$NetBSD: patch-be,v 1.1 2004/12/18 00:39:31 tron Exp $

--- lib/Xm/Xpmcreate.c.orig	2000-04-28 16:05:21.000000000 +0100
+++ lib/Xm/Xpmcreate.c	2004-12-17 23:28:32.000000000 +0000
@@ -1,4 +1,5 @@
 /* $XConsortium: Xpmcreate.c /main/8 1996/09/20 08:15:02 pascale $ */
+/* $XdotOrg: pre-CVS proposed fix for CESA-2004-003 alanc 7/25/2004 $ */
 /*
  * Copyright (C) 1989-95 GROUPE BULL
  *
@@ -799,6 +800,9 @@
 
     ErrorStatus = XpmSuccess;
 
+    if (image->ncolors >= SIZE_MAX / sizeof(Pixel)) 
+	return (XpmNoMemory);
+
     /* malloc pixels index tables */
     image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * image->ncolors);
     if (!image_pixels)
@@ -942,6 +946,8 @@
 	return (XpmNoMemory);
 
 #ifndef FOR_MSW
+     if (height != 0 && (*image_return)->bytes_per_line >= SIZE_MAX / height)
+	return XpmNoMemory;
     /* now that bytes_per_line must have been set properly alloc data */
     (*image_return)->data =
 	(char *) XpmMalloc((*image_return)->bytes_per_line * height);
@@ -1987,6 +1993,9 @@
 	xpmGetCmt(data, &colors_cmt);
 
     /* malloc pixels index tables */
+    if (ncolors >= SIZE_MAX / sizeof(Pixel)) 
+	return XpmNoMemory;
+
     image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors);
     if (!image_pixels)
 	RETURN(XpmNoMemory);
@@ -2200,6 +2209,9 @@
 	{
 	    unsigned short colidx[256];
 
+	    if (ncolors > 256)
+		return (XpmFileInvalid);
+
 	    bzero((char *)colidx, 256 * sizeof(short));
 	    for (a = 0; a < ncolors; a++)
 		colidx[(unsigned char)colorTable[a].string[0]] = a + 1;
@@ -2298,6 +2310,9 @@
 	    char *s;
 	    char buf[BUFSIZ];
 
+	    if (cpp >= sizeof(buf))
+		return (XpmFileInvalid);
+
 	    buf[cpp] = '\0';
 	    if (USE_HASHTABLE) {
 		xpmHashAtom *slot;
