File bug-569615_01_integer-overflow-vuln.patch of Package libthai

Index: libthai-0.1.9/src/thbrk/brk-maximal.c
===================================================================
--- libthai-0.1.9.orig/src/thbrk/brk-maximal.c	2010-01-09 15:28:01.000000000 +0700
+++ libthai-0.1.9/src/thbrk/brk-maximal.c	2010-01-09 15:29:46.000000000 +0700
@@ -7,6 +7,7 @@
 
 #include <string.h>
 #include <stdlib.h>
+#include <stdint.h>
 #include <limits.h>
 #include <datrie/sb-trie.h>
 #include <thai/tis.h>
@@ -467,11 +468,14 @@
 {
     BestBrk *best_brk;
 
+    if ((size_t) n_brk_pos > SIZE_MAX / sizeof (int))
+        return NULL;
+
     best_brk = (BestBrk *) malloc (sizeof (BestBrk));
     if (!best_brk)
         return NULL;
 
-    best_brk->brk_pos = (int *) malloc (n_brk_pos * sizeof (int));
+    best_brk->brk_pos = (int *) malloc ((size_t) n_brk_pos * sizeof (int));
     if (!best_brk->brk_pos)
         goto exit1;
     best_brk->n_brk_pos = n_brk_pos;
Index: libthai-0.1.9/src/thbrk/thbrk.c
===================================================================
--- libthai-0.1.9.orig/src/thbrk/thbrk.c	2010-01-09 15:28:09.000000000 +0700
+++ libthai-0.1.9/src/thbrk/thbrk.c	2010-01-09 15:28:29.000000000 +0700
@@ -7,6 +7,7 @@
 
 #include <string.h>
 #include <stdlib.h>
+#include <stdint.h>
 #include <thai/tis.h>
 #include <thai/thctype.h>
 #include <thai/thbrk.h>
@@ -17,12 +18,16 @@
 th_brk_line (const thchar_t *in, thchar_t *out, size_t n, const char *delim)
 {
     int        *brk_pos;
-    int         n_brk_pos, i, j;
+    size_t      n_brk_pos, i, j;
     int         delim_len;
     thchar_t   *p_out;
 
     n_brk_pos = strlen ((const char *) in);
+    if (n_brk_pos > SIZE_MAX / sizeof (int))
+        return 0;
     brk_pos = (int *) malloc (n_brk_pos * sizeof (int));
+    if (!brk_pos)
+        return 0;
 
     n_brk_pos = th_brk (in, brk_pos, n_brk_pos);