[alpine-aports] main/poppler: add Debian Buster patches, mostly security

Message ID 20190616105802.23114-1-brebs@sent.com
State New
Headers show
Series
  • [alpine-aports] main/poppler: add Debian Buster patches, mostly security
Related show

Commit Message

Paul Bredbury June 16, 2019, 10:58 a.m. UTC
Tweak builddir, so default_prepare finds the files to patch.
---
 main/poppler/APKBUILD                         |  49 +++++--
 main/poppler/CVE-2018-16646-1.patch           |  61 ++++++++
 main/poppler/CVE-2018-16646-2.patch           |  25 ++++
 main/poppler/CVE-2018-16646-3.patch           |  28 ++++
 main/poppler/CVE-2018-20481.patch             |  63 ++++++++
 main/poppler/CVE-2018-20551.patch             |  51 +++++++
 main/poppler/CVE-2018-20662.patch             |  46 ++++++
 main/poppler/CVE-2019-10872.patch             | 136 ++++++++++++++++++
 main/poppler/CVE-2019-10873.patch             |  31 ++++
 main/poppler/CVE-2019-12293.patch             |  41 ++++++
 main/poppler/CVE-2019-7310.patch              |  29 ++++
 main/poppler/CVE-2019-9200.patch              |  24 ++++
 main/poppler/CVE-2019-9631.patch              | 100 +++++++++++++
 .../bug924029-goostring-null-pointers.patch   |  97 +++++++++++++
 ...ate-PopplerInputStream-with-length-0.patch |  36 +++++
 main/poppler/page-ustring.patch               |  29 ++++
 16 files changed, 837 insertions(+), 9 deletions(-)
 create mode 100644 main/poppler/CVE-2018-16646-1.patch
 create mode 100644 main/poppler/CVE-2018-16646-2.patch
 create mode 100644 main/poppler/CVE-2018-16646-3.patch
 create mode 100644 main/poppler/CVE-2018-20481.patch
 create mode 100644 main/poppler/CVE-2018-20551.patch
 create mode 100644 main/poppler/CVE-2018-20662.patch
 create mode 100644 main/poppler/CVE-2019-10872.patch
 create mode 100644 main/poppler/CVE-2019-10873.patch
 create mode 100644 main/poppler/CVE-2019-12293.patch
 create mode 100644 main/poppler/CVE-2019-7310.patch
 create mode 100644 main/poppler/CVE-2019-9200.patch
 create mode 100644 main/poppler/CVE-2019-9631.patch
 create mode 100644 main/poppler/bug924029-goostring-null-pointers.patch
 create mode 100644 main/poppler/glib-Don-t-create-PopplerInputStream-with-length-0.patch
 create mode 100644 main/poppler/page-ustring.patch

Patch

diff --git a/main/poppler/APKBUILD b/main/poppler/APKBUILD
index 95f69f97bd..319d64704b 100644
--- a/main/poppler/APKBUILD
+++ b/main/poppler/APKBUILD
@@ -1,7 +1,7 @@ 
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=poppler
 pkgver=0.71.0
-pkgrel=0
+pkgrel=1
 pkgdesc="PDF rendering library based on xpdf 3.0"
 url="https://poppler.freedesktop.org/"
 arch="all"
@@ -14,13 +14,28 @@  makedepends="$depends_dev cmake libjpeg-turbo-dev cairo-dev libxml2-dev
 	openjpeg-dev openjpeg-tools libpng-dev tiff-dev zlib-dev"
 subpackages="$pkgname-dev $pkgname-doc $pkgname-utils $pkgname-glib
 	"
-source="https://poppler.freedesktop.org/poppler-$pkgver.tar.xz"
-builddir="$srcdir/$pkgname-$pkgver/build"
+source="https://poppler.freedesktop.org/poppler-$pkgver.tar.xz
+	glib-Don-t-create-PopplerInputStream-with-length-0.patch
+	page-ustring.patch
+	CVE-2018-16646-1.patch
+	CVE-2018-16646-2.patch
+	CVE-2018-16646-3.patch
+	CVE-2018-20481.patch
+	CVE-2018-20551.patch
+	CVE-2018-20662.patch
+	CVE-2019-7310.patch
+	CVE-2019-9200.patch
+	CVE-2019-9631.patch
+	CVE-2019-10873.patch
+	bug924029-goostring-null-pointers.patch
+	CVE-2019-10872.patch
+	CVE-2019-12293.patch"
+builddir="$srcdir/$pkgname-$pkgver"
 
 prepare() {
 	local _linked_pkg=poppler-qt4
 	local _linked_apkbuild="$startdir"/../$_linked_pkg/APKBUILD
-	mkdir -p "$builddir"
+	mkdir -p "$builddir/build"
 	cd "$builddir"
 	if  [ -f "$_linked_apkbuild" ]; then
 		local _linked_ver=$( . "$_linked_apkbuild"; echo "$pkgver")
@@ -29,14 +44,15 @@  prepare() {
 			return 1
 		fi
 	fi
