From 4e68bf998f886cab8a45fa315164d8ba7aa0dee4 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Tue, 20 Jun 2017 23:43:23 +0200
Subject: Fix crash on broken documents

Fixes bug #101524
---
 poppler/JBIG2Stream.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'poppler/JBIG2Stream.cc')

diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index d26ba02b..067fb7f0 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -15,7 +15,7 @@
 //
 // Copyright (C) 2006 Raj Kumar <rkumar@archive.org>
 // Copyright (C) 2006 Paul Walmsley <paul@booyaka.com>
-// Copyright (C) 2006-2010, 2012, 2014-2016 Albert Astals Cid <aacid@kde.org>
+// Copyright (C) 2006-2010, 2012, 2014-2017 Albert Astals Cid <aacid@kde.org>
 // Copyright (C) 2009 David Benjamin <davidben@mit.edu>
 // Copyright (C) 2011 Edward Jiang <ejiang@google.com>
 // Copyright (C) 2012 William Bader <williambader@hotmail.com>
@@ -1304,7 +1304,7 @@ Goffset JBIG2Stream::getPos() {
 int JBIG2Stream::getChars(int nChars, Guchar *buffer) {
   int n, i;
 
-  if (nChars <= 0) {
+  if (nChars <= 0 || !dataPtr) {
     return 0;
   }
   if (dataEnd - dataPtr < nChars) {
-- 
cgit v1.2.3


From 112b8ab16128c6e7f80fe7c1890f7b63abd85cce Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Tue, 20 Jun 2017 23:51:16 +0200
Subject: Fix crash in broken documents

Fixes bug #101525
---
 poppler/JBIG2Stream.cc | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'poppler/JBIG2Stream.cc')

diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index 067fb7f0..48535883 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -760,6 +760,10 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint x, Guint y, Guint wA, Guint hA) {
   JBIG2Bitmap *slice;
   Guint xx, yy;
 
+  if (!data) {
+      return nullptr;
+  }
+
   slice = new JBIG2Bitmap(0, wA, hA);
   if (slice->isOk()) {
     slice->clearToZero();
@@ -3827,6 +3831,10 @@ JBIG2Bitmap *JBIG2Stream::readGenericRefinementRegion(int w, int h,
   JBIG2BitmapPtr tpgrCXPtr2 = {0};
   int x, y, pix;
 
+  if (!refBitmap) {
+      return nullptr;
+  }
+
   bitmap = new JBIG2Bitmap(0, w, h);
   if (!bitmap->isOk())
   {
-- 
cgit v1.2.3


From 55db66c69fd56826b8523710046deab1a8d14ba2 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Wed, 21 Jun 2017 00:55:20 +0200
Subject: Fix crash in malformed documents

---
 poppler/JBIG2Stream.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'poppler/JBIG2Stream.cc')

diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index 48535883..d89108c8 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -896,7 +896,7 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y,
   oneByte = x0 == ((x1 - 1) & ~7);
 
   for (yy = y0; yy < y1; ++yy) {
-    if (unlikely(y + yy) >= h)
+    if (unlikely((y + yy >= h) || (y + yy < 0)))
       continue;
 
     // one byte per line -- need to mask both left and right side
-- 
cgit v1.2.3