From acc33a6950031ac4a5c759d043d24df0cfa7e8b6 Mon Sep 17 00:00:00 2001
From: Jason Crain <jason@aquaticape.us>
Date: Sat, 20 Dec 2014 02:24:49 -0600
Subject: [PATCH] Check for invalid matrix in annotation

Bug #84990
---
 poppler/Gfx.cc | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index 64a9d7b..77693f9 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
@@ -37,6 +37,7 @@
 // Copyright (C) 2012 Even Rouault <even.rouault@mines-paris.org>
 // Copyright (C) 2012, 2013 Fabio D'Urso <fabiodurso@hotmail.it>
 // Copyright (C) 2012 Lu Wang <coolwanglu@gmail.com>
+// Copyright (C) 2014 Jason Crain <jason@aquaticape.us>
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git
@@ -5285,8 +5286,15 @@ void Gfx::drawAnnot(Object *str, AnnotBorder *border, AnnotColor *aColor,
     if (matrixObj.isArray() && matrixObj.arrayGetLength() >= 6) {
       for (i = 0; i < 6; ++i) {
 	matrixObj.arrayGet(i, &obj1);
-	m[i] = obj1.getNum();
-	obj1.free();
+	if (likely(obj1.isNum())) {
+	  m[i] = obj1.getNum();
+	  obj1.free();
+	} else {
+	  obj1.free();
+	  matrixObj.free();
+	  error(errSyntaxError, getPos(), "Bad form matrix");
+	  return;
+	}
       }
     } else {
       m[0] = 1; m[1] = 0;
-- 
2.1.0