--- //depot/qt/3/src/kernel/qfontengine_x11.cpp Thu Oct 19 14:41:41 CEST 2006 +++ //depot/qt/3/src/kernel/qfontengine_x11.cpp Thu Oct 19 14:41:41 CEST 2006 @@ -171,7 +171,8 @@ QRect br = xmat.mapRect(QRect(x, y - si->ascent, w, h)); QRect br2 = br & pdevRect; - if (br2.width() <= 0 || br2.height() <= 0) + if (br2.width() <= 0 || br2.height() <= 0 + || br2.width() >= 32768 || br2.height() >= 32768) return; QWMatrix mat = QPixmap::trueMatrix( xmat, w, h ); QBitmap wx_bm = ::transform(dpy, bm, br2.x() - br.x(), br2.y() - br.y(), br2.width(), br2.height(), mat); --- //depot/qt/3/src/kernel/qimage.cpp Thu Oct 19 14:41:41 CEST 2006 +++ //depot/qt/3/src/kernel/qimage.cpp Thu Oct 19 14:41:41 CEST 2006 @@ -475,7 +475,12 @@ Endian bitOrder ) { init(); - if ( w <= 0 || h <= 0 || depth <= 0 || numColors < 0 ) + int bpl = ((w*depth+31)/32)*4; // bytes per scanline + if ( w <= 0 || h <= 0 || depth <= 0 || numColors < 0 + || INT_MAX / sizeof(uchar *) < uint(h) + || INT_MAX / uint(depth) < uint(w) + || bpl <= 0 + || INT_MAX / uint(bpl) < uint(h) ) return; // invalid parameter(s) data->w = w; data->h = h; @@ -483,7 +488,6 @@ data->ncols = depth != 32 ? numColors : 0; if ( !yourdata ) return; // Image header info can be saved without needing to allocate memory. - int bpl = ((w*depth+31)/32)*4; // bytes per scanline data->nbytes = bpl*h; if ( colortable || !data->ncols ) { data->ctbl = colortable; @@ -525,7 +529,10 @@ Endian bitOrder ) { init(); - if ( !yourdata || w <= 0 || h <= 0 || depth <= 0 || numColors < 0 ) + if ( !yourdata || w <= 0 || h <= 0 || depth <= 0 || numColors < 0 + || INT_MAX / sizeof(uchar *) < uint(h) + || INT_MAX / uint(bpl) < uint(h) + ) return; // invalid parameter(s) data->w = w; data->h = h; 
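Review bot: The bound `32768` in the added `br2.width() >= 32768 || br2.height() >= 32768` test is an unexplained literal, and the same value is repeated in the qpixmap_x11.cpp hunks at @@ -953 and @@ -1718. The patch does not say where the limit comes from; it looks like the 16-bit range X11 uses for geometry, which should be confirmed and written down. I would add a comment such as `// reject sizes outside the 16-bit X11 geometry range before any buffer size is derived from them`, or better a single named constant used by both files so the checks cannot drift apart. The enclosing function starts and ends outside this hunk.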
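Review bot: In the qimage.cpp hunk at @@ -475, `int bpl = ((w*depth+31)/32)*4;` now runs before any argument is validated, so for large `w` and `depth` the signed multiplication overflows, which is undefined behaviour, before the guard below it can reject the input. The guard itself is ordered safely, since `bpl <= 0` precedes `INT_MAX / uint(bpl)`, but it relies on the overflowed value happening to look wrong. It would be sounder to return first on `w <= 0 || h <= 0 || depth <= 0 || numColors < 0 || (INT_MAX - 31) / uint(depth) < uint(w)`, then compute `bpl`, then test `bpl <= 0 || INT_MAX / uint(bpl) < uint(h) || INT_MAX / sizeof(uchar *) < uint(h)`. The `- 31` matters because `w*depth+31` can exceed INT_MAX even when the product alone does not. The constructor body continues past the hunk.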
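Review bot: In the qimage.cpp hunk at @@ -525, the added `INT_MAX / uint(bpl) < uint(h)` has no zero test in front of it, so `bpl == 0` divides by zero. `bpl` is not declared in the visible lines and is presumably a parameter of this overload, which would make it caller-supplied rather than derived from `w` and `depth`. Put the same test the first constructor uses ahead of the division: `|| bpl <= 0 || INT_MAX / uint(bpl) < uint(h)`. The @@ -1277 hunk has the same ordering, with `bpl < 0` tested after `INT_MAX / uint(bpl)` and zero not covered; there `bpl` is probably at least 4 by construction, but `bpl <= 0` placed first would make that explicit. This overload also gets no `INT_MAX / uint(depth) < uint(w)` test, unlike the first one.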
@@ -1264,7 +1271,7 @@ if ( data->ncols != numColors ) // could not alloc color table return FALSE; - if ( INT_MAX / depth < width) { // sanity check for potential overflow + if ( INT_MAX / uint(depth) < uint(width) ) { // sanity check for potential overflow setNumColors( 0 ); return FALSE; } @@ -1277,7 +1284,9 @@ // #### WWA: shouldn't this be (width*depth+7)/8: const int pad = bpl - (width*depth)/8; // pad with zeros #endif - if (INT_MAX / bpl < height) { // sanity check for potential overflow + if ( INT_MAX / uint(bpl) < uint(height) + || bpl < 0 + || INT_MAX / sizeof(uchar *) < uint(height) ) { // sanity check for potential overflow setNumColors( 0 ); return FALSE; } --- //depot/qt/3/src/kernel/qpixmap_x11.cpp Thu Oct 19 14:41:41 CEST 2006 +++ //depot/qt/3/src/kernel/qpixmap_x11.cpp Thu Oct 19 14:41:41 CEST 2006 @@ -953,6 +953,9 @@ bool force_mono = (dd == 1 || isQBitmap() || (conversion_flags & ColorMode_Mask)==MonoOnly ); + if ( w >= 32768 || h >= 32768 ) + return FALSE; + // get rid of the mask delete data->mask; data->mask = 0; @@ -1678,11 +1681,11 @@ QPixmap QPixmap::xForm( const QWMatrix &matrix ) const { - int w = 0; - int h = 0; // size of target pixmap - int ws, hs; // size of source pixmap + uint w = 0; + uint h = 0; // size of target pixmap + uint ws, hs; // size of source pixmap uchar *dptr; // data in target pixmap - int dbpl, dbytes; // bytes per line/bytes total + uint dbpl, dbytes; // bytes per line/bytes total uchar *sptr; // data in original pixmap int sbpl; // bytes per line in original int bpp; // bits per pixel 
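Review bot: In the qpixmap_x11.cpp hunk at @@ -1678, changing `w`, `h`, `ws`, `hs`, `dbpl` and `dbytes` to `uint` while `sbpl` and `bpp` stay `int` is not explained, and any expression further down `xForm` that mixes them now evaluates in unsigned arithmetic. A negative intermediate such as `r.width()-1` for an empty rectangle now wraps to a very large value instead of going negative; the @@ -1718 test appears to catch that through `scaledWidth`, but that dependency is not obvious to a reader. I would add a comment on the declarations, for example `// unsigned: a wrapped size becomes huge and is rejected by the range test below`, once the intent is confirmed. Most of the function body is outside this hunk, so the remaining uses of these variables could not be checked here.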
@@ -1697,19 +1700,24 @@ QWMatrix mat( matrix.m11(), matrix.m12(), matrix.m21(), matrix.m22(), 0., 0. ); + double scaledWidth; + double scaledHeight; + if ( matrix.m12() == 0.0F && matrix.m21() == 0.0F ) { if ( matrix.m11() == 1.0F && matrix.m22() == 1.0F ) return *this; // identity matrix - h = qRound( matrix.m22()*hs ); - w = qRound( matrix.m11()*ws ); - h = QABS( h ); - w = QABS( w ); + scaledHeight = matrix.m22()*hs; + scaledWidth = matrix.m11()*ws; + h = QABS( qRound( scaledHeight ) ); + w = QABS( qRound( scaledWidth ) ); } else { // rotation or shearing QPointArray a( QRect(0,0,ws+1,hs+1) ); a = mat.map( a ); QRect r = a.boundingRect().normalize(); w = r.width()-1; h = r.height()-1; + scaledWidth = w; + scaledHeight = h; } mat = trueMatrix( mat, ws, hs ); // true matrix @@ -1718,7 +1726,8 @@ bool invertible; mat = mat.invert( &invertible ); // invert matrix - if ( h == 0 || w == 0 || !invertible ) { // error, return null pixmap + if ( h == 0 || w == 0 || !invertible + || QABS(scaledWidth) >= 32768 || QABS(scaledHeight) >= 32768 ) { // error, return null pixmap QPixmap pm; pm.data->bitmap = data->bitmap; return pm;
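Review bot: `qRound( scaledHeight )` and `qRound( scaledWidth )` convert to `int` before the range test added in the @@ -1718 hunk runs, so a scale factor that pushes the product outside the `int` range makes that conversion undefined before the value is rejected. A NaN matrix entry also passes the later test, because `QABS(scaledWidth) >= 32768` is false for NaN. Moving the range test in front of the `qRound` calls and writing it in negated form covers both cases: `!(QABS(scaledWidth) < 32768) || !(QABS(scaledHeight) < 32768)`. In the scaling branch that also avoids calling `trueMatrix` and `invert` on input that is about to be rejected. `xForm` begins before and continues after these two hunks.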