diff -u imlib2-1.0.5/loaders/loader_bmp.c imlib2-1.0.5/loaders/loader_bmp.c
--- imlib2-1.0.5/loaders/loader_bmp.c
+++ imlib2-1.0.5/loaders/loader_bmp.c
@@ -134,7 +134,7 @@
 return 0;
 }
- if ((w > 32768) || (h>32768))
+ if ((w <= 0) || (w > 32768) || (h<=0) || (h>32768))
 {
 fclose(f);
 return 0;
diff -u imlib2-1.0.5/debian/changelog imlib2-1.0.5/debian/changelog
--- imlib2-1.0.5/debian/changelog
+++ imlib2-1.0.5/debian/changelog
@@ -1,3 +1,11 @@
+imlib2 (1.0.5-2woody2) stable-security; urgency=high
+
+ * Non-maintainer upload by the Securty Team
+ * Backported patch from imlib to integer overflows
+ [loaders/loader_xpm.c, CAN-2004-1026]
+
+ -- Martin Schulze Thu, 23 Dec 2004 20:20:08 +0100
+
 imlib2 (1.0.5-2woody1) stable-security; urgency=high
 * Non-maintainer upload by the Securty Team
only in patch2:
unchanged:
--- imlib2-1.0.5.orig/loaders/loader_xpm.c
+++ imlib2-1.0.5/loaders/loader_xpm.c
@@ -120,6 +120,7 @@
 done = 0;
 transp = -1;
+ memset(lookup, 0, sizeof(lookup));
 /* if immediate_load is 1, then dont delay image laoding as below, or */
 /* already data in this image - dont load it again */
@@ -157,6 +158,9 @@
 quote = 0;
 context = 0;
 line = malloc(lsz);
+ if (!line)
+ return NULL;
+
 while (!done)
 {
 pc = c;
@@ -185,7 +189,7 @@
 {
 /* Header */
 sscanf(line, "%i %i %i %i", &w, &h, &ncolors, &cpp);
- if (ncolors > 32766)
+ if (ncolors <= 0 || ncolors > 32766)
 {
 fprintf(stderr, "IMLIB ERROR: XPM files with colors > 32766 not supported\n");
 free(line);
@@ -193,7 +197,7 @@
 xpm_parse_done();
 return 0;
 }
- if (cpp > 5)
+ if (cpp <= 0 || cpp > 5)
 {
 fprintf(stderr, "IMLIB ERROR: XPM files with characters per pixel > 5 not supported\n");
 free(line);
@@ -201,7 +205,7 @@
 xpm_parse_done();
 return 0;
 }
- if (w > 32767)
+ if (w <= 0 || w > 32767)
 {
 fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n");
 free(line);
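Review bot: The per-dimension cap in the `loader_bmp.c` hunk (`w > 32768`, `h > 32768`) still admits sizes whose product can overflow: 32768 x 32768 pixels at 4 bytes each is exactly 2^32, which wraps in 32-bit arithmetic. The allocation is outside the hunk, so this needs confirming, but if the pixel buffer is sized from `w * h` the check should bound the product as well, for example by adding `|| (w > INT_MAX / 4 / h)` (assuming 4 bytes per pixel) after the `<= 0` tests. The same concern applies to the `w` and `h` checks in the `loader_xpm.c` hunks at `@@ -201` and `@@ -209`. The BMP limit is also one larger than the XPM limit (32768 versus 32767); a single shared macro would keep the loaders consistent.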
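Review bot: The new `if (!line) return NULL;` after `line = malloc(lsz);` in the `@@ -157` hunk exits without the cleanup that the other failure paths visible in this file perform; the header-check hunks all call `xpm_parse_done()` before `return 0;`. It also returns `NULL` where every other visible path returns `0`, which suggests an integer return type. I would write `if (!line) { xpm_parse_done(); return 0; }`, and also close the input stream if one is open at this point (not visible in the hunk). The enclosing function starts and ends outside the hunk.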
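Review bot: The `sscanf(line, "%i %i %i %i", &w, &h, &ncolors, &cpp);` call that feeds the range checks in the `@@ -185` hunk ignores its return value, so a header with fewer than four numeric fields leaves some of those variables at whatever they held before (their initialisation is not visible here) and the new `<= 0` tests run on stale data. Testing `if (sscanf(line, "%i %i %i %i", &w, &h, &ncolors, &cpp) != 4)` and taking the same error exit would close that gap. The messages no longer match the conditions either: a zero or negative `ncolors` now prints "colors > 32766 not supported", which misleads whoever triages a rejected file. Both points apply equally to the `cpp`, `w` and `h` hunks at `@@ -193`, `@@ -201` and `@@ -209`.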
@@ -209,7 +213,7 @@
 xpm_parse_done();
 return 0;
 }
- if (h > 32767)
+ if (h <= 0 || h > 32767)
 {
 fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n");
 free(line);
@@ -244,11 +248,13 @@
 {
 int slen;
 int hascolor, iscolor;
+ int space;
 iscolor = 0;
 hascolor = 0;
 tok[0] = 0;
 col[0] = 0;
+ space = sizeof(col) - 1;
 s[0] = 0;
 len = strlen(line);
 strncpy(cmap[j].str, line, cpp);
@@ -271,10 +277,16 @@
 {
 if (k >= len)
 {
- if (col[0])
+ if (col[0] && space > 0)
+ {
 strcat(col, " ");
- if (strlen(col) + strlen(s) < sizeof(col))
+ space--;
+ }
+ if (slen <= space)
+ {
 strcat(col, s);
+ space -= slen;
+ }
 }
 if (col[0])
 {
@@ -299,14 +311,23 @@
 }
 }
 }
+ if (slen < sizeof(tok))
 strcpy(tok, s);
 col[0] = 0;
+ space = sizeof(col) - 1;
 }
 else
 {
- if (col[0])
+ if (col[0] && space > 0)
+ {
 strcat(col, " ");
+ space--;
+ }
+ if (slen <= space)
+ {
 strcat(col, s);
+ space -= slen;
+ }
 }
 }
 }
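Review bot: The bounded append in the `@@ -271` hunk truncates silently: when `slen > space` the token is skipped with no diagnostic, and the separator may already have been appended, so `col` can end up as a partial colour name with a trailing space that is then used as if it were valid. Treating an oversized colour string as a malformed file and taking the existing error exit would be safer than continuing with a truncated name. The same sequence is repeated in the `else` branch of the `@@ -299` hunk; a small `static` helper taking `col`, `&space`, `s` and `slen` would keep the two copies from drifting apart. `slen` is assigned outside these hunks, so the accounting is only sound if it equals `strlen(s)` at both sites.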
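Review bot: `if (slen < sizeof(tok)) strcpy(tok, s);` in the `@@ -299` hunk leaves `tok` holding its previous contents when `s` is too long, yet `col` and `space` are still reset on the following lines, so parsing presumably continues with a stale key. The comparison also mixes `int slen` with the `size_t` result of `sizeof`, which converts `slen` to unsigned. I would make the failure explicit with `if ((size_t)slen >= sizeof(tok))` leading to the error exit, and put braces around the guarded `strcpy`. How `s` itself is filled is outside the hunk; these bounds on `tok` and `col` only help if that read is limited to the size of `s`.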