--- /tmp/xdr_array.c    Sat Aug  3 03:22:14 2002
+++ xdr_array.c Sat Aug  3 03:26:04 2002
@@ -40,6 +40,7 @@
  * arrays.  See xdr.h for more info on the interface to xdr.
  */

+#include <limits.h>
 #include <stdio.h>
 #include <string.h>
 #include <rpc/types.h>
@@ -76,12 +77,13 @@
   u_int nodesize;

   /* like strings, arrays are really counted arrays */
-  if (!xdr_u_int (xdrs, sizep))
+if (!xdr_u_int(xdrs, sizep))
     {
       return FALSE;
     }
   c = *sizep;
-  if ((c > maxsize) && (xdrs->x_op != XDR_FREE))
+  if ((c > maxsize || UINT_MAX/elsize < c) &&
+  (xdrs->x_op != XDR_FREE))
     {
       return FALSE;
     }
@@ -162,7 +164,7 @@
   elptr = basep;
   for (i = 0; i < nelem; i++)
     {
-      if (!(*xdr_elem) (xdrs, elptr, LASTUNSIGNED))
+      if (!(*xdr_elem)(xdrs, elptr, LASTUNSIGNED))
        {
          return FALSE;
        }