File openmotif-xpm.diff of Package openmotif22-libs

--- lib/Xm/XpmAttrib.c
+++ lib/Xm/XpmAttrib.c
@@ -41,7 +41,7 @@
 #include "XpmI.h"
 
 /* 3.2 backward compatibility code */
-LFUNC(CreateOldColorTable, int, (XpmColor *ct, unsigned int ncolors,
+LFUNC(CreateOldColorTable, int, (XpmColor *ct, int ncolors,
 				 XpmColor ***oldct));
 
 LFUNC(FreeOldColorTable, void, (XpmColor **colorTable, int ncolors));
@@ -52,15 +52,12 @@
 static int
 CreateOldColorTable(ct, ncolors, oldct)
     XpmColor *ct;
-    unsigned int ncolors;
+    int ncolors;
     XpmColor ***oldct;
 {
     XpmColor **colorTable, **color;
     int a;
 
-    if (ncolors >= SIZE_MAX / sizeof(XpmColor *)) 
-	return XpmNoMemory;
-
     colorTable = (XpmColor **) XpmMalloc(ncolors * sizeof(XpmColor *));
     if (!colorTable) {
 	*oldct = NULL;
--- lib/Xm/XpmCrBufFrI.c
+++ lib/Xm/XpmCrBufFrI.c
@@ -43,20 +43,20 @@
 
 #include "XpmI.h"
 
-LFUNC(WriteColors, int, (char **dataptr, unsigned int *data_size,
-			 unsigned int *used_size, XpmColor *colors,
+LFUNC(WriteColors, int, (char **dataptr, size_t *data_size,
+			 size_t *used_size, XpmColor *colors,
 			 unsigned int ncolors, unsigned int cpp));
 
-LFUNC(WritePixels, void, (char *dataptr, unsigned int *used_size,
+LFUNC(WritePixels, void, (char *dataptr, size_t *used_size,
 			  unsigned int width, unsigned int height,
 			  unsigned int cpp, unsigned int *pixels,
 			  XpmColor *colors));
 
-LFUNC(WriteExtensions, void, (char *dataptr, unsigned int *used_size,
+LFUNC(WriteExtensions, void, (char *dataptr, size_t *used_size,
 			      XpmExtension *ext, unsigned int num));
 
-LFUNC(ExtensionsSize, int, (XpmExtension *ext, unsigned int num));
-LFUNC(CommentsSize, int, (XpmInfo *info));
+LFUNC(ExtensionsSize, size_t, (XpmExtension *ext, unsigned int num));
+LFUNC(CommentsSize, size_t, (XpmInfo *info));
 
 int
 XpmCreateBufferFromImage(display, buffer_return, image, shapeimage, attributes)
@@ -113,10 +113,11 @@
     /* calculation variables */
     int ErrorStatus;
     char buf[BUFSIZ];
-    unsigned int cmts, extensions, ext_size = 0;
-    unsigned int l, cmt_size = 0;
+    unsigned int cmts, extensions;
+    size_t ext_size = 0;
+    size_t l, cmt_size = 0;
     char *ptr = NULL, *p;
-    unsigned int ptr_size, used_size;
+    size_t ptr_size, used_size;
 
     *buffer_return = NULL;
 
@@ -253,8 +254,8 @@
 static int
 WriteColors(dataptr, data_size, used_size, colors, ncolors, cpp)
     char **dataptr;
-    unsigned int *data_size;
-    unsigned int *used_size;
+    size_t *data_size;
+    size_t *used_size;
     XpmColor *colors;
     unsigned int ncolors;
     unsigned int cpp;
@@ -299,7 +300,7 @@
 static void
 WritePixels(dataptr, used_size, width, height, cpp, pixels, colors)
     char *dataptr;
-    unsigned int *used_size;
+    size_t *used_size;
     unsigned int width;
     unsigned int height;
     unsigned int cpp;
@@ -329,12 +330,13 @@
     *used_size += s - dataptr;
 }
 
-static int
+static size_t
 ExtensionsSize(ext, num)
     XpmExtension *ext;
     unsigned int num;
 {
-    unsigned int x, y, a, size;
+    unsigned int x, y, a;
+    size_t size;
     char **line;
 
     size = 0;
@@ -353,7 +355,7 @@
 static void
 WriteExtensions(dataptr, used_size, ext, num)
     char *dataptr;
-    unsigned int *used_size;
+    size_t *used_size;
     XpmExtension *ext;
     unsigned int num;
 {
@@ -384,11 +386,11 @@
     *used_size += s - dataptr + 13;
 }
 
