
- double *ctm;
- SplashCoord mat[6];
--- TextOutputDev.cc 2006-11-12 12:22:53.000000000 +0100
+++ TextOutputDev.cc 2006-11-12 12:25:03.000000000 +0100
@@ -3805,7 +3805,7 @@
#include <math.h>
#include "gfile.h"
#include "GlobalParams.h"
+@@ -702,7 +703,7 @@
+ nT3Fonts = 0;
+ }
+
+-void SplashOutputDev::startPage(int pageNum, GfxState *state) {
++void SplashOutputDev::startPage(int pageNum, GfxState *state, double x1,double y1,double x2,double y2) {
+ int w, h;
+ double *ctm;
+ SplashCoord mat[6];
+@@ -2646,9 +2647,9 @@
+
+ softMask = new SplashBitmap(bitmap->getWidth(), bitmap->getHeight(),
+ 1, splashModeMono8, gFalse);
+- memset(softMask->getDataPtr(), 0,
+- softMask->getRowSize() * softMask->getHeight());
++ memset(softMask->getDataPtr(), 0x00, softMask->getRowSize()*softMask->getHeight());
+ p = softMask->getDataPtr() + ty * softMask->getRowSize() + tx;
++ if (tx<softMask->getWidth() && ty<softMask->getHeight())
+ for (y = 0; y < tBitmap->getHeight(); ++y) {
+ for (x = 0; x < tBitmap->getWidth(); ++x) {
+ tBitmap->getPixel(x, y, color);
--- SplashFontFile.cc 2007-09-09 12:33:00.000000000 +0200
+++ SplashFontFile.cc 2007-09-09 12:33:07.000000000 +0200
@@ -11,9 +11,7 @@
// get the symbol bitmaps
syms = (JBIG2Bitmap **)gmallocn(numSyms, sizeof(JBIG2Bitmap *));
+--- xpdf/SplashXPathScanner.cc.orig 2010-01-21 16:00:38.000000000 -0800
++++ xpdf/SplashXPathScanner.cc 2010-01-21 16:10:31.000000000 -0800
+@@ -394,10 +394,10 @@
+ *p++ &= mask;
+ xx = (xx & ~7) + 8;
+ }
+- for (; xx + 7 <= xx0; xx += 8) {
++ for (; xx + 7 < xx0; xx += 8) {
+ *p++ = 0x00;
+ }
+- if (xx <= xx0) {
++ if (xx < xx0) {
+ *p &= 0xff >> (xx0 & 7);
+ }
+ }
+@@ -417,10 +417,10 @@
+ *p++ &= mask;
+ xx = (xx & ~7) + 8;
+ }
+- for (; xx + 7 <= xx0; xx += 8) {
++ for (; xx + 7 < xx0; xx += 8) {
+ *p++ = 0x00;
+ }
+- if (xx <= xx0) {
++ if (xx < xx0) {
+ *p &= 0xff >> (xx0 & 7);
+ }
+ }
+--- xpdf/CharCodeToUnicode.cc.orig 2010-01-25 12:43:00.000000000 -0800
++++ xpdf/CharCodeToUnicode.cc 2010-01-28 14:14:53.000000000 -0800
+@@ -208,13 +208,13 @@
+ int nBits) {
+ PSTokenizer *pst;
+ char tok1[256], tok2[256], tok3[256];
+- int nDigits, n1, n2, n3;
++ int maxCode, n1, n2, n3;
+ CharCode i;
+ CharCode code1, code2;
+ GString *name;
+ FILE *f;
+
+- nDigits = nBits / 4;
++ maxCode = (nBits == 8) ? 0xff : (nBits == 16) ? 0xffff : 0xffffffff;
+ pst = new PSTokenizer(getCharFunc, data);
+ pst->getToken(tok1, sizeof(tok1), &n1);
+ while (pst->getToken(tok2, sizeof(tok2), &n2)) {
+@@ -241,9 +241,9 @@
+ error(-1, "Illegal entry in bfchar block in ToUnicode CMap");
