#####
# Add extra validation to check for the issues reported
# here http://www.securityfocus.com/archive/1/372345
#
# - taviso@gentoo.org (1 Sep 2004)
#############
diff -ruN xv-3.10a/xvbmp.c xv-3.10a.new/xvbmp.c
--- xv-3.10a/xvbmp.c 2004-08-31 23:26:20.711591624 +0100
+++ xv-3.10a.new/xvbmp.c 2004-08-31 23:21:48.887915104 +0100
@@ -165,6 +165,11 @@
 int i, cmaplen;
 cmaplen = (biClrUsed) ? biClrUsed : 1 << biBitCount;
+
+ /* sanity check user supplied value */
+ if (cmaplen > 256)
+ { bmpError(bname,"invalid colormap length"); goto ERROR; }
+
 for (i=0; ib[i] = getc(fp); pinfo->g[i] = getc(fp);
Files xv-3.10a/.xv.h.swp and xv-3.10a.new/.xv.h.swp differ
diff -ruN xv-3.10a/xviris.c xv-3.10a.new/xviris.c
--- xv-3.10a/xviris.c 1994-12-22 22:34:47.000000000 +0000
+++ xv-3.10a.new/xviris.c 2004-08-31 23:52:18.753733216 +0100
@@ -265,8 +265,18 @@
 byte *rledat;
 u_long *starttab, *lengthtab;
+ /* check they are postive */
+ if ((xsize <= 0) || (ysize <= 0) || (zsize <= 0))
+ FatalError("invalid image size supplied to LoadIRIS()");
+
 rlebuflen = 2 * xsize + 10;
 tablen = ysize * zsize;
+
+ /* did they overflow */
+
+ if ((rlebuflen <= 0) || (tablen <= 0))
+ FatalError("invalid image size supplied to LoadIRIS()");
+
 starttab = (u_long *) malloc((size_t) tablen * sizeof(long));
 lengthtab = (u_long *) malloc((size_t) tablen * sizeof(long));
 rledat = (byte *) malloc((size_t) rlebuflen);
diff -ruN xv-3.10a/xvpcx.c xv-3.10a.new/xvpcx.c
--- xv-3.10a/xvpcx.c 1995-01-10 23:06:37.000000000 +0000
+++ xv-3.10a.new/xvpcx.c 2004-09-01 00:04:28.464800272 +0100
@@ -4,6 +4,7 @@
 * LoadPCX(fname, pinfo) - loads a PCX file */
+#include 
 #include "copyright.h"
 /*
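Review bot: The new `if (cmaplen > 256)` guard in xvbmp.c is one-sided, so a zero or negative cmaplen still passes, and the value it inspects comes from `1 << biBitCount`, which is undefined behaviour for a biBitCount of 31 or more on a 32-bit int (and a large unsigned biClrUsed, if that is its type, also lands in cmaplen as a negative number). Make the check two-sided and bound the shift before it happens, roughly `if (biBitCount > 8 || cmaplen <= 0 || cmaplen > 256) { bmpError(bname,"invalid colormap length"); goto ERROR; }`, assuming this path is only meant for palettised images — confirm against the condition that encloses it. The loop line is garbled in this copy of the patch, so which colour arrays it fills cannot be confirmed here; the enclosing function continues outside the hunk.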
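Review bot: The "did they overflow" test added to LoadIRIS() in xviris.c checks `rlebuflen` and `tablen` after `2 * xsize + 10` and `ysize * zsize` have already been computed, and since all three operands are signed ints that have just been proven positive, a compiler is entitled to assume neither result can be negative and delete the `<= 0` comparisons. Reject the inputs before the arithmetic instead: `if (ysize > INT_MAX / zsize || xsize > (INT_MAX - 10) / 2) FatalError("invalid image size supplied to LoadIRIS()");` — this file does not receive a <limits.h> include in the patch, so one would need adding. Even then, `(size_t) tablen * sizeof(long)` can wrap on a 32-bit size_t for tablen above SIZE_MAX / sizeof(long), so the effective bound on tablen should be the smaller of the two limits. The added comment also misspells "positive"; the rest of LoadIRIS() is outside the hunk.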
@@ -222,6 +223,10 @@
 byte *image;
 /* note: overallocation to make life easier... */
+ if ((pinfo->h <= 0) || (pinfo->h > INT_MAX-1) ||
+ (pinfo->w <= 0) || (pinfo->w > INT_MAX-16))
+ FatalError("bad image specs in pcxLoadImage8()");
+
 image = (byte *) malloc((size_t) (pinfo->h + 1) * pinfo->w + 16);
 if (!image) FatalError("Can't alloc 'image' in pcxLoadImage8()");
diff -ruN xv-3.10a/xvpm.c xv-3.10a.new/xvpm.c
--- xv-3.10a/xvpm.c 1994-12-22 22:34:40.000000000 +0000
+++ xv-3.10a.new/xvpm.c 2004-09-01 00:07:34.721484952 +0100
@@ -5,6 +5,8 @@
 * WritePM(fp, pic, ptype, w, h, r,g,b, numcols, style, comment) */
+#include 
+
 #include "copyright.h"
 #include "xv.h"
@@ -137,7 +139,7 @@
 /* alloc and read in comment, if any */
- if (thePic.pm_cmtsize>0) {
+ if (thePic.pm_cmtsize>0 && thePic.pm_cmtsize<(INT_MAX-1)) {
 thePic.pm_cmt = (char *) malloc((size_t) thePic.pm_cmtsize+1);
 if (thePic.pm_cmt) {
 thePic.pm_cmt[thePic.pm_cmtsize] = '\0'; /* to be safe */
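Review bot: The bounds added to pcxLoadImage8() only keep `pinfo->h + 1` and `pinfo->w + 16` from overflowing on their own; the allocation size `(size_t) (pinfo->h + 1) * pinfo->w + 16` is still an unchecked product, so with both dimensions near INT_MAX it wraps on a 32-bit size_t, malloc() hands back a small buffer, and the decoder that follows writes past it. Guard the product as well, `if (pinfo->w > (SIZE_MAX - 16) / ((size_t) pinfo->h + 1)) FatalError("bad image specs in pcxLoadImage8()");`, or cap w and h at a defensible image size. SIZE_MAX lives in <stdint.h>, which the include this patch adds at the top of xvpcx.c does not provide (the header name is lost in this copy of the patch). The function continues outside the hunk.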
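Review bot: The new `thePic.pm_cmtsize<(INT_MAX-1)` bound in LoadPM() only prevents the `+1` from overflowing; every size below that is still accepted, so a tiny header can make the loader attempt a malloc() of nearly 2 GB before a single comment byte has been read. A comment length should be clamped to something defensible, e.g. `thePic.pm_cmtsize <= 65536`, or to the bytes actually remaining in the file. Note also that when the bound is exceeded the block is simply skipped and the loader carries on as if there were no comment; unless the comment bytes are consumed elsewhere (outside this hunk), the raster read that follows will start at the wrong file offset, so an explicit error on an oversized comment would be clearer than silent acceptance. The rest of LoadPM() is outside the hunk.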