-static int
+static size_t
 CommentsSize(info)
     XpmInfo *info;
 {
-    int size = 0;
+    size_t size = 0;
 
     /* 5 = 2 (for "/_*") + 3 (for "*_/\n") */
     if (info->hints_cmt)
--- lib/Xm/XpmCrDatFrI.c
+++ lib/Xm/XpmCrDatFrI.c
@@ -134,8 +134,6 @@
      */
     header_nlines = 1 + image->ncolors;
     header_size = sizeof(char *) * header_nlines;
-    if (header_size >= SIZE_MAX / sizeof(char *))
-	return (XpmNoMemory);
     header = (char **) XpmCalloc(header_size, sizeof(char *));
     if (!header)
 	return (XpmNoMemory);
--- lib/Xm/XpmI.h
+++ lib/Xm/XpmI.h
@@ -179,26 +179,14 @@
 		boundCheckingCalloc((long)(nelem),(long) (elsize))
 #endif
 
-#if defined(SCO) || defined(__USLC__)
-#include <stdint.h>	/* For SIZE_MAX */
-#endif
-#include <limits.h>
-#ifndef SIZE_MAX
-# ifdef ULONG_MAX
-#  define SIZE_MAX ULONG_MAX
-# else 
-#  define SIZE_MAX UINT_MAX
-# endif
-#endif
-
 #define XPMMAXCMTLEN BUFSIZ
 typedef struct {
     unsigned int type;
     union {
 	FILE *file;
-	char **data;
+	unsigned char **data;
     }     stream;
-    char *cptr;
+    unsigned char *cptr;
     unsigned int line;
     int CommentLength;
     char Comment[XPMMAXCMTLEN];
@@ -288,9 +276,9 @@
 }      *xpmHashAtom;
 
 typedef struct {
-    unsigned int size;
-    unsigned int limit;
-    unsigned int used;
+    int size;
+    int limit;
+    int used;
     xpmHashAtom *atomTable;
 }      xpmHashTable;
 
--- lib/Xm/XpmRdFToI.c
+++ lib/Xm/XpmRdFToI.c
@@ -124,6 +124,27 @@
     return (ErrorStatus);
 }
 
+
+/* Quote filename and prepend prefix. */
+static char *quote_file(prefix, filename, len)
+    const char *prefix, *filename;
+    size_t len;
+{
+    char *buf = XpmMalloc(strlen(prefix) + len * 2 + 1);
+    char *p = buf, *q;
+
+    if (!buf)
+	return 0;
+    strcpy(p, prefix);
+    p += strlen(p);
+    for (q = filename; *q; q++) {
+	*p++ = '\\';
+	*p++ = *q;
+    }
+    return buf;
+}
+  
+
 /*
  * open the given file to be read as an xpmData which is returned.
  */
@@ -133,7 +154,7 @@
     xpmData *mdata;
 {
 #ifndef NO_ZPIPE
-    char *compressfile, buf[(2*MAXPATHLEN) + 1];
+    char *compressfile, *buf;
 # ifdef STAT_ZFILE
     struct stat status;
 # endif
@@ -144,17 +165,25 @@
 	mdata->type = XPMFILE;
     } else {
 #ifndef NO_ZPIPE
-	int len = strlen(filename);
+	size_t len = strlen(filename);
 	if ((len > 2) && !strcmp(".Z", filename + (len - 2))) {
 	    mdata->type = XPMPIPE;
-	    sprintf(buf, "uncompress -c \"%s\"", filename);
-	    if (!(mdata->stream.file = popen(buf, "r")))
+	    buf = quote_file("uncompress -c ", filename, len);
+	    if (!buf)
+		return (XpmNoMemory);
+	    mdata->stream.file = popen(buf, "r");
+	    XpmFree(buf);
+	    if (!mdata->stream.file)
 		return (XpmOpenFailed);
 
 	} else if ((len > 3) && !strcmp(".gz", filename + (len - 3))) {
 	    mdata->type = XPMPIPE;
-	    sprintf(buf, "gunzip -qc \"%s\"", filename);
-	    if (!(mdata->stream.file = popen(buf, "r")))
+	    buf = quote_file("gunzip -qc ", filename, len);
+	    if (!buf)
+		return (XpmNoMemory);
+	    mdata->stream.file = popen(buf, "r");
+	    XpmFree(buf);
+	    if (!mdata->stream.file)
 		return (XpmOpenFailed);
 
