--- cups-1.3.7/pdftops/JBIG2Stream.h.cert-batch3892,4781,5486,19856,19869	2009-04-10 09:50:51.000000000 -0400
+++ cups-1.3.7/pdftops/JBIG2Stream.h	2009-04-10 09:52:51.000000000 -0400
@@ -99,7 +99,7 @@ private:
   void readEndOfStripeSeg(Guint length);
   void readProfilesSeg(Guint length);
   void readCodeTableSeg(Guint segNum, Guint length);
-  void readExtensionSeg(Guint length);
+  int readExtensionSeg(Guint length);
   JBIG2Segment *findSegment(Guint segNum);
   void discardSegment(Guint segNum);
   void resetGenericStats(Guint templ,
--- cups-1.3.7/pdftops/JBIG2Stream.cxx.cert-batch3892,4781,5486,19856,19869	2009-04-10 09:51:02.000000000 -0400
+++ cups-1.3.7/pdftops/JBIG2Stream.cxx	2009-04-10 09:53:23.000000000 -0400
@@ -1379,7 +1379,8 @@ void JBIG2Stream::readSegments() {
       readCodeTableSeg(segNum, segLength);
       break;
     case 62:
-      readExtensionSeg(segLength);
+      if (readExtensionSeg(segLength) == EOF)
+        goto eofError2;
       break;
     default:
       error(getPos(), "Unknown segment type in JBIG2 stream");
@@ -1404,6 +1405,7 @@ void JBIG2Stream::readSegments() {
   gfree(refSegs);
  eofError1:
   error(getPos(), "Unexpected EOF in JBIG2 stream");
+  exit(1);
 }
 
 GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Guint length,
@@ -1713,6 +1715,8 @@ GBool JBIG2Stream::readSymbolDictSeg(Gui
 	    readGenericBitmap(gFalse, symWidth, symHeight,
 			      sdTemplate, gFalse, gFalse, NULL,
 			      sdATX, sdATY, 0);
+	if (bitmaps[numInputSyms + i] == NULL)
+	  goto eofError;
       }
 
       ++i;
@@ -1733,6 +1737,8 @@ GBool JBIG2Stream::readSymbolDictSeg(Gui
 	collBitmap = readGenericBitmap(gTrue, totalWidth, symHeight,
 				       0, gFalse, gFalse, NULL, NULL, NULL,
 				       bmSize);
+	if (collBitmap == NULL)
+	  goto eofError;
       }
       x = 0;
       for (; j < i; ++j) {
@@ -2349,6 +2355,8 @@ void JBIG2Stream::readPatternDictSeg(Gui
   bitmap = readGenericBitmap(mmr, (grayMax + 1) * patternW, patternH,
 			     templ, gFalse, gFalse, NULL,
 			     atx, aty, length - 7);
+  if (bitmap == NULL)
+    goto eofError;
 
   // create the pattern dict object
   patternDict = new JBIG2PatternDict(segNum, grayMax + 1);
@@ -2480,6 +2488,8 @@ void JBIG2Stream::readHalftoneRegionSeg(
   for (j = bpp - 1; j >= 0; --j) {
     grayBitmap = readGenericBitmap(mmr, gridW, gridH, templ, gFalse,
 				   enableSkip, skipBitmap, atx, aty, -1);
+    if (grayBitmap == NULL)
+      goto eofError;
     i = 0;
     for (m = 0; m < gridH; ++m) {
       for (n = 0; n < gridW; ++n) {
@@ -2581,6 +2591,8 @@ void JBIG2Stream::readGenericRegionSeg(G
   // read the bitmap
   bitmap = readGenericBitmap(mmr, w, h, templ, tpgdOn, gFalse,
 			     NULL, atx, aty, mmr ? length - 18 : 0);
+  if (bitmap == NULL)
+    goto eofError;
 
   // combine the region bitmap into the page bitmap
   if (imm) {
@@ -2885,6 +2897,9 @@ JBIG2Bitmap *JBIG2Stream::readGenericBit
 	}
       }
 
+      if (arithDecoder->eof())
+	  return NULL;
+
       switch (templ) {
       case 0:
 
@@ -3417,13 +3432,15 @@ void JBIG2Stream::readCodeTableSeg(Guint
   error(getPos(), "Unexpected EOF in JBIG2 stream");
 }
 
-void JBIG2Stream::readExtensionSeg(Guint length) {
+int JBIG2Stream::readExtensionSeg(Guint length) {
   Guint i;
 
   // skip the segment
   for (i = 0; i < length; ++i) {
-    curStr->getChar();
+    if (curStr->getChar() == EOF)
+      return EOF;
   }
+  return 0;
 }
 
 JBIG2Segment *JBIG2Stream::findSegment(Guint segNum) {
--- cups-1.3.7/pdftops/JArithmeticDecoder.h.cert-batch3892,4781,5486,19856,19869	2009-04-10 09:51:15.000000000 -0400
+++ cups-1.3.7/pdftops/JArithmeticDecoder.h	2009-04-10 09:53:06.000000000 -0400
@@ -55,9 +55,9 @@ public:
   ~JArithmeticDecoder();
 
   void setStream(Stream *strA)
-    { str = strA; dataLen = 0; limitStream = gFalse; }
+    { str = strA; dataLen = 0; limitStream = gFalse; seen_eof = gFalse; }
   void setStream(Stream *strA, int dataLenA)
-    { str = strA; dataLen = dataLenA; limitStream = gTrue; }
+    { str = strA; dataLen = dataLenA; limitStream = gTrue; seen_eof = gFalse; }
 
   // Start decoding on a new stream.  This fills the byte buffers and
   // runs INITDEC.
@@ -84,6 +84,9 @@ public:
   Guint decodeIAID(Guint codeLen,
 		   JArithmeticDecoderStats *stats);
 
+  // EOF seen?
+  GBool eof() { return seen_eof; }
+
 private:
 
   Guint readByte();
@@ -104,6 +107,7 @@ private:
   Stream *str;
   int dataLen;
   GBool limitStream;
+  GBool seen_eof;
 };
 
 #endif
--- cups-1.3.7/pdftops/JArithmeticDecoder.cxx.cert-batch3892,4781,5486,19856,19869	2009-04-10 09:51:25.000000000 -0400
+++ cups-1.3.7/pdftops/JArithmeticDecoder.cxx	2009-04-10 09:53:06.000000000 -0400
@@ -91,6 +91,7 @@ JArithmeticDecoder::JArithmeticDecoder()
   str = NULL;
   dataLen = 0;
   limitStream = gFalse;
+  seen_eof = gFalse;
 }
 
 inline Guint JArithmeticDecoder::readByte() {
@@ -100,7 +101,10 @@ inline Guint JArithmeticDecoder::readByt
       return 0xff;
     }
   }
-  return (Guint)str->getChar() & 0xff;
+  int b = str->getChar ();
+  if (b == EOF)
+    seen_eof = gTrue;
+  return (Guint)b & 0xff;
 }
 
 JArithmeticDecoder::~JArithmeticDecoder() {