$NetBSD: patch-cc,v 1.1 2006/11/24 12:46:12 drochner Exp $

--- src/modules/loaders/loader_lbm.c.orig	2006-09-06 13:34:49.000000000 +0200
+++ src/modules/loaders/loader_lbm.c
@@ -421,7 +421,7 @@ ILBM    ilbm;
 
         im->w = L2RWORD(ilbm.bmhd.data);
         im->h = L2RWORD(ilbm.bmhd.data + 2);
-        if (im->w <= 0 || im->h <= 0) ok = 0;
+        if (im->w <= 0 || im->h <= 0 || im->w > 16383 || im->h > 16383) ok = 0;
 
         ilbm.depth = ilbm.bmhd.data[8];
         if (ilbm.depth < 1 || (ilbm.depth > 8 && ilbm.depth != 24 && ilbm.depth != 32)) ok = 0; /* Only 1 to 8, 24, or 32 planes. */
@@ -453,6 +453,7 @@ ILBM    ilbm;
         }
     }
     if (!full || !ok) {
+        im->w = im->h = 0;
         freeilbm(&ilbm);
         return ok;
     }
@@ -467,12 +468,13 @@ ILBM    ilbm;
     cancel = 0;
     plane[0] = NULL;
 
+    n = ilbm.depth;
+    if (ilbm.mask == 1) n++;
+
     im->data = malloc(im->w * im->h * sizeof(DATA32));
-    if (im->data) {
-        n = ilbm.depth;
-        if (ilbm.mask == 1) n++;
+    plane[0] = malloc(((im->w + 15) / 16) * 2 * n);
+    if (im->data && plane[0]) {
 
-        plane[0] = malloc(((im->w + 15) / 16) * 2 * n);
         for (i = 1; i < n; i++) plane[i] = plane[i - 1] + ((im->w + 15) / 16) * 2;
 
         z = ((im->w + 15) / 16) * 2 * n;
@@ -511,6 +513,7 @@ ILBM    ilbm;
    * the memory for im->data.
    *----------*/
     if (!ok) {
+        im->w = im->h = 0;
         if (im->data) free(im->data);
         im->data = NULL;
     }