 	} else {
@@ -164,28 +193,32 @@
 
 	    sprintf(compressfile, "%s.Z", filename);
 	    if (!stat(compressfile, &status)) {
-		sprintf(buf, "uncompress -c \"%s\"", compressfile);
-		if (!(mdata->stream.file = popen(buf, "r"))) {
-		    XpmFree(compressfile);
+		buf = quote_file("uncompress -c ", compressfile, len + 2);
+		XpmFree(compressfile);
+		if (!buf)
+		    return (XpmNoMemory);
+		mdata->stream.file = popen(buf, "r");
+		XpmFree(buf);
+		if (!mdata->stream.file)
 		    return (XpmOpenFailed);
-		}
 		mdata->type = XPMPIPE;
 	    } else {
 		sprintf(compressfile, "%s.gz", filename);
 		if (!stat(compressfile, &status)) {
-		    sprintf(buf, "gunzip -c \"%s\"", compressfile);
-		    if (!(mdata->stream.file = popen(buf, "r"))) {
-			XpmFree(compressfile);
+		    buf = quote_file("gunzip -c ", compressfile, len + 3);
+		    XpmFree(compressfile);
+		    if (!buf)
+			return (XpmNoMemory);
+		    mdata->stream.file = popen(buf, "r");
+		    XpmFree(buf);
+		    if (!mdata->stream.file)
 			return (XpmOpenFailed);
-		    }
 		    mdata->type = XPMPIPE;
 		} else {
+		    XpmFree(compressfile);
 # endif
 #endif
 		    if (!(mdata->stream.file = fopen(filename, "r"))) {
-#if !defined(NO_ZPIPE) && defined(STAT_ZFILE)
-			XpmFree(compressfile);
-#endif
 			return (XpmOpenFailed);
 		    }
 		    mdata->type = XPMFILE;
@@ -193,7 +226,6 @@
 # ifdef STAT_ZFILE
 		}
 	    }
-	    XpmFree(compressfile);
 # endif
 	}
 #endif
--- lib/Xm/XpmWrFFrI.c
+++ lib/Xm/XpmWrFFrI.c
@@ -117,7 +117,8 @@
 #endif
 	/* let's try to make a valid C syntax name */
 	if ((dot = index(name, '.'))) {
-	    strcpy(new_name, name);
+	    strncpy(new_name, name, sizeof(new_name));
+	    new_name[sizeof(new_name) - 1] = 0;
 	    /* change '.' to '_' */
 	    name = s = new_name;
 	    while ((dot = index(s, '.'))) {
@@ -127,7 +128,8 @@
 	}
 	if ((dot = index(name, '-'))) {
 	    if (name != new_name) {
-		strcpy(new_name, name);
+		strncpy(new_name, name, sizeof(new_name));
+		new_name[sizeof(new_name) - 1] = 0;
 		name = new_name;
 	    }
 	    /* change '-' to '_' */
@@ -243,10 +245,13 @@
     char *s, *p, *buf;
     unsigned int x, y, h;
 
+    if (height == 0)
+	return XpmFileInvalid;
+
     h = height - 1;
-    if (cpp != 0 && width >= (SIZE_MAX - 3)/cpp) 
+    if (cpp != 0 && width >= ((size_t)-1 - 3)/cpp) 
 	return XpmNoMemory;    
-    p = buf = (char *) XpmMalloc(width * cpp + 3);
+    p = buf = (char *) XpmMalloc((size_t)width * cpp + 3);
     if (!buf)
 	return (XpmNoMemory);
     *buf = '"';
@@ -293,6 +298,25 @@
     fprintf(file, ",\n\"XPMENDEXT\"");
 }
 
+/* Quote filename and prepend prefix. */
+static char *quote_file(prefix, filename, len)
+    const char *prefix, *filename;
+    size_t len;
+{
+    char *buf = XpmMalloc(strlen(prefix) + len * 2 + 1);
+    char *p = buf, *q;
+
+    if (!buf)
+	return 0;
+    strcpy(p, prefix);
+    p += strlen(p);
+    for (q = filename; *q; q++) {
+	*p++ = '\\';
+	*p++ = *q;
+    }
+    return buf;
+}
+
 /*
  * open the given file to be written as an xpmData which is returned
  */
@@ -302,7 +326,7 @@
     xpmData *mdata;
 {
 #ifndef NO_ZPIPE
-    char buf[BUFSIZ];
+    char *buf;
 