+
+	default_prepare
 }
 
 build() {
-	cd "$builddir"
-
 	# JPEG2000Stream.cc:20:10: fatal error: openjpeg.h: No such file
-	sed -e "/^#include/s/openjpeg\.h/openjpeg-2.3\/openjpeg.h/" -i ../poppler/JPEG2000Stream.cc
+	sed -e "/^#include/s/openjpeg\.h/openjpeg-2.3\/openjpeg.h/" -i poppler/JPEG2000Stream.cc
 
+	cd build
 	cmake .. \
 		-DCMAKE_INSTALL_PREFIX=/usr \
 		-DCMAKE_INSTALL_LIBDIR=lib \
@@ -47,7 +63,7 @@  build() {
 }
 
 package() {
-	cd "$builddir"
+	cd build
 	make DESTDIR="$pkgdir" install
 }
 
@@ -73,4 +89,19 @@  _cpp() {
 		"$subpkgdir"/usr/lib/
 }
 
-sha512sums="8e0ce95e7b58c37761c36a20f1282e63373a9557bf9f746ce2936562f12648506043d9559cf816944aa238814fc1b3f3a3c0a6cb002fd214b067e399bcc6ab1e  poppler-0.71.0.tar.xz"
+sha512sums="8e0ce95e7b58c37761c36a20f1282e63373a9557bf9f746ce2936562f12648506043d9559cf816944aa238814fc1b3f3a3c0a6cb002fd214b067e399bcc6ab1e  poppler-0.71.0.tar.xz
+e3d4747cfc1b171ec64d7492c92ed42494c6bf8ad4f40b3fe3fcd439034efd7ca16d6ed703d85dffd3625650c70aa51cbaff7a292f6b357e19ef2dc5ef742296  glib-Don-t-create-PopplerInputStream-with-length-0.patch
+4f1b9dbf9f075a09a78640a060537995b753f9287b06cdbb2a30a750e57638f677e27fa1c6dd24772cd29dd746d4f21f3ce3b51596179355f9514ea824e17a27  page-ustring.patch
+b7401aa7303467bbf3551156b7ab0d5041eb528034bc1268f67da074a60e7e685a674ab4aca3235c5fe2c7cbe388d4c822c27a2f103fbb9ff85af68d5c42f0b0  CVE-2018-16646-1.patch
+b9dbda18a862d234eb17d44f6a728a73b32712aac32a01637cb4472cdbad2dc6f1f06bd2fd61db1e68de37ecfca4c07191db577a841e7afbe6d0236dea473562  CVE-2018-16646-2.patch
+91ebd6af4cd0645a4346e1f016333e3fcb5073df4c73942bb9f87c393fbbfcfe768170464eec6a118d56bfffc361fb06dc2988a064ab2a864f6fa430294634b7  CVE-2018-16646-3.patch
+b866abf13ce3e0e87744dd99b90da1b5926875a5b3ae3b335ffd7f9736f025a3e631312ffc624f825328b3a1dd5012117a5af534436da0c072b67908316cdb88  CVE-2018-20481.patch
+f9fdb49fe6ac420db1634fbee0977d867154ce2dd34f6b4c5f77591a859b1ecc2f2ea6c926a7b8fa76f3bf69dee9abd48f7a6d3653e1d4d447338d4025587fa0  CVE-2018-20551.patch
+5fe4c3604f9d943a5162182c402f8e96262b94ee38702dba1d893e311434d56eb9965b58f7dce4718a399ab190f9e34d38a1bb970283d5847dbfe30d5f04a426  CVE-2018-20662.patch
+599a6742cf762906cc8f0eeb8b516798214095222ff630b27470b5fbb1abca99cfe9f8196f9e55ee9cf5df1a871859f6e13ece7247573248b88d5e65946aeef4  CVE-2019-7310.patch
+2487ada6cfdd4a9dceaf0b741044b7cc2a2605fed5ed99a90192e2c0c0ee6a2a9b30264821ffab39e03a85d7d47bd91066e759e16c44d4e21c89025f1b98f98f  CVE-2019-9200.patch
+e16a8971ea30debf9efc8abf81a0a43c7ceaa403dbb423c4f45cbb00237acf0e4ee13fb9117f258f245c204fadc32d51fa0c73259cea2913d9d2afac2cc8ad8f  CVE-2019-9631.patch
+47f50e99d902b1ab80e004def6b99f7e2cd01e96d6a3081aef8cc3f473ed057adbcb69b905e89e5ece080d43ea465c92c2890cf6cc88e29465a0fcf7dd89cd36  CVE-2019-10873.patch
+b034f8559fce065d671e1c9c8d8d0b12fbf70f423fd8dbb0018ae12520c6b27be67f4a16a02a183c2b8c09505305b0979f9a6326c33171e19d45c4d3e53b0487  bug924029-goostring-null-pointers.patch
+1aa9791c9c559b78b1dc33d6e72c941d4d8a461a90eb92f8674f13881d19aa38e20fbc9104baf9ddb21b9ec6bd4b8c3bda3a01ce6f34a932229e6327bedf1910  CVE-2019-10872.patch
+5494d9056dd672b6379d82f41f0e895037631da781685f067316ffc3ae789589a83580553d0dd2e4ed29fd1fd1d4a779e87a96a914fc7a043e60e4a145b73258  CVE-2019-12293.patch"
diff --git a/main/poppler/CVE-2018-16646-1.patch b/main/poppler/CVE-2018-16646-1.patch
new file mode 100644
index 0000000000..fb2ac27488
--- /dev/null
+++ b/main/poppler/CVE-2018-16646-1.patch
@@ -0,0 +1,61 @@ 
+From 3d35d209c19c1d3b09b794a0c863ba5de44a9c0a Mon Sep 17 00:00:00 2001
+From: Marek Kasik <mkasik@redhat.com>
+Date: Mon, 29 Oct 2018 17:44:47 +0100
+Subject: [PATCH] Avoid cycles in PDF parsing
+
+Mark objects being processed in Parser::makeStream() as being processed
+and check the mark when entering this method to avoid processing
+of the same object recursively.
