diff --git a/xpdf/xpdf/JBIG2Stream.cc b/xpdf/xpdf/JBIG2Stream.cc index c190aba47..128fe1d5b 100644 --- a/xpdf/xpdf/JBIG2Stream.cc +++ b/xpdf/xpdf/JBIG2Stream.cc @@ -7,6 +7,7 @@ //======================================================================== #include +#include #ifdef USE_GCC_PRAGMAS #pragma implementation @@ -681,9 +682,15 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, int wA, int hA): w = wA; h = hA; line = (wA + 7) >> 3; - // need to allocate one extra guard byte for use in combine() - data = (Guchar *)gmalloc(h * line + 1); - data[h * line] = 0; + + if (h < 0 || line <= 0 || h >= INT_MAX / line) { + data = NULL; + } + else { + // need to allocate one extra guard byte for use in combine() + data = (Guchar *)gmalloc(h * line + 1); + data[h * line] = 0; + } } JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap): @@ -692,6 +699,12 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap): w = bitmap->w; h = bitmap->h; line = bitmap->line; + + if (h < 0 || line <= 0 || h >= INT_MAX / line) { + data = NULL; + return; + } + // need to allocate one extra guard byte for use in combine() data = (Guchar *)gmalloc(h * line + 1); memcpy(data, bitmap->data, h * line); @@ -720,7 +733,7 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint x, Guint y, Guint wA, Guint hA) { } void JBIG2Bitmap::expand(int newH, Guint pixel) { - if (newH <= h) { + if (newH <= h || line <= 0 || newH >= INT_MAX / line) { return; } // need to allocate one extra guard byte for use in combine() @@ -2305,6 +2318,15 @@ void JBIG2Stream::readHalftoneRegionSeg(Guint segNum, GBool imm, error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment"); return; } + if (gridH == 0 || gridW >= INT_MAX / gridH) { + error(getPos(), "Bad size in JBIG2 halftone segment"); + return; + } + if (w == 0 || h >= INT_MAX / w) { + error(getPos(), "Bad size in JBIG2 bitmap segment"); + return; + } + patternDict = (JBIG2PatternDict *)seg; bpp = 0; i = 1; 
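Review bot: In the `JBIG2Bitmap(Guint segNumA, int wA, int hA)` hunk the failure branch sets `data = NULL` but keeps the rejected `w`, `h` and `line`, and nothing in the hunk lets a caller tell that construction failed. A caller that uses the bitmap straight after `new JBIG2Bitmap(...)` would then work on a NULL buffer with the untrusted dimensions still in place, unless it repeats the size check itself. I would clear the dimensions in the failure branch, `w = h = line = 0;`, and give callers a predicate to test, for example `GBool isOk() { return data != NULL; }`. The copy-constructor hunk at -692 has the same gap. Separately, `line = (wA + 7) >> 3` runs before the guard, so a `wA` close to `INT_MAX` overflows a signed int before any check sees it.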
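Review bot: The widened guard in `JBIG2Bitmap::expand()` returns without growing the bitmap when `newH * line` would overflow, but the function is `void` and gives the caller no sign that the request was refused. If a caller outside this hunk goes on to address rows up to `newH`, it would do so against the old, smaller allocation. I would at least document the contract above the guard with `// on a rejected size the bitmap is left unchanged; callers must compare h with newH before using the new rows`. The body of `expand()` continues past the end of the hunk, so how `h` is updated on success is not visible here.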
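Review bot: The second check added to `readHalftoneRegionSeg` reports `"Bad size in JBIG2 bitmap segment"`, which points anyone triaging a malformed file at the wrong segment type; something like `"Bad region size in JBIG2 halftone segment"` keeps the two failures distinguishable. Both checks bound only the element counts `gridW * gridH` and `w * h`. If an allocation further down the function (outside this hunk) multiplies either product by an element size without its own overflow check, that multiplication could still wrap, so this is worth confirming. The declarations of `w`, `h`, `gridW` and `gridH` are not in the hunk; the comparisons read correctly if they are unsigned, as the `== 0` tests suggest.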
@@ -2936,6 +2958,9 @@ JBIG2Bitmap *JBIG2Stream::readGenericRefinementRegion(int w, int h, JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2; int x, y, pix; + if (w < 0 || h <= 0 || w >= INT_MAX / h) + return NULL; + bitmap = new JBIG2Bitmap(0, w, h); bitmap->clearToZero(); diff --git a/xpdf/xpdf/Stream.cc b/xpdf/xpdf/Stream.cc index 931354978..63c965db6 100644 --- a/xpdf/xpdf/Stream.cc +++ b/xpdf/xpdf/Stream.cc @@ -418,7 +418,7 @@ StreamPredictor::StreamPredictor(Stream *strA, int predictorA, return; nVals = width * nComps; - if (nVals + 7 <= 0) + if (nVals * nBits + 7 <= 0) return; pixBytes = (nComps * nBits + 7) >> 3; rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; @@ -1277,7 +1277,7 @@ CCITTFaxStream::CCITTFaxStream(Stream *strA, int encodingA, GBool endOfLineA, endOfLine = endOfLineA; byteAlign = byteAlignA; columns = columnsA; - if (columns < 1) { + if (columns + 3 < 1 || columns + 4 < 1 || columns < 1) { columns = 1; } rows = rowsA; @@ -2923,10 +2923,7 @@ GBool DCTStream::readBaselineSOF() { width = read16(); numComps = str->getChar(); if (numComps <= 0 || numComps > 4) { - error(getPos(), "Bad number of components in DCT stream", prec); - return gFalse; - } - if (numComps <= 0 || numComps > 4) { + numComps = 0; error(getPos(), "Bad number of components in DCT stream", prec); return gFalse; } @@ -2957,6 +2954,7 @@ GBool DCTStream::readProgressiveSOF() { width = read16(); numComps = str->getChar(); if (numComps <= 0 || numComps > 4) { + numComps = 0; error(getPos(), "Bad number of components in DCT stream"); return gFalse; } @@ -2983,6 +2981,7 @@ GBool DCTStream::readScanInfo() { length = read16() - 2; scanInfo.numComps = str->getChar(); if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) { + scanInfo.numComps = 0; error(getPos(), "Bad number of components in DCT stream"); return gFalse; } 
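Review bot: The new guard in `readGenericRefinementRegion` lets `w == 0` through, yet the constructor hunk above computes `line = (wA + 7) >> 3`, which is 0 for `w == 0`, and then takes its `line <= 0` branch and sets `data = NULL`. The very next lines, `bitmap = new JBIG2Bitmap(0, w, h); bitmap->clearToZero();`, would then run on a bitmap with no buffer. Testing `w <= 0` closes that gap: `if (w <= 0 || h <= 0 || w >= INT_MAX / h)`. The early return is also silent, unlike the halftone hunk, so I would add `error(getPos(), "Bad size in JBIG2 generic refinement region");` before `return NULL;`. Callers of this function are outside the hunk and need to be confirmed to handle a NULL result.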
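Review bot: The changed test in `StreamPredictor::StreamPredictor`, `if (nVals * nBits + 7 <= 0)`, detects the overflow only after it has happened, and the same goes for `nVals = width * nComps` on the line before it. Signed overflow is undefined behaviour in C++, so an optimising compiler may assume the result is positive and drop the check. A division-based pre-check in the style of the JBIG2 hunks avoids this: `if (nComps <= 0 || nBits <= 0 || width >= (INT_MAX - 7) / nComps / nBits) return;`, placed before `nVals` is computed. That assumes these are plain `int`s and that `<limits.h>` is available in Stream.cc; neither is visible in the hunk. The `CCITTFaxStream` hunk at -1277 uses the same after-the-fact pattern in `columns + 3 < 1 || columns + 4 < 1`, which can be written without overflow as `if (columns < 1 || columns > INT_MAX - 4)`.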
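Review bot: The line kept in `readBaselineSOF`, `error(getPos(), "Bad number of components in DCT stream", prec);`, passes `prec` to a message with no conversion specifier, so the argument is ignored; either drop it or print it. The added `numComps = 0;` also deserves a why-comment, since resetting a value just before returning failure looks redundant. I would add `// do not leave an out-of-range component count behind for code that runs after a failed header parse`, presumably the intent, although the later users of `numComps` are outside the hunk. The same comment applies to the `numComps = 0;` line in the `readProgressiveSOF` hunk and to `scanInfo.numComps = 0;` in the `readScanInfo` hunk.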
@@ -3070,12 +3069,12 @@ GBool DCTStream::readHuffmanTables() { while (length > 0) { index = str->getChar(); --length; - if ((index & 0x0f) >= 4) { + if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) { error(getPos(), "Bad DCT Huffman table"); return gFalse; } if (index & 0x10) { - index &= 0x0f; + index &= 0x03; if (index >= numACHuffTables) numACHuffTables = index+1; tbl = &acHuffTables[index];
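Review bot: The new condition in `readHuffmanTables` needs a comment, because it is not obvious why `(index & ~0x10) < 0` is tested next to the range check. Presumably it rejects the negative end-of-stream value from `str->getChar()`, which the old `& 0x0f` mask would have turned into a small positive number; the declaration of `index` is outside the hunk, so this should be confirmed. I would add above the `if`: `// bit 4 selects the AC table class; all remaining bits must form a table id 0..3, and a negative value (EOF) is rejected`. With that check in place `index &= 0x03;` is equivalent to clearing bit 4, and writing it as `index &= ~0x10;` would mirror the test and read more directly.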