 #endif
 
@@ -311,16 +335,24 @@
 	mdata->type = XPMFILE;
     } else {
 #ifndef NO_ZPIPE
-	int len = strlen(filename);
+	size_t len = strlen(filename);
 	if (len > 2 && !strcmp(".Z", filename + (len - 2))) {
-	    sprintf(buf, "compress > \"%s\"", filename);
-	    if (!(mdata->stream.file = popen(buf, "w")))
+	    buf = quote_file("compress > ", filename, len);
+	    if (!buf)
+		return XpmNoMemory;
+	    mdata->stream.file = popen(buf, "w");
+	    XpmFree(buf);
+	    if (!mdata->stream.file)
 		return (XpmOpenFailed);
 
 	    mdata->type = XPMPIPE;
 	} else if (len > 3 && !strcmp(".gz", filename + (len - 3))) {
-	    sprintf(buf, "gzip -q > \"%s\"", filename);
-	    if (!(mdata->stream.file = popen(buf, "w")))
+	    buf = quote_file("gzip -q > ", filename, len);
+	    if (!buf)
+		return XpmNoMemory;
+	    mdata->stream.file = popen(buf, "w");
+	    XpmFree(buf);
+	    if (!mdata->stream.file)
 		return (XpmOpenFailed);
 
 	    mdata->type = XPMPIPE;
--- lib/Xm/Xpmcreate.c
+++ lib/Xm/Xpmcreate.c
@@ -804,9 +804,6 @@
 
     ErrorStatus = XpmSuccess;
 
-    if (image->ncolors >= SIZE_MAX / sizeof(Pixel)) 
-	return (XpmNoMemory);
-
     /* malloc pixels index tables */
     image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * image->ncolors);
     if (!image_pixels)
@@ -950,8 +947,6 @@
 	return (XpmNoMemory);
 
 #ifndef FOR_MSW
-    if (height != 0 && (*image_return)->bytes_per_line >= SIZE_MAX / height)
-        return (XpmNoMemory);
     /* now that bytes_per_line must have been set properly alloc data */
     (*image_return)->data =
 	(char *) XpmMalloc((*image_return)->bytes_per_line * height);
@@ -1997,9 +1992,6 @@
 	xpmGetCmt(data, &colors_cmt);
 
     /* malloc pixels index tables */
-    if (ncolors >= SIZE_MAX / sizeof(Pixel)) 
-	return XpmNoMemory;
-
     image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * ncolors);
     if (!image_pixels)
 	RETURN(XpmNoMemory);
@@ -2215,9 +2207,6 @@
 	{
 	    unsigned short colidx[256];
 
- 	    if (ncolors > 256)
- 		return (XpmFileInvalid);
-
 	    bzero((char *)colidx, 256 * sizeof(short));
 	    for (a = 0; a < ncolors; a++)
 		colidx[(unsigned char)colorTable[a].string[0]] = a + 1;
@@ -2316,9 +2305,6 @@
 	    char *s;
 	    char buf[BUFSIZ];
 
-	    if (cpp >= sizeof(buf))
-		return (XpmFileInvalid);
-
 	    buf[cpp] = '\0';
 	    if (USE_HASHTABLE) {
 		xpmHashAtom *slot;
--- lib/Xm/Xpmdata.c
+++ lib/Xm/Xpmdata.c
@@ -297,7 +297,7 @@
 
     if (!mdata->type || mdata->type == XPMBUFFER) {
 	if (mdata->cptr) {
-	    char *start = mdata->cptr;
+	    unsigned char *start = mdata->cptr;
 	    while ((c = *mdata->cptr) && c != mdata->Eos)
 		mdata->cptr++;
 	    n = mdata->cptr - start + 1;
@@ -376,7 +376,7 @@
 {
     if (!mdata->type)
 	*cmt = NULL;
-    else if (mdata->CommentLength != 0 && mdata->CommentLength < SIZE_MAX - 1) {
+    else if (mdata->CommentLength) {
 	*cmt = (char *) XpmMalloc(mdata->CommentLength + 1);
 	strncpy(*cmt, mdata->Comment, mdata->CommentLength);
 	(*cmt)[mdata->CommentLength] = '\0';
--- lib/Xm/Xpmhashtab.c
+++ lib/Xm/Xpmhashtab.c
@@ -141,17 +141,17 @@
     xpmHashTable *table;
 {
     xpmHashAtom *atomTable = table->atomTable;
-    unsigned int size = table->size;
+    int size = table->size;
     xpmHashAtom *t, *p;
     int i;
     int oldSize = size;
 
