--- /dev/null
+--- gdk-pixbuf-0.22.0/gdk-pixbuf/io-bmp.c.bmploop 2004-08-20 14:18:30.178162560 -0400
++++ gdk-pixbuf-0.22.0/gdk-pixbuf/io-bmp.c 2004-08-20 14:18:42.997213768 -0400
+@@ -899,8 +899,18 @@
+ guchar c;
+ gint idx;
+
+- if (context->compr.y >= context->Header.height)
++ /* context->compr.y might be past the last line because we are
++ * on padding past the end of a valid data, or we might have hit
++ * out-of-bounds data. Either way we just eat-and-ignore the
++ * rest of the file. Doing the check only here and not when
++ * we change y below is fine since BufferSize is always 2 here
++ * and the BMP file format always starts new data on 16-bit
++ * boundaries.
++ */
++ if (context->compr.y >= context->Header.height) {
++ context->BufferDone = 0;
+ return TRUE;
++ }
+
+ y = context->compr.y;
+
--- /dev/null
+--- gdk-pixbuf-0.22.0/gdk-pixbuf/io-ico.c.loaders 2004-09-15 13:32:28.397302000 -0400
++++ gdk-pixbuf-0.22.0/gdk-pixbuf/io-ico.c 2004-09-15 13:32:28.441258000 -0400
+@@ -330,6 +330,9 @@
+
+ State->HeaderSize+=I;
+
++ if (State->HeaderSize < 0)
++ return FALSE;
++
+ if (State->HeaderSize>State->BytesInHeaderBuf) {
+ guchar *tmp=realloc(State->HeaderBuf,State->HeaderSize);
+ if (!tmp)
+--- gdk-pixbuf-0.22.0/gdk-pixbuf/io-xpm.c.loaders 2001-03-01 15:16:28.000000000 -0500
++++ gdk-pixbuf-0.22.0/gdk-pixbuf/io-xpm.c 2004-09-15 13:41:09.804373000 -0400
+@@ -243,8 +243,8 @@
+ break;
+ else {
+ if (numnames > 0) {
+- space -= 1;
+- strcat (color, " ");
++ strncat (color, " ", space);
++ space -= MIN (space, 1);
+ }
+
+ strncat (color, temp, space);
+@@ -352,16 +352,31 @@
+ return NULL;
+ }
+ sscanf (buffer, "%d %d %d %d", &w, &h, &n_col, &cpp);
+- if (cpp >= 32) {
+- g_warning ("XPM has more than 31 chars per pixel.");
++ if (cpp <= 0 || cpp >= 32) {
++ g_warning ("XPM has invalid number of chars per pixel.");
+ return NULL;
+ }
++ if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1)) {
++ g_warning ("XPM file has invalid number of colors");
++ return NULL;
++ }
+
+ /* The hash is used for fast lookups of color from chars */
+ color_hash = g_hash_table_new (g_str_hash, g_str_equal);
+
+- name_buf = g_new (gchar, n_col * (cpp + 1));
+- colors = g_new (_XPMColor, n_col);
++ name_buf = malloc (n_col * (cpp + 1));
++ if (!name_buf) {
++ g_warning ("Cannot allocate memory for loading XPM image");
++ g_hash_table_destroy (color_hash);
++ return NULL;
++ }
++ colors = (_XPMColor *) malloc (sizeof (_XPMColor) * n_col);
++ if (!colors) {
++ g_warning ("Cannot allocate memory for loading XPM image");
++ g_hash_table_destroy (color_hash);
++ free (name_buf);
++ return NULL;
++ }
+
+ for (cnt = 0; cnt < n_col; cnt++) {
+ gchar *color_name;
+@@ -404,8 +419,8 @@
+
+ if (!pixels) {
+ g_hash_table_destroy (color_hash);
+- g_free (colors);
+- g_free (name_buf);
++ free (colors);
++ free (name_buf);
+ return NULL;
+ }
+
+@@ -440,8 +455,8 @@
+ }
+
+ g_hash_table_destroy (color_hash);
+- g_free (colors);
+- g_free (name_buf);
++ free (colors);
++ free (name_buf);
+
+ return gdk_pixbuf_new_from_data (pixels, GDK_COLORSPACE_RGB, is_trans, 8,
+ w, h, is_trans ? (w * 4) : (w * 3),