$NetBSD: patch-ar,v 1.3 2004/09/16 19:28:56 minskim Exp $

--- extras/Xpm/lib/create.c.orig	2003-10-07 16:25:37.000000000 -0500
+++ extras/Xpm/lib/create.c
@@ -816,6 +816,9 @@ XpmCreateImageFromXpmImage(display, imag
 
     ErrorStatus = XpmSuccess;
 
+    if (image->ncolors >= SIZE_MAX / sizeof(Pixel))
+	return (XpmNoMemory);
+
     /* malloc pixels index tables */
     image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * image->ncolors);
     if (!image_pixels)
@@ -988,6 +991,8 @@ CreateXImage(display, visual, depth, for
 	return (XpmNoMemory);
 
 #if !defined(FOR_MSW) && !defined(AMIGA)
+    if (height != 0 && (*image_return)->bytes_per_line >= SIZE_MAX / height)
+	return XpmNoMemory;
     /* now that bytes_per_line must have been set properly alloc data */
     (*image_return)->data =
 	(char *) XpmMalloc((*image_return)->bytes_per_line * height);
@@ -2055,6 +2060,9 @@ xpmParseDataAndCreate(display, data, ima
 	xpmGetCmt(data, &colors_cmt);
 
     /* malloc pixels index tables */
+    if (ncolors >= SIZE_MAX / sizeof(Pixel)) 
+	return XpmNoMemory;
+
     image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors);
     if (!image_pixels)
 	RETURN(XpmNoMemory);
@@ -2309,7 +2317,8 @@ ParseAndPutPixels(
 	    }
 	    obm = SelectObject(*dc, image->bitmap);
 #endif
-
+	    if (ncolors > 256)
+		return (XpmFileInvalid);
 
 	    bzero((char *)colidx, 256 * sizeof(short));
 	    for (a = 0; a < ncolors; a++)
@@ -2415,6 +2424,9 @@ if (cidx[f]) XpmFree(cidx[f]);}
 	    char *s;
 	    char buf[BUFSIZ];
 
+	    if (cpp >= sizeof(buf))
+		return (XpmFileInvalid);
+
 	    buf[cpp] = '\0';
 	    if (USE_HASHTABLE) {
 		xpmHashAtom *slot;