+---
+ poppler/Parser.cc | 15 +++++++++++++++
+ poppler/XRef.h    |  1 +
+ 2 files changed, 16 insertions(+)
+
+diff --git a/poppler/Parser.cc b/poppler/Parser.cc
+index bd4845ab..8f48efbe 100644
+--- a/poppler/Parser.cc
++++ b/poppler/Parser.cc
+@@ -197,6 +197,18 @@ Stream *Parser::makeStream(Object &&dict, Guchar *fileKey,
+   Stream *str;
+   Goffset length;
+   Goffset pos, endPos;
++  XRefEntry *entry;
++
++  if (xref && (entry = xref->getEntry(objNum, false))) {
++    if (!entry->getFlag(XRefEntry::Parsing) ||
++        (objNum == 0 && objGen == 0)) {
++      entry->setFlag(XRefEntry::Parsing, true);
++    } else {
++      error(errSyntaxError, getPos(),
++            "Object '{0:d} {1:d} obj' is being already parsed", objNum, objGen);
++      return nullptr;
++    }
++  }
+ 
+   // get stream start position
+   lexer->skipToNextLine();
+@@ -278,6 +290,9 @@ Stream *Parser::makeStream(Object &&dict, Guchar *fileKey,
+   // get filters
+   str = str->addFilters(str->getDict(), recursion);
+ 
++  if (entry)
++    entry->setFlag(XRefEntry::Parsing, false);
++
+   return str;
+ }
+ 
+diff --git a/poppler/XRef.h b/poppler/XRef.h
+index 11ee5e03..2eb2f9fd 100644
+--- a/poppler/XRef.h
++++ b/poppler/XRef.h
+@@ -65,6 +65,7 @@ struct XRefEntry {
+   enum Flag {
+     // Regular flags
+     Updated,     // Entry was modified
++    Parsing,     // Entry is currently being parsed
+ 
+     // Special flags -- available only after xref->scanSpecialFlags() is run
+     Unencrypted, // Entry is stored in unencrypted form (meaningless in unencrypted documents)
+-- 
+2.18.1
+
diff --git a/main/poppler/CVE-2018-16646-2.patch b/main/poppler/CVE-2018-16646-2.patch
new file mode 100644
index 0000000000..3514b30c2b
--- /dev/null
+++ b/main/poppler/CVE-2018-16646-2.patch
@@ -0,0 +1,25 @@ 
+From 89fccf45fc5bfca3756102e6bec1950ec1d436a9 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Sat, 3 Nov 2018 01:45:55 +0100
+Subject: [PATCH] initialize entry
+
+---
+ poppler/Parser.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/poppler/Parser.cc b/poppler/Parser.cc
+index 733cdbb0..87745414 100644
+--- a/poppler/Parser.cc
++++ b/poppler/Parser.cc
+@@ -198,7 +198,7 @@ Stream *Parser::makeStream(Object &&dict, Guchar *fileKey,
+   Stream *str;
+   Goffset length;
+   Goffset pos, endPos;
+-  XRefEntry *entry;
++  XRefEntry *entry = nullptr;
+ 
+   if (xref && (entry = xref->getEntry(objNum, false))) {
+     if (!entry->getFlag(XRefEntry::Parsing) ||
+-- 
+2.18.1
+
diff --git a/main/poppler/CVE-2018-16646-3.patch b/main/poppler/CVE-2018-16646-3.patch
new file mode 100644
index 0000000000..62d303e2b5
--- /dev/null
+++ b/main/poppler/CVE-2018-16646-3.patch
@@ -0,0 +1,28 @@ 
+From 08572e1bdca03baed694dd9828bb2b878865e669 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Sat, 3 Nov 2018 12:21:41 +0100
+Subject: [PATCH] Parser::makeStream: Fix crash on malformed files
+
+fixes oss-fuzz/11244
+---
+ poppler/Parser.cc | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/poppler/Parser.cc b/poppler/Parser.cc
+index 87745414..2cf2bd12 100644
+--- a/poppler/Parser.cc
++++ b/poppler/Parser.cc
+@@ -230,6 +230,10 @@ Stream *Parser::makeStream(Object &&dict, Guchar *fileKey,
+     length = 0;
+   }
+ 
++  // the above dictLookup can cause a xref reconstruction if the file is damaged
++  // so we need to update the entry pointer
++  entry = xref ? xref->getEntry(objNum, false) : nullptr;
++
+   // check for length in damaged file
+   if (xref && xref->getStreamEnd(pos, &endPos)) {
+     length = endPos - pos;
+-- 
+2.18.1
+
diff --git a/main/poppler/CVE-2018-20481.patch b/main/poppler/CVE-2018-20481.patch
new file mode 100644
index 0000000000..4402e964ad
--- /dev/null
+++ b/main/poppler/CVE-2018-20481.patch
@@ -0,0 +1,63 @@ 
+From 39a251b1b3a3343400a08e2f03c5518a26624626 Mon Sep 17 00:00:00 2001
+From: Adam Reichold <adam.reichold@t-online.de>
+Date: Mon, 24 Dec 2018 15:40:38 +0100
+Subject: [PATCH] Do not try to parse into unallocated XRef entry and return
+ pointer to dummy entry instead. Closes #692 and oss-fuzz/12330
+
+---
+ poppler/XRef.cc | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/poppler/XRef.cc b/poppler/XRef.cc
+index 0ec66944..d042d1f4 100644
+--- a/poppler/XRef.cc
++++ b/poppler/XRef.cc
+@@ -1548,11 +1548,31 @@ void XRef::readXRefUntil(int untilEntryNum, std::vector<int> *xrefStreamObjsNum)
+   }
+ }
+ 
++namespace {
++
++struct DummyXRefEntry : XRefEntry {
++  DummyXRefEntry() {
++    offset = 0;
++    gen = -1;
++    type = xrefEntryNone;
++    flags = 0;
++  }
++};
++
++DummyXRefEntry dummyXRefEntry;
++
++}
++
+ XRefEntry *XRef::getEntry(int i, bool complainIfMissing)
+ {
+   if (i >= size || entries[i].type == xrefEntryNone) {
+ 
+     if ((!xRefStream) && mainXRefEntriesOffset) {
++      if (unlikely(i >= capacity)) {
++	error(errInternal, -1, "Request for out-of-bounds XRef entry [{0:d}]", i);
++	return &dummyXRefEntry;
++      }
++
+       if (!parseEntry(mainXRefEntriesOffset + 20*i, &entries[i])) {
+         error(errSyntaxError, -1, "Failed to parse XRef entry [{0:d}].", i);
+       }
+@@ -1563,12 +1583,7 @@ XRefEntry *XRef::getEntry(int i, bool complainIfMissing)
+       // We might have reconstructed the xref
+       // Check again i is in bounds
+       if (unlikely(i >= size)) {
+-        static XRefEntry dummy;
+-        dummy.offset = 0;
+-        dummy.gen = -1;
+-        dummy.type = xrefEntryNone;
+-        dummy.flags = 0;
+-        return &dummy;
++	return &dummyXRefEntry;
+       }
+ 
+       if (entries[i].type == xrefEntryNone) {
+-- 
+2.18.1
+
diff --git a/main/poppler/CVE-2018-20551.patch b/main/poppler/CVE-2018-20551.patch
new file mode 100644
index 0000000000..9a391ca0dd
--- /dev/null
+++ b/main/poppler/CVE-2018-20551.patch
@@ -0,0 +1,51 @@ 
+From 7f87dc10b6adccd6d1b977a28b064add254aa2da Mon Sep 17 00:00:00 2001
+From: Adam Reichold <adam.reichold@t-online.de>
+Date: Thu, 27 Dec 2018 11:54:53 +0100
+Subject: [PATCH] Do not try to construct invalid rich media annotation assets.