     t = atomTable;
     HASH_TABLE_GROWS
-	table->size = size;
-    table->limit = size / 3;
-    if (size >= SIZE_MAX / sizeof(*atomTable)) 
+    if (size <= 0)
 	return (XpmNoMemory);
+    table->size = size;
+    table->limit = size / 3;
     atomTable = (xpmHashAtom *) XpmMalloc(size * sizeof(*atomTable));
     if (!atomTable)
 	return (XpmNoMemory);
@@ -212,8 +212,6 @@
     table->size = INITIAL_HASH_SIZE;
     table->limit = table->size / 3;
     table->used = 0;
-    if (table->size >= SIZE_MAX / sizeof(*atomTable))
-	return (XpmNoMemory);
     atomTable = (xpmHashAtom *) XpmMalloc(table->size * sizeof(*atomTable));
     if (!atomTable)
 	return (XpmNoMemory);
--- lib/Xm/Xpmmisc.c
+++ lib/Xm/Xpmmisc.c
@@ -52,7 +52,7 @@
     char *s1;
 {
     char *s2;
-    int l = strlen(s1) + 1;
+    size_t l = strlen(s1) + 1;
 
     if (s2 = (char *) XpmMalloc(l))
 	strcpy(s2, s1);
--- lib/Xm/Xpmparse.c
+++ lib/Xm/Xpmparse.c
@@ -46,25 +46,6 @@
 
 #include "XpmI.h"
 #include <ctype.h>
-#include <string.h>
- 
-#ifdef HAS_STRLCAT
-# define STRLCAT(dst, src, dstsize) { \
-       if (strlcat(dst, src, dstsize) >= (dstsize)) \
-           return (XpmFileInvalid); }
-# define STRLCPY(dst, src, dstsize) { \
-       if (strlcpy(dst, src, dstsize) >= (dstsize)) \
-           return (XpmFileInvalid); }
-#else
-# define STRLCAT(dst, src, dstsize) { \
-       if ((strlen(dst) + strlen(src)) < (dstsize)) \
-           strcat(dst, src); \
-       else return (XpmFileInvalid); }
-# define STRLCPY(dst, src, dstsize) { \
-       if (strlen(src) < (dstsize)) \
-           strcpy(dst, src); \
-       else return (XpmFileInvalid); }
-#endif
 
 LFUNC(ParsePixels, int, (xpmData *data, unsigned int width,
 			 unsigned int height, unsigned int ncolors,
@@ -234,7 +215,7 @@
     unsigned int *extensions;
 {
     unsigned int l;
-    char buf[BUFSIZ + 1];
+    char buf[BUFSIZ];
 
     if (!data->format) {		/* XPM 2 or 3 */
 
@@ -332,6 +313,17 @@
 	*hotspot = 0;
 	*extensions = 0;
     }
+
+    /* Do some plausibility checks.  */
+    if (*width == 0 || *height == 0 || *ncolors == 0 || *cpp == 0)
+	return XpmFileInvalid;
+    if (*cpp > 8)
+	return XpmFileInvalid;
+    if (*width > (1 << (sizeof(int) * 8 - 4)) / *height)
+	return XpmFileInvalid;
+    if (*ncolors > (1 << (sizeof(int) * 8 - 4)) / (*width * *height))
+	return XpmFileInvalid;
+
     return (XpmSuccess);
 }
 
@@ -343,10 +335,10 @@
     XpmColor **colorTablePtr;
     xpmHashTable *hashtable;
 {
-    unsigned int key, l, a, b, len;
+    unsigned int key, l, a, b;
     unsigned int curkey;		/* current color key */
     unsigned int lastwaskey;		/* key read */
-    char buf[BUFSIZ + 1];
+    char buf[BUFSIZ];
     char curbuf[BUFSIZ];		/* current buffer */
     char **sptr, *s;
     XpmColor *color;
@@ -354,8 +346,6 @@
     char **defaults;
     int ErrorStatus;
 
