$NetBSD: patch-an,v 1.3 2004/09/16 19:28:56 minskim Exp $

--- extras/Xpm/lib/scan.c.orig	2002-01-07 13:40:49.000000000 -0600
+++ extras/Xpm/lib/scan.c
@@ -107,7 +107,8 @@ LFUNC(MSWGetImagePixels, int, (Display *
 LFUNC(ScanTransparentColor, int, (XpmColor *color, unsigned int cpp,
 				  XpmAttributes *attributes));
 
-LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors, int ncolors,
+LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors, 
+			     unsigned int ncolors, 
 			     Pixel *pixels, unsigned int mask,
 			     unsigned int cpp, XpmAttributes *attributes));
 
@@ -232,11 +233,17 @@ XpmCreateXpmImageFromImage(display, imag
     else
 	cpp = 0;
 
+    if ((height > 0 && width >= SIZE_MAX / height) ||
+	width * height >= SIZE_MAX / sizeof(unsigned int))
+	RETURN(XpmNoMemory);
     pmap.pixelindex =
 	(unsigned int *) XpmCalloc(width * height, sizeof(unsigned int));
     if (!pmap.pixelindex)
 	RETURN(XpmNoMemory);
 
+    if (pmap.size >= SIZE_MAX / sizeof(Pixel)) 
+	RETURN(XpmNoMemory);
+
     pmap.pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * pmap.size);
     if (!pmap.pixels)
 	RETURN(XpmNoMemory);
@@ -302,6 +309,8 @@ XpmCreateXpmImageFromImage(display, imag
      * color
      */
 
+    if (pmap.ncolors >= SIZE_MAX / sizeof(XpmColor))
+	RETURN(XpmNoMemory);
     colorTable = (XpmColor *) XpmCalloc(pmap.ncolors, sizeof(XpmColor));
     if (!colorTable)
 	RETURN(XpmNoMemory);
@@ -360,6 +369,8 @@ ScanTransparentColor(color, cpp, attribu
 
     /* first get a character string */
     a = 0;
+    if (cpp >= SIZE_MAX - 1)
+	return (XpmNoMemory);
     if (!(s = color->string = (char *) XpmMalloc(cpp + 1)))
 	return (XpmNoMemory);
     *s++ = printable[c = a % MAXPRINTABLE];
@@ -407,7 +418,7 @@ static int
 ScanOtherColors(display, colors, ncolors, pixels, mask, cpp, attributes)
     Display *display;
     XpmColor *colors;
-    int ncolors;
+    unsigned int ncolors;
     Pixel *pixels;
     unsigned int mask;
     unsigned int cpp;
@@ -451,6 +462,8 @@ ScanOtherColors(display, colors, ncolors
     }
 
     /* first get character strings and rgb values */
+    if (ncolors >= SIZE_MAX / sizeof(XColor) || cpp >= SIZE_MAX - 1)
+	return (XpmNoMemory);
     xcolors = (XColor *) XpmMalloc(sizeof(XColor) * ncolors);
     if (!xcolors)
 	return (XpmNoMemory);