+ Closes #703
+
+---
+ poppler/Annot.cc | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/poppler/Annot.cc b/poppler/Annot.cc
+index 2e4770ab..1750dc70 100644
+--- a/poppler/Annot.cc
++++ b/poppler/Annot.cc
+@@ -6418,20 +6418,22 @@ AnnotRichMedia::Content::Content(Dict *dict) {
+   if (obj1.isDict()) {
+     Object obj2 = obj1.getDict()->lookup("Names");
+     if (obj2.isArray()) {
+-      nAssets = obj2.arrayGetLength() / 2;
++      const int length = obj2.arrayGetLength() / 2;
+ 
+-      assets = (Asset **)gmallocn(nAssets, sizeof(Asset *));
++      assets = (Asset **)gmallocn(length, sizeof(Asset *));
++      for (int i = 0; i < length; ++i) {
++	Object objKey = obj2.arrayGet(2 * i);
++	Object objVal = obj2.arrayGet(2 * i + 1);
+ 
+-      int counter = 0;
+-      for (int i = 0; i < nAssets; ++i) {
+-        assets[counter] = new AnnotRichMedia::Asset;
+-
+-        Object objKey = obj2.arrayGet(i * 2);
+-        assets[counter]->fileSpec = obj2.arrayGet(i * 2 + 1);
+-
+-        assets[counter]->name = std::make_unique<GooString>( objKey.getString() );
+-        ++counter;
++	if (!objKey.isString() || objVal.isNull()) {
++	  error(errSyntaxError, -1, "Bad Annot Asset");
++	  continue;
++	}
+ 
++	assets[nAssets] = new AnnotRichMedia::Asset;
++	assets[nAssets]->name = std::make_unique<GooString>( objKey.getString() );
++	assets[nAssets]->fileSpec = std::move(objVal);
++	++nAssets;
+       }
+     }
+   }
+-- 
+2.18.1
+
diff --git a/main/poppler/CVE-2018-20662.patch b/main/poppler/CVE-2018-20662.patch
new file mode 100644
index 0000000000..557bda34af
--- /dev/null
+++ b/main/poppler/CVE-2018-20662.patch
@@ -0,0 +1,46 @@ 
+From 7b4e372deeb716eb3fe3a54b31ed41af759224f9 Mon Sep 17 00:00:00 2001
+From: Marek Kasik <mkasik@redhat.com>
+Date: Mon, 4 Mar 2019 12:55:12 +0100
+Subject: [PATCH] pdfunite: Check XRef's Catalog for being a Dict
+
+Check whether Catalog from XRef is Dict for each document
+passed to pdfunite and return error if not.
+
+https://gitlab.freedesktop.org/poppler/poppler/issues/706
+---
+ utils/pdfunite.cc | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/utils/pdfunite.cc b/utils/pdfunite.cc
+index b0142116..23888684 100644
+--- a/utils/pdfunite.cc
++++ b/utils/pdfunite.cc
+@@ -165,7 +165,8 @@ int main (int argc, char *argv[])
+   for (i = 1; i < argc - 1; i++) {
+     GooString *gfileName = new GooString(argv[i]);
+     PDFDoc *doc = new PDFDoc(gfileName, nullptr, nullptr, nullptr);
+-    if (doc->isOk() && !doc->isEncrypted()) {
++    if (doc->isOk() && !doc->isEncrypted() &&
++        doc->getXRef()->getCatalog().isDict()) {
+       docs.push_back(doc);
+       if (doc->getPDFMajorVersion() > majorVersion) {
+         majorVersion = doc->getPDFMajorVersion();
+@@ -176,8 +177,13 @@ int main (int argc, char *argv[])
+         }
+       }
+     } else if (doc->isOk()) {
+-      error(errUnimplemented, -1, "Could not merge encrypted files ('{0:s}')", argv[i]);
+-      return -1;
++      if (doc->isEncrypted()) {
++        error(errUnimplemented, -1, "Could not merge encrypted files ('{0:s}')", argv[i]);
++        return -1;
++      } else if (!doc->getXRef()->getCatalog().isDict()) {
++        error(errSyntaxError, -1, "XRef's Catalog is not a dictionary ('{0:s}')", argv[i]);
++        return -1;
++      }
+     } else {
+       error(errSyntaxError, -1, "Could not merge damaged documents ('{0:s}')", argv[i]);
+       return -1;
+-- 
+2.18.1
+
diff --git a/main/poppler/CVE-2019-10872.patch b/main/poppler/CVE-2019-10872.patch
new file mode 100644
index 0000000000..8032d7dd9a
--- /dev/null
+++ b/main/poppler/CVE-2019-10872.patch
@@ -0,0 +1,136 @@ 
+From 6a1580e84f492b5671d23be98192267bb73de250 Mon Sep 17 00:00:00 2001
+From: Marek Kasik <mkasik@redhat.com>
+Date: Mon, 13 May 2019 15:08:38 +0200
+Subject: [PATCH] Splash: Restrict filling of overlapping boxes
+
+Check whether area to fill in Splash::blitTransparent()
+does not run out of allocated memory for source and for destination
+and shrink it if needed.