-    if (ncolors >= SIZE_MAX / sizeof(XpmColor))
-        return (XpmNoMemory);
     colorTable = (XpmColor *) XpmCalloc(ncolors, sizeof(XpmColor));
     if (!colorTable)
 	return (XpmNoMemory);
@@ -367,10 +357,6 @@
 	    /*
 	     * read pixel value
 	     */
-	    if (cpp >= SIZE_MAX - 1) {
-	        xpmFreeColorTable(colorTable, ncolors);
-		return (XpmNoMemory);
-	    }
 	    color->string = (char *) XpmMalloc(cpp + 1);
 	    if (!color->string) {
 		xpmFreeColorTable(colorTable, ncolors);
@@ -408,14 +394,13 @@
 		}
 		if (!lastwaskey && key < NKEYS) {	/* open new key */
 		    if (curkey) {	/* flush string */
-		        len = strlen(curbuf) + 1;
-			s = (char *) XpmMalloc(len);
+			s = (char *) XpmMalloc(strlen(curbuf) + 1);
 			if (!s) {
 			    xpmFreeColorTable(colorTable, ncolors);
 			    return (XpmNoMemory);
 			}
 			defaults[curkey] = s;
-			memcpy(s, curbuf, len);
+			strcpy(s, curbuf);
 		    }
 		    curkey = key + 1;	/* set new key  */
 		    *curbuf = '\0';	/* reset curbuf */
@@ -425,10 +410,14 @@
 			xpmFreeColorTable(colorTable, ncolors);
 			return (XpmFileInvalid);
 		    }
+		    if (strlen(curbuf) + l + 2 >= sizeof(curbuf)) {
+			xpmFreeColorTable(colorTable, ncolors);
+			return (XpmNoMemory);
+		    }
 		    if (!lastwaskey)
-		        STRLCAT(curbuf, " ", sizeof(curbuf)); /* append space */
+			strcat(curbuf, " ");	/* append space */
 		    buf[l] = '\0';
-		    STRLCAT(curbuf, buf, sizeof(curbuf));/* append buf */
+		    strcat(curbuf, buf);/* append buf */
 		    lastwaskey = 0;
 		}
 	    }
@@ -436,13 +425,12 @@
 		xpmFreeColorTable(colorTable, ncolors);
 		return (XpmFileInvalid);
 	    }
-	    len = strlen(curbuf) + 1;
-	    s = defaults[curkey] = (char *) XpmMalloc(len);
+	    s = defaults[curkey] = (char *) XpmMalloc(strlen(curbuf) + 1);
 	    if (!s) {
 		xpmFreeColorTable(colorTable, ncolors);
 		return (XpmNoMemory);
 	    }
-	    memcpy(s, curbuf, len);
+	    strcpy(s, curbuf);
 	}
     } else {				/* XPM 1 */
 	/* get to the beginning of the first string */
@@ -455,10 +443,6 @@
 	    /*
 	     * read pixel value
 	     */
-	    if (cpp >= SIZE_MAX - 1) {
-	        xpmFreeColorTable(colorTable, ncolors);
-		return (XpmNoMemory);
-	    }
 	    color->string = (char *) XpmMalloc(cpp + 1);
 	    if (!color->string) {
 		xpmFreeColorTable(colorTable, ncolors);
@@ -486,18 +470,21 @@
 	    xpmNextString(data);	/* get to the next string */
 	    *curbuf = '\0';		/* init curbuf */
 	    while ((l = xpmNextWord(data, buf, BUFSIZ))) {
+		if (strlen(curbuf) + l + 2 >= sizeof(curbuf)) {
+		    xpmFreeColorTable(colorTable, ncolors);
+		    return (XpmNoMemory);
+		}
 		if (*curbuf != '\0')
-		    STRLCAT(curbuf, " ", sizeof(curbuf));/* append space */
+		    strcat(curbuf, " ");/* append space */
 		buf[l] = '\0';
-		STRLCAT(curbuf, buf, sizeof(curbuf));   /* append buf */
+		strcat(curbuf, buf);	/* append buf */
 	    }
-	    len = strlen(curbuf) + 1;
-	    s = (char *) XpmMalloc(len);
+	    s = (char *) XpmMalloc(strlen(curbuf) + 1);
 	    if (!s) {
 		xpmFreeColorTable(colorTable, ncolors);
 		return (XpmNoMemory);
 	    }
-	    memcpy(s, curbuf, len);
+	    strcpy(s, curbuf);
 	    color->c_color = s;
 	    *curbuf = '\0';		/* reset curbuf */
 	    if (a < ncolors - 1)
@@ -522,9 +509,6 @@
     unsigned int *iptr, *iptr2;
     unsigned int a, x, y;
 
