--- poppler-0.18.4/poppler/Function.cc
+++ poppler-0.18.4/poppler/Function.cc
@@ -13,7 +13,7 @@
 // All changes made under the Poppler project to this file are licensed
 // under GPL version 2 or later
 //
-// Copyright (C) 2006, 2008-2010 Albert Astals Cid <aacid@kde.org>
+// Copyright (C) 2006, 2008-2010, 2013 Albert Astals Cid <aacid@kde.org>
 // Copyright (C) 2006 Jeff Muizelaar <jeff@infidigm.net>
 // Copyright (C) 2010 Christian Feuersänger <cfeuersaenger@googlemail.com>
 // Copyright (C) 2011 Andrea Canciani <ranma42@gmail.com>
@@ -1002,6 +1002,10 @@ void PSStack::copy(int n) {
     error(-1, "Stack underflow in PostScript function");
     return;
   }
+  if (unlikely(sp - n > psStackSize)) {
+    error(-1, "Stack underflow in PostScript function");
+    return;
+  }
   if (!checkOverflow(n)) {
     return;
   }
--- poppler-0.18.4/poppler/Stream.cc
+++ poppler-0.18.4/poppler/Stream.cc
@@ -2132,7 +2133,8 @@ GBool CCITTFaxStream::isBinary(GBool las
 
 // clip [-256,511] --> [0,255]
 #define dctClipOffset 256
-static Guchar dctClip[768];
+#define dctClipLength 768
+static Guchar dctClip[dctClipLength];
 static int dctClipInit = 0;
 
 // zig zag decode map
@@ -3078,7 +3080,12 @@ void DCTStream::transformDataUnit(Gushor
 
   // convert to 8-bit integers
   for (i = 0; i < 64; ++i) {
-    dataOut[i] = dctClip[dctClipOffset + 128 + ((dataIn[i] + 8) >> 4)];
+    const int ix = dctClipOffset + 128 + ((dataIn[i] + 8) >> 4);
+    if (unlikely(ix < 0 || ix >= dctClipLength)) {
+      dataOut[i] = 0;
+    } else {
+      dataOut[i] = dctClip[ix];
+    }
   }
 }
 
--- poppler-0.18.4/splash/Splash.cc
+++ poppler-0.18.4/splash/Splash.cc
@@ -14,7 +14,7 @@
 // Copyright (C) 2005-2011 Albert Astals Cid <aacid@kde.org>
 // Copyright (C) 2005 Marco Pesenti Gritti <mpg@redhat.com>
 // Copyright (C) 2010, 2011 Thomas Freitag <Thomas.Freitag@alfa.de>
-// Copyright (C) 2010 Christian Feuersänger <cfeuersaenger@googlemail.com>
+// Copyright (C) 2010 Christian FeuersÃ¤nger <cfeuersaenger@googlemail.com>
 // Copyright (C) 2011 William Bader <williambader@hotmail.com>
 //
 // To see a description of the changes please see the Changelog file that
@@ -1521,11 +1521,14 @@ SplashPath *Splash::makeDashedPath(Splas
   lineDashStartPhase -= (SplashCoord)i * lineDashTotal;
   lineDashStartOn = gTrue;
   lineDashStartIdx = 0;
-  while (lineDashStartPhase >= state->lineDash[lineDashStartIdx]) {
+  while (lineDashStartIdx < state->lineDashLength && lineDashStartPhase >= state->lineDash[lineDashStartIdx]) {
     lineDashStartOn = !lineDashStartOn;
     lineDashStartPhase -= state->lineDash[lineDashStartIdx];
     ++lineDashStartIdx;
   }
+  if (unlikely(lineDashStartIdx == state->lineDashLength)) {
+    return new SplashPath();
+  }
 
   dPath = new SplashPath();