diff -up ./render/glyph.c.cve-2008-2360 ./render/glyph.c
--- ./render/glyph.c.cve-2008-2360 2006-07-06 04:31:44.000000000 +1000
+++ ./render/glyph.c 2008-05-29 16:22:06.000000000 +1000
@@ -43,6 +43,12 @@
#include "picturestr.h"
#include "glyphstr.h"
+#if HAVE_STDINT_H
+#include <stdint.h>
+#else
+#define UINT32_MAX 0xffffffffU
+#endif
+
/*
* From Knuth -- a good choice for hash/rehash values is p, p-2 where
* p and p-2 are both prime. These tables are sized to have an extra 10%
@@ -627,8 +633,14 @@ AllocateGlyph (xGlyphInfo *gi, int fdept
int size;
GlyphPtr glyph;
int i;
+ size_t padded_width;
+
+ padded_width = PixmapBytePad (gi->width, glyphDepths[fdepth]);
+
+ if (gi->height && padded_width > (UINT32_MAX - sizeof(GlyphRec))/gi->height)
+ return 0;
- size = gi->height * PixmapBytePad (gi->width, glyphDepths[fdepth]);
+ size = gi->height * padded_width;
glyph = (GlyphPtr) xalloc (size + sizeof (GlyphRec));
if (!glyph)
return 0;