+
+Fixes #750
+---
+ splash/Splash.cc | 48 +++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 33 insertions(+), 15 deletions(-)
+
+--- poppler-0.71.0.orig/splash/Splash.cc
++++ poppler-0.71.0/splash/Splash.cc
+@@ -5856,7 +5856,7 @@ SplashError Splash::blitTransparent(Spla
+ 				    int xDest, int yDest, int w, int h) {
+   SplashColorPtr p, sp;
+   Guchar *q;
+-  int x, y, mask, srcMask;
++  int x, y, mask, srcMask, width = w, height = h;
+ 
+   if (src->mode != bitmap->mode) {
+     return splashErrModeMismatch;
+@@ -5866,14 +5866,32 @@ SplashError Splash::blitTransparent(Spla
+     return splashErrZeroImage;
+   }
+ 
++  if (src->getWidth() - xSrc < width)
++    width = src->getWidth() - xSrc;
++
++  if (src->getHeight() - ySrc < height)
++    height = src->getHeight() - ySrc;
++
++  if (bitmap->getWidth() - xDest < width)
++    width = bitmap->getWidth() - xDest;
++
++  if (bitmap->getHeight() - yDest < height)
++    height = bitmap->getHeight() - yDest;
++
++  if (width < 0)
++    width = 0;
++
++  if (height < 0)
++    height = 0;
++
+   switch (bitmap->mode) {
+   case splashModeMono1:
+-    for (y = 0; y < h; ++y) {
++    for (y = 0; y < height; ++y) {
+       p = &bitmap->data[(yDest + y) * bitmap->rowSize + (xDest >> 3)];
+       mask = 0x80 >> (xDest & 7);
+       sp = &src->data[(ySrc + y) * src->rowSize + (xSrc >> 3)];
+       srcMask = 0x80 >> (xSrc & 7);
+-      for (x = 0; x < w; ++x) {
++      for (x = 0; x < width; ++x) {
+ 	if (*sp & srcMask) {
+ 	  *p |= mask;
+ 	} else {
+@@ -5891,20 +5909,20 @@ SplashError Splash::blitTransparent(Spla
+     }
+     break;
+   case splashModeMono8:
+-    for (y = 0; y < h; ++y) {
++    for (y = 0; y < height; ++y) {
+       p = &bitmap->data[(yDest + y) * bitmap->rowSize + xDest];
+       sp = &src->data[(ySrc + y) * bitmap->rowSize + xSrc];
+-      for (x = 0; x < w; ++x) {
++      for (x = 0; x < width; ++x) {
+ 	*p++ = *sp++;
+       }
+     }
+     break;
+   case splashModeRGB8:
+   case splashModeBGR8:
+-    for (y = 0; y < h; ++y) {
++    for (y = 0; y < height; ++y) {
+       p = &bitmap->data[(yDest + y) * bitmap->rowSize + 3 * xDest];
+       sp = &src->data[(ySrc + y) * src->rowSize + 3 * xSrc];
+-      for (x = 0; x < w; ++x) {
++      for (x = 0; x < width; ++x) {
+ 	*p++ = *sp++;
+ 	*p++ = *sp++;
+ 	*p++ = *sp++;
+@@ -5912,10 +5930,10 @@ SplashError Splash::blitTransparent(Spla
+     }
+     break;
+   case splashModeXBGR8:
+-    for (y = 0; y < h; ++y) {
++    for (y = 0; y < height; ++y) {
+       p = &bitmap->data[(yDest + y) * bitmap->rowSize + 4 * xDest];
+       sp = &src->data[(ySrc + y) * src->rowSize + 4 * xSrc];
+-      for (x = 0; x < w; ++x) {
++      for (x = 0; x < width; ++x) {
+ 	*p++ = *sp++;
+ 	*p++ = *sp++;
+ 	*p++ = *sp++;
+@@ -5926,10 +5944,10 @@ SplashError Splash::blitTransparent(Spla
+     break;
+ #ifdef SPLASH_CMYK
+   case splashModeCMYK8:
+-    for (y = 0; y < h; ++y) {
++    for (y = 0; y < height; ++y) {
+       p = &bitmap->data[(yDest + y) * bitmap->rowSize + 4 * xDest];
+       sp = &src->data[(ySrc + y) * src->rowSize + 4 * xSrc];
+-      for (x = 0; x < w; ++x) {
++      for (x = 0; x < width; ++x) {
+ 	*p++ = *sp++;
+ 	*p++ = *sp++;
+ 	*p++ = *sp++;
+@@ -5938,10 +5956,10 @@ SplashError Splash::blitTransparent(Spla
+     }
+     break;
+   case splashModeDeviceN8:
+-    for (y = 0; y < h; ++y) {
++    for (y = 0; y < height; ++y) {
+       p = &bitmap->data[(yDest + y) * bitmap->rowSize + (SPOT_NCOMPS+4) * xDest];
+       sp = &src->data[(ySrc + y) * src->rowSize + (SPOT_NCOMPS+4) * xSrc];
+-      for (x = 0; x < w; ++x) {
++      for (x = 0; x < width; ++x) {
+         for (int cp=0; cp < SPOT_NCOMPS+4; cp++)
+           *p++ = *sp++;
+       }
+@@ -5951,9 +5969,9 @@ SplashError Splash::blitTransparent(Spla
+   }
+ 
+   if (bitmap->alpha) {
+-    for (y = 0; y < h; ++y) {
++    for (y = 0; y < height; ++y) {
+       q = &bitmap->alpha[(yDest + y) * bitmap->width + xDest];
+-      memset(q, 0x00, w);
++      memset(q, 0x00, width);
+     }
+   }
+ 
diff --git a/main/poppler/CVE-2019-10873.patch b/main/poppler/CVE-2019-10873.patch
new file mode 100644
index 0000000000..a4a80ae97d
--- /dev/null
+++ b/main/poppler/CVE-2019-10873.patch
@@ -0,0 +1,31 @@ 
+From 8dbe2e6c480405dab9347075cf4be626f90f1d05 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Wed, 3 Apr 2019 18:02:42 +0200
+Subject: [PATCH] SplashXPathScanner::clipAALine: Fix crash on broken file
+
+Make sure the index of allIntersections we access is valid
+
+Fixes #748
+---
+ splash/SplashXPathScanner.cc | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/splash/SplashXPathScanner.cc b/splash/SplashXPathScanner.cc
+index 8362a6a5..23b4f7c4 100644
+--- a/splash/SplashXPathScanner.cc
++++ b/splash/SplashXPathScanner.cc
+@@ -452,7 +452,10 @@ void SplashXPathScanner::clipAALine(SplashBitmap *aaBuf,
+   for (yy = 0; yy < splashAASize; ++yy) {