+ break;
+ }
+- if (!(n1 == 2 + nDigits && tok1[0] == '<' && tok1[n1 - 1] == '>' &&
++ if (!(tok1[0] == '<' && tok1[n1 - 1] == '>' &&
+ tok2[0] == '<' && tok2[n2 - 1] == '>')) {
+- error(-1, "Illegal entry in bfchar block in ToUnicode CMap");
++ error(-1, "Illegal entry in bfchar block in ToUnicode CMap.");
+ continue;
+ }
+ tok1[n1 - 1] = tok2[n2 - 1] = '\0';
+@@ -251,6 +251,9 @@
+ error(-1, "Illegal entry in bfchar block in ToUnicode CMap");
+ continue;
+ }
++ if (code1 > maxCode) {
++ error(-1, "Invalid entry in bfchar block in ToUnicode CMap");
++ }
+ addMapping(code1, tok2 + 1, n2 - 2, 0);
+ }
+ pst->getToken(tok1, sizeof(tok1), &n1);
+@@ -266,8 +269,8 @@
+ error(-1, "Illegal entry in bfrange block in ToUnicode CMap");
+ break;
+ }
+- if (!(n1 == 2 + nDigits && tok1[0] == '<' && tok1[n1 - 1] == '>' &&
+- n2 == 2 + nDigits && tok2[0] == '<' && tok2[n2 - 1] == '>')) {
++ if (!(tok1[0] == '<' && tok1[n1 - 1] == '>' &&
++ tok2[0] == '<' && tok2[n2 - 1] == '>')) {
+ error(-1, "Illegal entry in bfrange block in ToUnicode CMap");
+ continue;
+ }
+@@ -277,6 +280,10 @@
+ error(-1, "Illegal entry in bfrange block in ToUnicode CMap");
+ continue;
+ }
++ if (code1 > maxCode || code2 > maxCode) {
++ error(-1, "Invalid entry in bfrange block in ToUnicode CMap");
++ }
++
+ if (!strcmp(tok3, "[")) {
+ i = 0;
+ while (pst->getToken(tok1, sizeof(tok1), &n1) &&
+--- xpdf/Decrypt.cc.orig 2010-01-28 14:19:51.000000000 -0800
++++ xpdf/Decrypt.cc 2010-02-02 16:04:53.000000000 -0800
+@@ -596,6 +596,7 @@
+ s->bufIdx = 0;
+ if (last) {
+ n = s->buf[15];
++ if(!n || n>16) n=16;
+ for (i = 15; i >= n; --i) {
+ s->buf[i] = s->buf[i-n];
+ }
+--- xpdf/Catalog.cc.orig 2010-02-02 16:17:24.000000000 -0800
++++ xpdf/Catalog.cc 2010-02-02 16:18:48.000000000 -0800
+@@ -193,7 +193,7 @@
+ if (!kids.isArray()) {
+ error(-1, "Kids object (page %d) is wrong type (%s)",
+ start+1, kids.getTypeName());
+- goto err1;
++ return start;
+ }
+ for (i = 0; i < kids.arrayGetLength(); ++i) {
+ kids.arrayGetNF(i, &kidRef);
+--- xpdf/SplashOutputDev.cc.orig 2010-03-25 14:06:37.000000000 -0700
++++ xpdf/SplashOutputDev.cc 2010-03-25 14:07:23.000000000 -0700
+@@ -13,6 +13,7 @@
+@@ -509,7 +510,14 @@
+ glyphY = glyphYA;
+ glyphW = glyphWA;
+ glyphH = glyphHA;
+- validBBox = validBBoxA;
++
++ if(glyphW<=0 || glyphH<=0 || (double)glyphH*(double)glyphW>536870912) {
++ glyphW = glyphH = 128;
++ validBBox = gFalse;
++ } else {
++ validBBox = validBBoxA;
++ }
++
+ if (aa) {
+ glyphSize = glyphW * glyphH;
+ } else {