--- gdk-pixbuf-0.22.0/gdk-pixbuf/io-ico.c.loaders	2004-09-15 13:32:28.397302000 -0400
+++ gdk-pixbuf-0.22.0/gdk-pixbuf/io-ico.c	2004-09-15 13:32:28.441258000 -0400
@@ -330,6 +330,9 @@
 
 	State->HeaderSize+=I;
 
+ 	if (State->HeaderSize < 0)
+ 		return FALSE;
+ 
  	if (State->HeaderSize>State->BytesInHeaderBuf) {
 		guchar *tmp=realloc(State->HeaderBuf,State->HeaderSize);
 		if (!tmp)
--- gdk-pixbuf-0.22.0/gdk-pixbuf/io-xpm.c.loaders	2001-03-01 15:16:28.000000000 -0500
+++ gdk-pixbuf-0.22.0/gdk-pixbuf/io-xpm.c	2004-09-15 13:41:09.804373000 -0400
@@ -243,8 +243,8 @@
 			break;
 		else {
 			if (numnames > 0) {
-				space -= 1;
-				strcat (color, " ");
+				strncat (color, " ", space);
+				space -= MIN (space, 1);
 			}
 
 			strncat (color, temp, space);
@@ -352,16 +352,31 @@
 		return NULL;
 	}
 	sscanf (buffer, "%d %d %d %d", &w, &h, &n_col, &cpp);
-	if (cpp >= 32) {
-		g_warning ("XPM has more than 31 chars per pixel.");
+	if (cpp <= 0 || cpp >= 32) {
+		g_warning ("XPM has invalid number of chars per pixel.");
 		return NULL;
 	}
+ 	if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1)) {
+		g_warning ("XPM file has invalid number of colors");
+  		return NULL;
+  	}
 
 	/* The hash is used for fast lookups of color from chars */
 	color_hash = g_hash_table_new (g_str_hash, g_str_equal);
 
-	name_buf = g_new (gchar, n_col * (cpp + 1));
-	colors = g_new (_XPMColor, n_col);
+ 	name_buf = malloc (n_col * (cpp + 1));
+ 	if (!name_buf) {
+		g_warning ("Cannot allocate memory for loading XPM image");
+ 		g_hash_table_destroy (color_hash);
+ 		return NULL;
+ 	}
+ 	colors = (_XPMColor *) malloc (sizeof (_XPMColor) * n_col);
+ 	if (!colors) {
+		g_warning ("Cannot allocate memory for loading XPM image");
+ 		g_hash_table_destroy (color_hash);
+ 		free (name_buf);
+ 		return NULL;
+ 	}
 
 	for (cnt = 0; cnt < n_col; cnt++) {
 		gchar *color_name;
@@ -404,8 +419,8 @@
 
 	if (!pixels) {
 		g_hash_table_destroy (color_hash);
-		g_free (colors);
-		g_free (name_buf);
+		free (colors);
+		free (name_buf);
 		return NULL;
 	}
 
@@ -440,8 +455,8 @@
 	}
 
 	g_hash_table_destroy (color_hash);
-	g_free (colors);
-	g_free (name_buf);
+	free (colors);
+	free (name_buf);
 
 	return gdk_pixbuf_new_from_data (pixels, GDK_COLORSPACE_RGB, is_trans, 8,
 					 w, h, is_trans ? (w * 4) : (w * 3),