+     xx = *x0 * splashAASize;
+     if (yy >= yyMin && yy <= yyMax) {
+-      const auto& line = allIntersections[splashAASize * y + yy - yMin];
++      const int intersectionIndex = splashAASize * y + yy - yMin;
++      if (unlikely(intersectionIndex < 0 || (unsigned)intersectionIndex >= allIntersections.size()))
++	break;
++      const auto& line = allIntersections[intersectionIndex];
+       interIdx = 0;
+       interCount = 0;
+       while (interIdx < line.size() && xx < (*x1 + 1) * splashAASize) {
+-- 
+2.18.1
+
diff --git a/main/poppler/CVE-2019-12293.patch b/main/poppler/CVE-2019-12293.patch
new file mode 100644
index 0000000000..2ad86a8355
--- /dev/null
+++ b/main/poppler/CVE-2019-12293.patch
@@ -0,0 +1,41 @@ 
+From 89a5367d49b2556a2635dbb6d48d6a6b182a2c6c Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Thu, 23 May 2019 00:54:29 +0200
+Subject: [PATCH] JPEG2000Stream: fail gracefully if not all components have
+ the same WxH
+
+I think this is just a mistake, or at least the only file we have with
+this scenario is a fuzzed one
+---
+ poppler/JPEG2000Stream.cc | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/poppler/JPEG2000Stream.cc b/poppler/JPEG2000Stream.cc
+index 15bbcae4..0eea3a2d 100644
+--- a/poppler/JPEG2000Stream.cc
++++ b/poppler/JPEG2000Stream.cc
+@@ -4,7 +4,7 @@
+ //
+ // A JPX stream decoder using OpenJPEG
+ //
+-// Copyright 2008-2010, 2012, 2017, 2018 Albert Astals Cid <aacid@kde.org>
++// Copyright 2008-2010, 2012, 2017-2019 Albert Astals Cid <aacid@kde.org>
+ // Copyright 2011 Daniel Glöckner <daniel-gl@gmx.net>
+ // Copyright 2014, 2016 Thomas Freitag <Thomas.Freitag@alfa.de>
+ // Copyright 2013, 2014 Adrian Johnson <ajohnson@redneon.com>
+@@ -253,6 +253,12 @@ void JPXStream::init()
+         close();
+         break;
+       }
++      const int componentPixels = priv->image->comps[component].w * priv->image->comps[component].h;
++      if (componentPixels != priv->npixels) {
++        error(errSyntaxWarning, -1, "Component {0:d} has different WxH than component 0", component);
++        close();
++        break;
++      }
+       unsigned char *cdata = (unsigned char *)priv->image->comps[component].data;
+       int adjust = 0;
+       int depth = priv->image->comps[component].prec;
+-- 
+2.21.0
+
diff --git a/main/poppler/CVE-2019-7310.patch b/main/poppler/CVE-2019-7310.patch
new file mode 100644
index 0000000000..cffd88f225
--- /dev/null
+++ b/main/poppler/CVE-2019-7310.patch
@@ -0,0 +1,29 @@ 
+From b54e1fc3e0d2600621a28d50f9f085b9e38619c2 Mon Sep 17 00:00:00 2001
+From: Adam Reichold <adam.reichold@t-online.de>
+Date: Fri, 1 Feb 2019 08:42:27 +0100
+Subject: [PATCH] Also defend against requests for negative XRef indices.
+ oss-fuzz/12797
+
+---
+ poppler/XRef.cc | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/poppler/XRef.cc b/poppler/XRef.cc
+index d042d1f4..ac2cd0ce 100644
+--- a/poppler/XRef.cc
++++ b/poppler/XRef.cc
+@@ -1565,6 +1565,11 @@ DummyXRefEntry dummyXRefEntry;
+ 
+ XRefEntry *XRef::getEntry(int i, bool complainIfMissing)
+ {
++  if (unlikely(i < 0)) {
++    error(errInternal, -1, "Request for invalid XRef entry [{0:d}]", i);
++    return &dummyXRefEntry;
++  }
++
+   if (i >= size || entries[i].type == xrefEntryNone) {
+ 
+     if ((!xRefStream) && mainXRefEntriesOffset) {
+-- 
+2.18.1
+
diff --git a/main/poppler/CVE-2019-9200.patch b/main/poppler/CVE-2019-9200.patch
new file mode 100644
index 0000000000..e3f8da4321
--- /dev/null
+++ b/main/poppler/CVE-2019-9200.patch
@@ -0,0 +1,24 @@ 
+From f4136a6353162db249f63ddb0f20611622ab61b4 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Wed, 27 Feb 2019 19:43:22 +0100
+Subject: [PATCH] ImageStream::getLine: fix crash on broken files
+
+Fixes #728
+---
+ poppler/Stream.cc | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff -aur poppler-0.71.0.orig/poppler/Stream.cc poppler-0.71.0/poppler/Stream.cc
+--- poppler-0.71.0.orig/poppler/Stream.cc	2018-10-31 22:13:17.000000000 +0100
++++ poppler-0.71.0/poppler/Stream.cc	2019-05-10 18:04:55.809263964 +0200
+@@ -476,6 +476,9 @@
+   }
+  
+   int readChars = str->doGetChars(inputLineSize, inputLine);
++  if (unlikely(readChars == -1)) {
++      readChars = 0;
++  }
+   for ( ; readChars < inputLineSize; readChars++) inputLine[readChars] = EOF;
+   if (nBits == 1) {
+     Guchar *p = inputLine;
+
diff --git a/main/poppler/CVE-2019-9631.patch b/main/poppler/CVE-2019-9631.patch
new file mode 100644
index 0000000000..30111603c9
--- /dev/null
+++ b/main/poppler/CVE-2019-9631.patch
@@ -0,0 +1,100 @@ 
+From 8122f6d6d409b53151a20c5578fc525ee97315e8 Mon Sep 17 00:00:00 2001
+From: Marek Kasik <mkasik@redhat.com>
+Date: Thu, 21 Mar 2019 13:47:51 +0100
+Subject: [PATCH] cairo: Constrain number of cycles in rescale filter
+
+Pass address of the first byte after end of the source buffer
+to downsample_row_box_filter() so that we can check
+that we don't run out of it.
