--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/open-src/xserver/xorg/6635740.patch	Tue Dec 18 17:27:36 2007 -0800
@@ -0,0 +1,98 @@
+--- xorg-server-1.1.1/Xext/shm.c.freedesktop-bug-13520	2006-07-06 04:31:36.000000000 +1000
++++ xorg-server-1.1.1/Xext/shm.c	2007-12-14 13:08:59.000000000 +1000
+@@ -725,6 +725,8 @@
+     int i, j, result;
+     ShmDescPtr shmdesc;
+     REQUEST(xShmCreatePixmapReq);
++    unsigned int width, height, depth;
++    unsigned long size;
+     PanoramiXRes *newPix;
+ 
+     REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
+@@ -734,11 +736,26 @@
+     LEGAL_NEW_RESOURCE(stuff->pid, client);
+     VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
+     VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
+-    if (!stuff->width || !stuff->height)
++
++    width = stuff->width;
++    height = stuff->height;
++    depth = stuff->depth;
++    if (!width || !height || !depth)
+     {
+ 	client->errorValue = 0;
+         return BadValue;
+     }
++    if (width > 32767 || height > 32767)
++        return BadAlloc;
++    size = PixmapBytePad(width, depth) * height;
++    if (sizeof(size) == 4) {
++        if (size < width * height)
++            return BadAlloc;
++        /* thankfully, offset is unsigned */
++        if (stuff->offset + size < size)
++            return BadAlloc;
++    }
++
+     if (stuff->depth != 1)
+     {
+         pDepth = pDraw->pScreen->allowedDepths;
+@@ -749,9 +766,7 @@
+         return BadValue;
+     }
+ CreatePmap:
+-    VERIFY_SHMSIZE(shmdesc, stuff->offset,
+-		   PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
+-		   client);
++    VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
+ 
+     if(!(newPix = (PanoramiXRes *) xalloc(sizeof(PanoramiXRes))))
+ 	return BadAlloc;
+@@ -1049,6 +1064,8 @@
+     register int i;
+     ShmDescPtr shmdesc;
+     REQUEST(xShmCreatePixmapReq);
++    unsigned int width, height, depth;
++    unsigned long size;
+ 
+     REQUEST_SIZE_MATCH(xShmCreatePixmapReq);
+     client->errorValue = stuff->pid;
+@@ -1057,11 +1074,26 @@
+     LEGAL_NEW_RESOURCE(stuff->pid, client);
+     VERIFY_GEOMETRABLE(pDraw, stuff->drawable, client);
+     VERIFY_SHMPTR(stuff->shmseg, stuff->offset, TRUE, shmdesc, client);
+-    if (!stuff->width || !stuff->height)
++    
++    width = stuff->width;
++    height = stuff->height;
++    depth = stuff->depth;
++    if (!width || !height || !depth)
+     {
+ 	client->errorValue = 0;
+         return BadValue;
+     }
++    if (width > 32767 || height > 32767)
++	return BadAlloc;
++    size = PixmapBytePad(width, depth) * height;
++    if (sizeof(size) == 4) {
++	if (size < width * height)
++	    return BadAlloc;
++	/* thankfully, offset is unsigned */
++	if (stuff->offset + size < size)
++	    return BadAlloc;
++    }
++
+     if (stuff->depth != 1)
+     {
+         pDepth = pDraw->pScreen->allowedDepths;
+@@ -1072,9 +1104,7 @@
+         return BadValue;
+     }
+ CreatePmap:
+-    VERIFY_SHMSIZE(shmdesc, stuff->offset,
+-		   PixmapBytePad(stuff->width, stuff->depth) * stuff->height,
+-		   client);
++    VERIFY_SHMSIZE(shmdesc, stuff->offset, size, client);
+     pMap = (*shmFuncs[pDraw->pScreen->myNum]->CreatePixmap)(
+ 			    pDraw->pScreen, stuff->width,
+ 			    stuff->height, stuff->depth,

--- a/open-src/xserver/xorg/patch-list	Fri Dec 14 16:23:01 2007 -0800
+++ b/open-src/xserver/xorg/patch-list	Tue Dec 18 17:27:36 2007 -0800
@@ -50,3 +50,4 @@
 xv-swap.patch
 6635727.patch,-p1
 6636174.patch,-p1
+6635740.patch,-p1