$OpenBSD: patch-lib_Xm_Xpmscan_c,v 1.1 2004/09/01 22:57:36 pvalchev Exp $
--- lib/Xm/Xpmscan.c.orig	Fri Apr 28 09:05:21 2000
+++ lib/Xm/Xpmscan.c	Wed Sep  1 01:31:33 2004
@@ -93,7 +93,8 @@ LFUNC(MSWGetImagePixels, int, (Display *
 LFUNC(ScanTransparentColor, int, (XpmColor *color, unsigned int cpp,
 				  XpmAttributes *attributes));
 
-LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors, int ncolors,
+LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors, 
+			     unsigned int ncolors, 
 			     Pixel *pixels, unsigned int mask,
 			     unsigned int cpp, XpmAttributes *attributes));
 
@@ -220,11 +221,17 @@ XpmCreateXpmImageFromImage(display, imag
     else
 	cpp = 0;
 
+    if ((height > 0 && width >= SIZE_MAX / height) ||
+	width * height >= SIZE_MAX / sizeof(unsigned int))
+	RETURN(XpmNoMemory);
     pmap.pixelindex =
 	(unsigned int *) XpmCalloc(width * height, sizeof(unsigned int));
     if (!pmap.pixelindex)
 	RETURN(XpmNoMemory);
 
+    if (pmap.size >= SIZE_MAX / sizeof(Pixel)) 
+	RETURN(XpmNoMemory);
+
     pmap.pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * pmap.size);
     if (!pmap.pixels)
 	RETURN(XpmNoMemory);
@@ -279,7 +286,8 @@ XpmCreateXpmImageFromImage(display, imag
      * get rgb values and a string of char, and possibly a name for each
      * color
      */
-
+    if (pmap.ncolors >= SIZE_MAX / sizeof(XpmColor))
+	RETURN(XpmNoMemory);
     colorTable = (XpmColor *) XpmCalloc(pmap.ncolors, sizeof(XpmColor));
     if (!colorTable)
 	RETURN(XpmNoMemory);
@@ -327,6 +335,8 @@ ScanTransparentColor(color, cpp, attribu
 
     /* first get a character string */
     a = 0;
+    if (cpp >= SIZE_MAX - 1)
+	return (XpmNoMemory);
     if (!(s = color->string = (char *) XpmMalloc(cpp + 1)))
 	return (XpmNoMemory);
     *s++ = printable[c = a % MAXPRINTABLE];
@@ -374,7 +384,7 @@ static int
 ScanOtherColors(display, colors, ncolors, pixels, mask, cpp, attributes)
     Display *display;
     XpmColor *colors;
-    int ncolors;
+    unsigned int ncolors;
     Pixel *pixels;
     unsigned int mask;
     unsigned int cpp;
@@ -418,6 +428,8 @@ ScanOtherColors(display, colors, ncolors
     }
 
     /* first get character strings and rgb values */
+    if (ncolors >= SIZE_MAX / sizeof(XColor) || cpp >= SIZE_MAX - 1)
+	return (XpmNoMemory);
     xcolors = (XColor *) XpmMalloc(sizeof(XColor) * ncolors);
     if (!xcolors)
 	return (XpmNoMemory);