+
+Fixes issue #736
+---
+ poppler/CairoRescaleBox.cc | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/poppler/CairoRescaleBox.cc b/poppler/CairoRescaleBox.cc
+index d7615010..7fd07041 100644
+--- a/poppler/CairoRescaleBox.cc
++++ b/poppler/CairoRescaleBox.cc
+@@ -62,7 +62,7 @@
+ 
+ static void downsample_row_box_filter (
+         int start, int width,
+-        uint32_t *src, uint32_t *dest,
++        uint32_t *src, uint32_t *src_limit, uint32_t *dest,
+         int coverage[], int pixel_coverage)
+ {
+     /* we need an array of the pixel contribution of each destination pixel on the boundaries.
+@@ -90,13 +90,13 @@ static void downsample_row_box_filter (
+     /* skip to start */
+     /* XXX: it might be possible to do this directly instead of iteratively, however
+      * the iterative solution is simple */
+-    while (x < start)
++    while (x < start && src < src_limit)
+     {
+         int box = 1 << FIXED_SHIFT;
+         int start_coverage = coverage[x];
+         box -= start_coverage;
+         src++;
+-        while (box >= pixel_coverage)
++        while (box >= pixel_coverage && src < src_limit)
+         {
+             src++;
+             box -= pixel_coverage;
+@@ -104,7 +104,7 @@ static void downsample_row_box_filter (
+         x++;
+     }
+ 
+-    while (x < start + width)
++    while (x < start + width && src < src_limit)
+     {
+         uint32_t a = 0;
+         uint32_t r = 0;
+@@ -121,7 +121,7 @@ static void downsample_row_box_filter (
+         x++;
+         box -= start_coverage;
+ 
+-        while (box >= pixel_coverage)
++        while (box >= pixel_coverage && src < src_limit)
+         {
+             a += ((*src >> 24) & 0xff) * pixel_coverage;
+             r += ((*src >> 16) & 0xff) * pixel_coverage;
+@@ -135,7 +135,7 @@ static void downsample_row_box_filter (
+         /* multiply by whatever is leftover
+          * this ensures that we don't bias down.
+          * i.e. start_coverage + n*pixel_coverage + box == 1 << 24 */
+-        if (box > 0)
++        if (box > 0 && src < src_limit)
+         {
+             a += ((*src >> 24) & 0xff) * box;
+             r += ((*src >> 16) & 0xff) * box;
+@@ -337,7 +337,7 @@ bool CairoRescaleBox::downScaleImage(unsigned orig_width, unsigned orig_height,
+     int start_coverage_y = y_coverage[dest_y];
+ 
+     getRow(src_y, scanline);
+-    downsample_row_box_filter (start_column, width, scanline, temp_buf + width * columns, x_coverage, pixel_coverage_x);
++    downsample_row_box_filter (start_column, width, scanline, scanline + orig_width, temp_buf + width * columns, x_coverage, pixel_coverage_x);
+     columns++;
+     src_y++;
+     box -= start_coverage_y;
+@@ -345,7 +345,7 @@ bool CairoRescaleBox::downScaleImage(unsigned orig_width, unsigned orig_height,
+     while (box >= pixel_coverage_y)
+     {
+       getRow(src_y, scanline);
+-      downsample_row_box_filter (start_column, width, scanline, temp_buf + width * columns, x_coverage, pixel_coverage_x);
++      downsample_row_box_filter (start_column, width, scanline, scanline + orig_width, temp_buf + width * columns, x_coverage, pixel_coverage_x);
+       columns++;
+       src_y++;
+       box -= pixel_coverage_y;
+@@ -355,7 +355,7 @@ bool CairoRescaleBox::downScaleImage(unsigned orig_width, unsigned orig_height,
+     if (box > 0)
+     {
+       getRow(src_y, scanline);
+-      downsample_row_box_filter (start_column, width, scanline, temp_buf + width * columns, x_coverage, pixel_coverage_x);
++      downsample_row_box_filter (start_column, width, scanline, scanline + orig_width, temp_buf + width * columns, x_coverage, pixel_coverage_x);
+       columns++;
+     }
+ 
+-- 
+2.18.1
+
diff --git a/main/poppler/bug924029-goostring-null-pointers.patch b/main/poppler/bug924029-goostring-null-pointers.patch
new file mode 100644
index 0000000000..c39392aba4
--- /dev/null
+++ b/main/poppler/bug924029-goostring-null-pointers.patch
@@ -0,0 +1,97 @@ 
+Subject: Make GooString constructible and assignable from null pointers again
+ since some of the code expects it.
+Origin: https://gitlab.freedesktop.org/poppler/poppler/commit/8f158da92c53ae16a368f844965f57ba8ffed77d
+Bug: https://gitlab.freedesktop.org/poppler/poppler/commit/8f158da92c53ae16a368f844965f57ba8ffed77d
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924029
+Reviewed-by: Jonathan Wiltshire <jmw@debian.org>
+Applied-Upstream: yes
+Last-Update: 2019-05-25
+
+--- poppler-0.71.0.orig/goo/GooString.h
++++ poppler-0.71.0/goo/GooString.h
+@@ -60,7 +60,7 @@
+   GooString& operator=(const GooString &other) = delete;
+ 
+   // Create a string from a C string.
+-  explicit GooString(const char *sA) : std::string(sA) {}
++  explicit GooString(const char *sA) : std::string(sA ? sA : "") {}
+ 
+   // Zero-cost conversion from and to std::string
+   explicit GooString(const std::string& str) : std::string(str) {}
+@@ -70,18 +70,18 @@
+ 
+   // Create a string from <lengthA> chars at <sA>.  This string
+   // can contain null characters.
+-  GooString(const char *sA, int lengthA) : std::string(sA, lengthA) {}
++  GooString(const char *sA, int lengthA) : std::string(sA ? sA : "", sA ? lengthA : 0) {}
+ 
+   // Create a string from <lengthA> chars at <idx> in <str>.
+   GooString(const GooString *str, int idx, int lengthA) : std::string(*str, idx, lengthA) {}
+ 
+   // Set content of a string to <newStr>.
