diff -uprk.orig gdk-pixbuf-0.22.0.orig/gdk-pixbuf/io-ico.c gdk-pixbuf-0.22.0/gdk-pixbuf/io-ico.c
--- gdk-pixbuf-0.22.0.orig/gdk-pixbuf/io-ico.c 2004-09-03 18:22:50 +0400
+++ gdk-pixbuf-0.22.0/gdk-pixbuf/io-ico.c 2004-09-03 18:25:45 +0400
@@ -330,6 +330,9 @@ DecodeHeader (guchar *Data, gint Bytes,
 State->HeaderSize+=I;
+ if (State->HeaderSize < 0)
+ return FALSE;
+
 if (State->HeaderSize>State->BytesInHeaderBuf) {
 guchar *tmp=realloc(State->HeaderBuf,State->HeaderSize);
 if (!tmp)
diff -uprk.orig gdk-pixbuf-0.22.0.orig/gdk-pixbuf/io-xpm.c gdk-pixbuf-0.22.0/gdk-pixbuf/io-xpm.c
--- gdk-pixbuf-0.22.0.orig/gdk-pixbuf/io-xpm.c 2001-03-01 23:16:28 +0300
+++ gdk-pixbuf-0.22.0/gdk-pixbuf/io-xpm.c 2004-09-03 18:36:20 +0400
@@ -243,8 +243,8 @@ xpm_extract_color (const gchar *buffer)
 break;
 else {
 if (numnames > 0) {
- space -= 1;
- strcat (color, " ");
+ strncat (color, " ", space);
+ space -= MIN (space, 1);
 }
 strncat (color, temp, space);
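Review bot: The new `State->HeaderSize < 0` test in DecodeHeader runs only after `State->HeaderSize+=I;` has been evaluated, so it detects a wrapped sum instead of preventing one. If both operands are signed integers (their declarations are outside the hunk), overflow in that addition is undefined behaviour and a compiler may drop the later sign check. Rejecting the input before the addition does not depend on wraparound: `if (I < 0 || State->HeaderSize > G_MAXINT - I) return FALSE;`, assuming `I` is never legitimately negative. A positive but very large HeaderSize still reaches `realloc`, where `if (!tmp)` is the only limit visible here. DecodeHeader starts and ends outside the hunk.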
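Review bot: Both `strncat` calls in xpm_extract_color are bounded correctly only if `space` counts the bytes left in `color` excluding the terminating NUL, because strncat appends up to `space` characters and then writes a terminator. The initial value of `space` and the size of `color` are outside the hunk, so that invariant cannot be confirmed from here. A comment at the declaration would make it checkable, for example `/* space: bytes left in color, not counting the trailing NUL */`. Once `space` reaches 0 the separator and the rest of the name are dropped silently, so a truncated colour name is treated as complete; a `g_warning` at that point would help diagnose malformed files. The function starts and ends outside the hunk.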
@@ -352,16 +352,31 @@ pixbuf_create_from_xpm (const gchar * (*
 return NULL;
 }
 sscanf (buffer, "%d %d %d %d", &w, &h, &n_col, &cpp);
- if (cpp >= 32) {
- g_warning ("XPM has more than 31 chars per pixel.");
+ if (cpp <= 0 || cpp >= 32) {
+ g_warning ("XPM has invalid number of chars per pixel");
+ return NULL;
+ }
+ if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1)) {
+ g_warning ("XPM file has invalid number of colors");
 return NULL;
 }
 /* The hash is used for fast lookups of color from chars */
 color_hash = g_hash_table_new (g_str_hash, g_str_equal);
- name_buf = g_new (gchar, n_col * (cpp + 1));
- colors = g_new (_XPMColor, n_col);
+ name_buf = g_try_malloc (n_col * (cpp + 1));
+ if (!name_buf) {
+ g_warning ("Cannot allocate memory for loading XPM image");
+ g_hash_table_destroy (color_hash);
+ return NULL;
+ }
+ colors = malloc (sizeof (_XPMColor) * n_col);
+ if (!colors) {
+ g_warning ("Cannot allocate memory for loading XPM image");
+ g_hash_table_destroy (color_hash);
+ g_free (name_buf);
+ return NULL;
+ }
 for (cnt = 0; cnt < n_col; cnt++) {
 gchar *color_name;
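Review bot: The `n_col` bound added here only guarantees that `n_col * (cpp + 1)` fits in an int; it does not cover `sizeof (_XPMColor) * n_col` in the new `malloc` call. If `_XPMColor` is larger than `cpp + 1` bytes (its definition is outside the hunk), that product can wrap where size_t is 32 bits, leaving `colors` smaller than the `for (cnt = 0; cnt < n_col; cnt++)` loop assumes. Adding the second limit to the same test closes this: `if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1) || n_col >= G_MAXINT / sizeof (_XPMColor)) {`. The `sscanf` result is also still unchecked, so `cpp` and `n_col` may be unset when the header line has fewer than four fields; comparing the return value with 4 before the range checks would cover that. pixbuf_create_from_xpm starts and ends outside the hunk, so the variable declarations and the later frees are not visible here.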