-    if ((height > 0 && width >= SIZE_MAX / height) ||
-	width * height >= SIZE_MAX / sizeof(unsigned int)) 
-        return XpmNoMemory;
 #ifndef FOR_MSW
     iptr2 = (unsigned int *) XpmMalloc(sizeof(unsigned int) * width * height);
 #else
@@ -548,9 +532,6 @@
 	{
 	    unsigned short colidx[256];
 
-	    if (ncolors > 256)
-	        return (XpmFileInvalid);
-
 	    bzero((char *)colidx, 256 * sizeof(short));
 	    for (a = 0; a < ncolors; a++)
 		colidx[(unsigned char)colorTable[a].string[0]] = a + 1;
@@ -585,7 +566,7 @@
 
 	    bzero((char *)cidx, 256 * sizeof(unsigned short *)); /* init */
 	    for (a = 0; a < ncolors; a++) {
-		char1 = colorTable[a].string[0];
+		char1 = (unsigned char)colorTable[a].string[0];
 		if (cidx[char1] == NULL) { /* get new memory */
 		    cidx[char1] = (unsigned short *)
 			XpmCalloc(256, sizeof(unsigned short));
@@ -628,9 +609,6 @@
 	    char *s;
 	    char buf[BUFSIZ];
 
-	    if (cpp >= sizeof(buf))
-	        return (XpmFileInvalid);
-
 	    buf[cpp] = '\0';
 	    if (USE_HASHTABLE) {
 		xpmHashAtom *slot;
--- lib/Xm/Xpmscan.c
+++ lib/Xm/Xpmscan.c
@@ -98,8 +98,7 @@
 LFUNC(ScanTransparentColor, int, (XpmColor *color, unsigned int cpp,
 				  XpmAttributes *attributes));
 
-LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors, 
-			     unsigned int ncolors, 
+LFUNC(ScanOtherColors, int, (Display *display, XpmColor *colors, int ncolors,
 			     Pixel *pixels, unsigned int mask,
 			     unsigned int cpp, XpmAttributes *attributes));
 
@@ -226,17 +225,11 @@
     else
 	cpp = 0;
 
-    if ((height > 0 && width >= SIZE_MAX / height) ||
-	width * height >= SIZE_MAX / sizeof(unsigned int))
-	RETURN(XpmNoMemory);
     pmap.pixelindex =
 	(unsigned int *) XpmCalloc(width * height, sizeof(unsigned int));
     if (!pmap.pixelindex)
 	RETURN(XpmNoMemory);
 
-    if (pmap.size >= SIZE_MAX / sizeof(Pixel)) 
-	RETURN(XpmNoMemory);
-
     pmap.pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * pmap.size);
     if (!pmap.pixels)
 	RETURN(XpmNoMemory);
@@ -291,8 +284,7 @@
      * get rgb values and a string of char, and possibly a name for each
      * color
      */
-    if (pmap.ncolors >= SIZE_MAX / sizeof(XpmColor))
-	RETURN(XpmNoMemory);
+
     colorTable = (XpmColor *) XpmCalloc(pmap.ncolors, sizeof(XpmColor));
     if (!colorTable)
 	RETURN(XpmNoMemory);
@@ -340,8 +332,6 @@
 
     /* first get a character string */
     a = 0;
-    if (cpp >= SIZE_MAX - 1)
-	return (XpmNoMemory);
     if (!(s = color->string = (char *) XpmMalloc(cpp + 1)))
 	return (XpmNoMemory);
     *s++ = printable[c = a % MAXPRINTABLE];
@@ -389,7 +379,7 @@
 ScanOtherColors(display, colors, ncolors, pixels, mask, cpp, attributes)
     Display *display;
     XpmColor *colors;
-    unsigned int ncolors;
+    int ncolors;
     Pixel *pixels;
     unsigned int mask;
     unsigned int cpp;
@@ -433,8 +423,6 @@
     }
 
     /* first get character strings and rgb values */
-    if (ncolors >= SIZE_MAX / sizeof(XColor) || cpp >= SIZE_MAX - 1)
-	return (XpmNoMemory);
     xcolors = (XColor *) XpmMalloc(sizeof(XColor) * ncolors);
     if (!xcolors)
 	return (XpmNoMemory);