+-  GooString* Set(const GooString *newStr) { assign(*newStr); return this; }
+-  GooString* Set(const char *newStr) { assign(newStr); return this; }
+-  GooString* Set(const char *newStr, int newLen) { assign(newStr, newLen); return this; }
++  GooString* Set(const GooString *newStr) { assign(newStr ? static_cast<const std::string&>(*newStr) : std::string{}); return this; }
++  GooString* Set(const char *newStr) { assign(newStr ? newStr : ""); return this; }
++  GooString* Set(const char *newStr, int newLen) { assign(newStr ? newStr : "", newStr ? newLen : 0); return this; }
+ 
+   // Copy a string.
+-  explicit GooString(const GooString *str) : std::string(*str) {}
++  explicit GooString(const GooString *str) : std::string(str ? static_cast<const std::string&>(*str) : std::string{}) {}
+   GooString *copy() const { return new GooString(this); }
+ 
+   // Concatenate two strings.
+--- poppler-0.71.0.orig/qt5/tests/check_goostring.cpp
++++ poppler-0.71.0/qt5/tests/check_goostring.cpp
+@@ -11,6 +11,7 @@
+     void testInsertData();
+     void testInsert();
+     void testFormat();
++    void testFromNullptr();
+ };
+ 
+ void TestGooString::testInsertData_data()
+@@ -122,6 +123,42 @@
+     }
+ }
+ 
++void TestGooString::testFromNullptr()
++{
++  {
++    GooString str{static_cast<const GooString*>(nullptr)};
++    QCOMPARE(str.getLength(), 0);
++  }
++
++  {
++    GooString str;
++    str.Set(static_cast<const GooString*>(nullptr));
++    QCOMPARE(str.getLength(), 0);
++  }
++
++  {
++    GooString str{static_cast<const char*>(nullptr)};
++    QCOMPARE(str.getLength(), 0);
++  }
++
++  {
++    GooString str{static_cast<const char*>(nullptr), 0};
++    QCOMPARE(str.getLength(), 0);
++  }
++
++  {
++    GooString str;
++    str.Set(static_cast<const char*>(nullptr));
++    QCOMPARE(str.getLength(), 0);
++  }
++
++  {
++    GooString str;
++    str.Set(static_cast<const char*>(nullptr), 0);
++    QCOMPARE(str.getLength(), 0);
++  }
++}
++
+ QTEST_GUILESS_MAIN(TestGooString)
+ #include "check_goostring.moc"
+ 
diff --git a/main/poppler/glib-Don-t-create-PopplerInputStream-with-length-0.patch b/main/poppler/glib-Don-t-create-PopplerInputStream-with-length-0.patch
new file mode 100644
index 0000000000..c59de03677
--- /dev/null
+++ b/main/poppler/glib-Don-t-create-PopplerInputStream-with-length-0.patch
@@ -0,0 +1,36 @@ 
+From: Simon McVittie <smcv@debian.org>
+Date: Thu, 14 Feb 2019 09:43:32 +0000
+Subject: glib: Don't create PopplerInputStream with length 0
+
+Since commit a59f6164, PopplerInputStream requires a nonzero length.
+
+Loosely based on an earlier patch by Kouhei Sutou. This version adds
+support for length == -1, which is documented to work.
+
+Bug: https://gitlab.freedesktop.org/poppler/poppler/issues/414
+Bug-Debian: https://bugs.debian.org/896596
+Forwarded: https://gitlab.freedesktop.org/poppler/poppler/merge_requests/189
+---
+ glib/poppler-document.cc | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/glib/poppler-document.cc b/glib/poppler-document.cc
+index ed37da4c..e04c8b42 100644
+--- a/glib/poppler-document.cc
++++ b/glib/poppler-document.cc
+@@ -309,7 +309,14 @@ poppler_document_new_from_stream (GInputStream *stream,
+   }
+ 
+   if (stream_is_memory_buffer_or_local_file(stream)) {
+-    str = new PopplerInputStream(stream, cancellable, 0, false, 0, Object(objNull));
++    if (length == (goffset)-1) {
++      if (!g_seekable_seek(G_SEEKABLE(stream), 0, G_SEEK_END, cancellable, error)) {
++        g_prefix_error(error, "Unable to determine length of stream: ");
++        return nullptr;
++      }
++      length = g_seekable_tell(G_SEEKABLE(stream));
++    }
++    str = new PopplerInputStream(stream, cancellable, 0, false, length, Object(objNull));
+   } else {
+     CachedFile *cachedFile = new CachedFile(new PopplerCachedFileLoader(stream, cancellable, length), new GooString());
+     str = new CachedFileStream(cachedFile, 0, false, cachedFile->getLength(), Object(objNull));
diff --git a/main/poppler/page-ustring.patch b/main/poppler/page-ustring.patch
new file mode 100644
index 0000000000..8b0a1ba58f
--- /dev/null
+++ b/main/poppler/page-ustring.patch
@@ -0,0 +1,29 @@ 
+From a4fad73c86a2eabe004e7cbaa8c9c0ff42146375 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Thu, 6 Dec 2018 18:27:04 +0100
+Subject: [PATCH] cpp: Fix page::text_list encoding issue
+
+Text from TextoutputDev always comes in UTF-8
+
+Well it comes in GlobalParams::textEncoding but that is UTF-8 and we
+don't let people change it
+---
+ cpp/poppler-page.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cpp/poppler-page.cpp b/cpp/poppler-page.cpp
+index 9d9526cc..c4955471 100644
+--- a/cpp/poppler-page.cpp
++++ b/cpp/poppler-page.cpp
+@@ -365,7 +365,7 @@ std::vector<text_box> page::text_list() const
+             TextWord *word = word_list->get(i);
+ 
+             std::unique_ptr<GooString> gooWord{word->getText()};
+-            ustring ustr = detail::unicode_GooString_to_ustring(gooWord.get());
++            ustring ustr = ustring::from_utf8(gooWord->getCString());
+ 
+             double xMin, yMin, xMax, yMax;
+             word->getBBox(&xMin, &yMin, &xMax, &yMax);
+-- 
+2.18.1
+