diff -NurdB gtk+-2.8.6/gdk-pixbuf/io-xpm.c gtk+-2.8.6-patched/gdk-pixbuf/io-xpm.c
--- gtk+-2.8.6/gdk-pixbuf/io-xpm.c	2005-03-07 22:59:45.000000000 -0500
+++ gtk+-2.8.6-patched/gdk-pixbuf/io-xpm.c	2005-10-27 11:41:12.000000000 -0500
@@ -405,7 +405,8 @@
 		/* Fall through to the xpm_read_string. */
 
 	case op_body:
-		xpm_read_string (h->infile, &h->buffer, &h->buffer_size);
+		if(!xpm_read_string (h->infile, &h->buffer, &h->buffer_size))
+			return NULL;
 		return h->buffer;
 
 	default:
@@ -500,7 +501,9 @@
                              _("XPM has invalid number of chars per pixel"));
 		return NULL;
 	}
-	if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1)) {
+	if (n_col <= 0 || 
+	    n_col >= G_MAXINT / (cpp + 1) || 
+	    n_col >= G_MAXINT / sizeof (XPMColor)) {
                 g_set_error (error,
                              GDK_PIXBUF_ERROR,
                              GDK_PIXBUF_ERROR_CORRUPT_IMAGE,