poppler/backport-CVE-2018-20481.patch


diff -Nuar poppler-0.67.0/poppler/XRef.cc poppler-0.67.0-old/poppler/XRef.cc
--- poppler-0.67.0/poppler/XRef.cc 2018-07-20 05:20:03.000000000 +0800
+++ poppler-0.67.0-old/poppler/XRef.cc 2021-01-18 15:56:14.964000000 +0800
@@ -1611,11 +1611,31 @@
}
}
+namespace {
+
+struct DummyXRefEntry : XRefEntry {
+ DummyXRefEntry() {
+ offset = 0;
+ gen = -1;
+ type = xrefEntryNone;
+ flags = 0;
+ }
+};
+
+DummyXRefEntry dummyXRefEntry;
+
+}
+
XRefEntry *XRef::getEntry(int i, GBool complainIfMissing)
{
if (i >= size || entries[i].type == xrefEntryNone) {
if ((!xRefStream) && mainXRefEntriesOffset) {
+ if (unlikely(i >= capacity)) {
+ error(errInternal, -1, "Request for out-of-bounds XRef entry [{0:d}]", i);
+ return &dummyXRefEntry;
+ }
+
if (!parseEntry(mainXRefEntriesOffset + 20*i, &entries[i])) {
error(errSyntaxError, -1, "Failed to parse XRef entry [{0:d}].", i);
}
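Review bot: The added guard rejects only `i >= capacity`, so a negative `i` still reaches `entries[i]` in the unchanged condition at the top of `getEntry`, because `i >= size` is false for it and the array is then read before the new check runs. Whether any caller can pass a negative object number is not visible from this hunk, but `i` is a plain `int`, so an early guard at function entry such as `if (unlikely(i < 0)) return &dummyXRefEntry;` would close the lower bound as well. Separately, `dummyXRefEntry` is now initialised once instead of being reset on every return, so a caller that writes through the returned pointer would leave stale state for later callers; a short comment on the declaration saying the sentinel must be treated as read-only would help. The body of `getEntry` continues past the end of this hunk.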
@@ -1626,12 +1646,7 @@
// We might have reconstructed the xref
// Check again i is in bounds
if (unlikely(i >= size)) {
- static XRefEntry dummy;
- dummy.offset = 0;
- dummy.gen = -1;
- dummy.type = xrefEntryNone;
- dummy.flags = 0;
- return &dummy;
+ return &dummyXRefEntry;
}
if (entries[i].type == xrefEntryNone) {