$OpenBSD: patch-lib_Xm_Xpmcreate_c,v 1.1 2004/09/01 22:57:36 pvalchev Exp $
--- lib/Xm/Xpmcreate.c.orig Fri Apr 28 09:05:21 2000
+++ lib/Xm/Xpmcreate.c Wed Sep 1 01:39:33 2004
@@ -1,4 +1,5 @@
 /* $XConsortium: Xpmcreate.c /main/8 1996/09/20 08:15:02 pascale $ */
+/* $XdotOrg: pre-CVS proposed fix for CESA-2004-003 alanc 7/25/2004 $ */
 /*
 * Copyright (C) 1989-95 GROUPE BULL
 *
@@ -799,6 +800,9 @@ XpmCreateImageFromXpmImage(display, imag
 ErrorStatus = XpmSuccess;
+ if (image->ncolors >= SIZE_MAX / sizeof(Pixel))
+ return (XpmNoMemory);
+
 /* malloc pixels index tables */
 image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * image->ncolors);
 if (!image_pixels)
@@ -942,6 +946,8 @@ CreateXImage(display, visual, depth, for
 return (XpmNoMemory);
 #ifndef FOR_MSW
+ if (height != 0 && (*image_return)->bytes_per_line >= SIZE_MAX / height)
+ return XpmNoMemory;
 /* now that bytes_per_line must have been set properly alloc data */
 (*image_return)->data = (char *) XpmMalloc((*image_return)->bytes_per_line * height);
@@ -1987,6 +1993,9 @@ xpmParseDataAndCreate(display, data, ima
 xpmGetCmt(data, &colors_cmt);
 /* malloc pixels index tables */
+ if (ncolors >= SIZE_MAX / sizeof(Pixel))
+ return XpmNoMemory;
+
 image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors);
 if (!image_pixels)
 RETURN(XpmNoMemory);
@@ -2200,6 +2209,9 @@ ParseAndPutPixels(dc, data, width, heigh
 {
 unsigned short colidx[256];
+ if (ncolors > 256)
+ return (XpmFileInvalid);
+
 bzero((char *)colidx, 256 * sizeof(short));
 for (a = 0; a < ncolors; a++)
 colidx[(unsigned char)colorTable[a].string[0]] = a + 1;
@@ -2297,6 +2309,9 @@ if (cidx[f]) XpmFree(cidx[f]);}
 {
 char *s;
 char buf[BUFSIZ];
+
+ if (cpp >= sizeof(buf))
+ return (XpmFileInvalid);
 buf[cpp] = '\0';
 if (USE_HASHTABLE) {
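Review bot: The new guard in XpmCreateImageFromXpmImage depends on `SIZE_MAX`, yet no visible hunk adds an include or a fallback definition for it to Xpmcreate.c. The same applies to the guards added in CreateXImage and xpmParseDataAndCreate. It is presumably supplied by a header patched separately, which should be confirmed. If not, a guarded fallback such as `#ifndef SIZE_MAX` / `#define SIZE_MAX ((size_t)-1)` / `#endif` keeps the file building on systems whose headers lack it. A one-line comment above the check, for example `/* reject ncolors that would overflow sizeof(Pixel) * ncolors */`, would also tie it to the allocations that follow.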
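Review bot: In CreateXImage the added check bounds the product by `SIZE_MAX`, but the multiplication passed to XpmMalloc is evaluated in the operands' own type. If `bytes_per_line` is an `int` (as in Xlib's XImage) and `height` an `unsigned int`, the product can still wrap at 32 bits on platforms where `size_t` is 64 bits wide. Widening the operand closes the gap: `XpmMalloc((size_t)(*image_return)->bytes_per_line * height)`. The early `return XpmNoMemory;` also leaves the image created just above the hunk in `*image_return`. Unless the caller is known to release it, use `XDestroyImage(*image_return); *image_return = NULL;` before returning; the function body starts and continues outside the hunk.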
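Review bot: The overflow check added in xpmParseDataAndCreate exits with a plain `return XpmNoMemory;`, while the allocation failure two lines later exits through `RETURN(XpmNoMemory);`. The macro is defined outside the hunk, but it presumably releases what the function has gathered by this point, such as the comment fetched by `xpmGetCmt(data, &colors_cmt)`. If so, the new path skips that cleanup on exactly the malformed input it is meant to reject. Using `RETURN(XpmNoMemory);` here keeps both failure paths consistent.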
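Review bot: The `ncolors > 256` check in ParseAndPutPixels has no comment explaining what it protects. The index into `colidx` is already confined to 0..255 by the `(unsigned char)` cast, so the limit is not obviously an array-bounds guard. It looks like a sanity check for the one-character-per-pixel case, where more than 256 colors cannot have distinct keys; confirm this against the enclosing `switch`, which is outside the hunk. A comment such as `/* one-char keys: a table with more than 256 colors is malformed */` would record the intent. A named constant shared with the `colidx[256]` declaration would keep the two from drifting apart.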
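Review bot: The `cpp >= sizeof(buf)` check in the second ParseAndPutPixels hunk ties the largest accepted chars-per-pixel value to `BUFSIZ`, which differs between C libraries. The same file may therefore be accepted on one platform and rejected with XpmFileInvalid on another. The check correctly keeps `buf[cpp] = '\0'` in bounds. A short comment such as `/* buf must hold cpp key characters plus the terminating NUL */` would document why `>=` is used rather than `>`. The enclosing block continues past the end of the hunk.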