From 92e41685dcef538a7fc669ca357ce9f448a8078e Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Sat, 7 Feb 2015 21:54:39 +0100
Subject: Fix crash in malformed file from bug #85275


diff --git a/poppler/SplashOutputDev.cc b/poppler/SplashOutputDev.cc
index 97af5c4..6640ab5 100644
--- a/poppler/SplashOutputDev.cc
+++ b/poppler/SplashOutputDev.cc
@@ -4048,8 +4048,8 @@ void SplashOutputDev::setSoftMask(GfxState *state, double *bbox,
   p = softMask->getDataPtr() + ty * softMask->getRowSize() + tx;
   int xMax = tBitmap->getWidth();
   int yMax = tBitmap->getHeight();
-  if (xMax + tx > bitmap->getWidth()) xMax = bitmap->getWidth() - tx;
-  if (yMax + ty > bitmap->getHeight()) yMax = bitmap->getHeight() - ty;
+  if (xMax > bitmap->getWidth() - tx) xMax = bitmap->getWidth() - tx;
+  if (yMax > bitmap->getHeight() - ty) yMax = bitmap->getHeight() - ty;
   for (y = 0; y < yMax; ++y) {
     for (x = 0; x < xMax; ++x) {
       if (alpha) {
diff --git a/splash/Splash.cc b/splash/Splash.cc
index fde272a..142516f 100644
--- a/splash/Splash.cc
+++ b/splash/Splash.cc
@@ -11,7 +11,7 @@
 // All changes made under the Poppler project to this file are licensed
 // under GPL version 2 or later
 //
-// Copyright (C) 2005-2014 Albert Astals Cid <aacid@kde.org>
+// Copyright (C) 2005-2015 Albert Astals Cid <aacid@kde.org>
 // Copyright (C) 2005 Marco Pesenti Gritti <mpg@redhat.com>
 // Copyright (C) 2010-2014 Thomas Freitag <Thomas.Freitag@alfa.de>
 // Copyright (C) 2010 Christian Feuersänger <cfeuersaenger@googlemail.com>
@@ -5214,6 +5214,10 @@ SplashError Splash::composite(SplashBitmap *src, int xSrc, int ySrc,
     return splashErrModeMismatch;
   }
 
+  if (unlikely(!bitmap->data)) {
+    return splashErrZeroImage;
+  }
+
   if(src->getSeparationList()->getLength() > bitmap->getSeparationList()->getLength()) {
     for (x = bitmap->getSeparationList()->getLength(); x < src->getSeparationList()->getLength(); x++)
       bitmap->getSeparationList()->append(((GfxSeparationColorSpace *)src->getSeparationList()->get(x))->copy());
@@ -5783,6 +5787,10 @@ SplashError Splash::blitTransparent(SplashBitmap *src, int xSrc, int ySrc,
     return splashErrModeMismatch;
   }
 
+  if (unlikely(!bitmap->data)) {
+    return splashErrZeroImage;
+  }
+
   switch (bitmap->mode) {
   case splashModeMono1:
     for (y = 0; y < h; ++y) {
diff --git a/splash/SplashBitmap.cc b/splash/SplashBitmap.cc
index ac344f1..e886683 100644
--- a/splash/SplashBitmap.cc
+++ b/splash/SplashBitmap.cc
@@ -11,7 +11,7 @@
 // All changes made under the Poppler project to this file are licensed
 // under GPL version 2 or later
 //
-// Copyright (C) 2006, 2009, 2010, 2012 Albert Astals Cid <aacid@kde.org>
+// Copyright (C) 2006, 2009, 2010, 2012, 2015 Albert Astals Cid <aacid@kde.org>
 // Copyright (C) 2007 Ilmari Heikkinen <ilmari.heikkinen@gmail.com>
 // Copyright (C) 2009 Shen Liang <shenzhuxi@gmail.com>
 // Copyright (C) 2009 Stefan Thomas <thomas@eload24.com>
@@ -275,7 +275,7 @@ SplashError SplashBitmap::writeAlphaPGMFile(char *fileName) {
 void SplashBitmap::getPixel(int x, int y, SplashColorPtr pixel) {
   SplashColorPtr p;
 
-  if (y < 0 || y >= height || x < 0 || x >= width) {
+  if (y < 0 || y >= height || x < 0 || x >= width || !data) {
     return;
   }
   switch (mode) {
-- 
cgit v0.10.2