Fix CVE-2018-16647 and CVE-2018-16648

Cherry-pick patches to address CVE-2018-16647 and CVE-2018-16648 which is https://bugs.debian.org/924351.

Cherry-pick'ed an additional commit to fix issue seen still while running mupdf with the provided proof of concents revealing that upstream commit fa4cdfca9ec3034dbe54e1cb08c8b97e9ebed46d ("Fix typo in pdf write device.") was missing.