--- linux/drivers/char/drm/r128_state.c 2004-02-19 12:46:36.000000000 -0600
+++ linux/drivers/char/drm/r128_state.c 2004-02-19 12:52:25.000000000 -0600
@@ -25,6 +25,8 @@
 *
 * Authors:
 * Gareth Hughes
+ *
+ * Memory allocation size checks added 14/01/2003, Alan Cox
 */
 #include "r128.h"
@@ -901,6 +903,9 @@
 DRM_DEBUG( "%s\n", __FUNCTION__ );
 count = depth->n;
+
+ if( count > 4096 )
+ return -EMSGSIZE;
 if ( copy_from_user( &x, depth->x, sizeof(x) ) ) {
 return -EFAULT;
 }
@@ -995,6 +1000,9 @@
 count = depth->n;
+ if( count > 4096 )
+ return -EMSGSIZE;
+
 x = kmalloc( count * sizeof(*x), GFP_KERNEL );
 if ( x == NULL ) {
 return -ENOMEM;
@@ -1109,6 +1117,9 @@
 DRM_DEBUG( "%s\n", __FUNCTION__ );
 count = depth->n;
+
+ if ( count > 4096 )
+ return -EMSGSIZE;
 if ( copy_from_user( &x, depth->x, sizeof(x) ) ) {
 return -EFAULT;
 }
--- linux/drivers/char/drm-4.0/r128_state.c 2004-02-19 13:02:56.000000000 -0600
+++ linux/drivers/char/drm-4.0/r128_state.c 2004-02-19 13:19:12.000000000 -0600
@@ -26,6 +26,7 @@
 * Authors:
 * Gareth Hughes
 *
+ * Memory allocation size checks added 14/01/2003, Alan Cox
 */
 #define __NO_VERSION__
@@ -938,6 +939,9 @@
 }
 count = depth->n;
+
+ if( count > 4096 )
+ return -EMSGSIZE;
 if ( copy_from_user( &x, depth->x, sizeof(x) ) ) {
 return -EFAULT;
 }
@@ -1048,6 +1052,9 @@
 count = depth->n;
+ if( count > 4096 )
+ return -EMSGSIZE;
+
 x = kmalloc( count * sizeof(*x), 0 );
 if ( x == NULL ) {
 return -ENOMEM;
@@ -1178,6 +1185,9 @@
 }
 count = depth->n;
+
+ if ( count > 4096 )
+ return -EMSGSIZE;
 if ( copy_from_user( &x, depth->x, sizeof(x) ) ) {
 return -EFAULT;
 }
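Review bot: The bound added in the `@@ -901,6 +903,9 @@` hunk of drm/r128_state.c tests only `count > 4096`, so if `count` and `depth->n` are signed (their declarations are outside the hunk) a zero or negative user-supplied value still passes the check. The same one-sided test is repeated in the `-995` and `-1109` hunks and in all three drm-4.0 hunks, and in the `-995` and `-1048` hunks the unchecked value goes straight into `count * sizeof(*x)` as the kmalloc() size. I would reject non-positive counts at each site as well: `if ( count <= 0 || count > 4096 ) return -EMSGSIZE;`. The enclosing functions begin and end outside every hunk, so the remaining uses of `count` after the check need confirming against the full file.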
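Review bot: The limit in the `@@ -995,6 +1000,9 @@` hunk is the bare literal `4096`, repeated in the five other checks this patch adds, with nothing recording why that value bounds `count` or which allocations it protects. A named constant per file (for instance `#define R128_MAX_DEPTH_COUNT 4096`, the name is only a suggestion) carrying a comment such as `/* upper bound on user-supplied depth->n; caps the count * sizeof() buffers passed to kmalloc() */` would keep the six sites from drifting apart. The new lines also alternate between `if( count` and `if ( count`, while the surrounding context uses `if ( ... )`.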