*************** *** 805,810 **** ErrorStatus = XpmSuccess; /* malloc pixels index tables */ image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * image->ncolors); if (!image_pixels) return (XpmNoMemory); --- 805,812 ---- ErrorStatus = XpmSuccess; /* malloc pixels index tables */ + if (image->ncolors > INT_MAX/sizeof(Pixel)) + return (XpmNoMemory); image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * image->ncolors); if (!image_pixels) return (XpmNoMemory); *************** *** 948,953 **** #ifndef FOR_MSW /* now that bytes_per_line must have been set properly alloc data */ (*image_return)->data = (char *) XpmMalloc((*image_return)->bytes_per_line * height); --- 950,959 ---- #ifndef FOR_MSW /* now that bytes_per_line must have been set properly alloc data */ + if (height != 0 && (*image_return)->bytes_per_line > INT_MAX/height) { + XDestroyImage(*image_return); + return (XpmNoMemory); + } (*image_return)->data = (char *) XpmMalloc((*image_return)->bytes_per_line * height); *************** *** 1992,1997 **** xpmGetCmt(data, &colors_cmt); /* malloc pixels index tables */ image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors); if (!image_pixels) RETURN(XpmNoMemory); --- 1998,2005 ---- xpmGetCmt(data, &colors_cmt); /* malloc pixels index tables */ + if (ncolors > INT_MAX/sizeof(Pixel)) + RETURN(XpmNoMemory); image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors); if (!image_pixels) RETURN(XpmNoMemory); *************** *** 2247,2253 **** /* array of pointers malloced by need */ unsigned short *cidx[256]; - int char1; bzero((char *)cidx, 256 * sizeof(unsigned short *)); /* init */ for (a = 0; a < ncolors; a++) { --- 2255,2261 ---- /* array of pointers malloced by need */ unsigned short *cidx[256]; + unsigned int char1; bzero((char *)cidx, 256 * sizeof(unsigned short *)); /* init */ for (a = 0; a < ncolors; a++) {