--- /dev/null
+diff -uNr postgresql-7.2.3.orig/src/backend/utils/adt/geo_ops.c postgresql-7.2.3/src/backend/utils/adt/geo_ops.c
+--- postgresql-7.2.3.orig/src/backend/utils/adt/geo_ops.c Tue May 14 14:16:54 2002
++++ postgresql-7.2.3/src/backend/utils/adt/geo_ops.c Fri Dec 20 10:33:33 2002
+@@ -269,11 +269,18 @@
+ static char *
+ path_encode(bool closed, int npts, Point *pt)
+ {
+- char *result = palloc(npts * (P_MAXLEN + 3) + 2);
++ int size = npts * (P_MAXLEN + 3) + 2;
++ char *result;
+
+ char *cp;
+ int i;
+
++ /* Check for integer overflow */
++ if ((size - 2) / npts != (P_MAXLEN + 3))
++ elog(ERROR, "Too many points requested");
++
++ result = palloc(size);
++
+ cp = result;
+ switch (closed)
+ {
+@@ -1228,7 +1235,7 @@
+ depth++;
+ }
+
+- size = offsetof(PATH, p[0]) +sizeof(path->p[0]) * npts;
++ size = offsetof(PATH, p[0]) + sizeof(path->p[0]) * npts;
+ path = (PATH *) palloc(size);
+
+ path->size = size;
+@@ -3594,13 +3601,21 @@
+ PATH *p1 = PG_GETARG_PATH_P(0);
+ PATH *p2 = PG_GETARG_PATH_P(1);
+ PATH *result;
+- int size;
++ int size,
++ base_size;
+ int i;
+
+ if (p1->closed || p2->closed)
+ PG_RETURN_NULL();
+
+- size = offsetof(PATH, p[0]) +sizeof(p1->p[0]) * (p1->npts + p2->npts);
++ base_size = sizeof(p1->p[0]) * (p1->npts + p2->npts);
++ size = offsetof(PATH, p[0]) + base_size;
++
++ /* Check for integer overflow */
++ if (base_size / sizeof(p1->p[0]) != (p1->npts + p2->npts) ||
++ size <= base_size)
++ elog(ERROR, "Too many points requested.");
++
+ result = (PATH *) palloc(size);
+
+ result->size = size;
+@@ -4411,17 +4426,24 @@
+ int32 npts = PG_GETARG_INT32(0);
+ CIRCLE *circle = PG_GETARG_CIRCLE_P(1);
+ POLYGON *poly;
+- int size;
++ int base_size,
++ size;
+ int i;
+ double angle;
+
+ if (FPzero(circle->radius) || (npts < 2))
+ elog(ERROR, "Unable to convert circle to polygon");
+
+- size = offsetof(POLYGON, p[0]) +(sizeof(poly->p[0]) * npts);
++ base_size = sizeof(poly->p[0]) * npts;
++ size = offsetof(POLYGON, p[0]) + base_size;
++
++ /* Check for integer overflow */
++ if (base_size / npts != sizeof(poly->p[0]) || size <= base_size)
++ elog(ERROR, "Too many points requested");
++
+ poly = (POLYGON *) palloc(size);
+
+- MemSet((char *) poly, 0, size); /* zero any holes */
++ MemSet(poly, 0, size); /* zero any holes */
+ poly->size = size;
+ poly->npts = npts;
+