Index: lib/font/Type1/afm.c
===================================================================
RCS file: /cvs/xorg/xc/lib/font/Type1/afm.c,v
retrieving revision 1.2
diff -u -u -r1.2 afm.c
--- lib/font/Type1/afm.c 23 Apr 2004 18:44:08 -0000 1.2
+++ lib/font/Type1/afm.c 12 Sep 2006 07:55:43 -0000
@@ -22,6 +22,7 @@
 #include
 #include
 #include
+#include
 #else
 #include "Xmd.h" /* For INT32 declaration */
 #include "Xdefs.h" /* For Bool */
@@ -111,6 +112,11 @@
 fi->nChars = atoi(p);
+ if (fi->nChars < 0 || fi->nChars > INT_MAX / sizeof(Metrics)) {
+ xfree(afmbuf);
+ xfree(fi);
+ return(1);
+ }
 fi->metrics = (Metrics *)xalloc(fi->nChars * sizeof(Metrics));
 if (fi->metrics == NULL) {
Index: lib/font/Type1/scanfont.c
===================================================================
RCS file: /cvs/xorg/xc/lib/font/Type1/scanfont.c,v
retrieving revision 1.2
diff -u -u -r1.2 scanfont.c
--- lib/font/Type1/scanfont.c 23 Apr 2004 18:44:09 -0000 1.2
+++ lib/font/Type1/scanfont.c 12 Sep 2006 07:55:43 -0000
@@ -1,4 +1,4 @@
-/* $XdotOrg: xc/lib/font/Type1/scanfont.c,v 1.2 2004-04-23 18:44:09 eich Exp $ */
+/* $XdotOrg: scanfont.c,v 1.3 2000/08/17 19:46:32 cpqbld Exp $ */
 /* $Xorg: scanfont.c,v 1.3 2000/08/17 19:46:32 cpqbld Exp $ */
 /* Copyright International Business Machines,Corp. 1991
 * All Rights Reserved
@@ -50,6 +50,7 @@
 #ifndef FONTMODULE
 #include
+#include
 #else
 #include "Xdefs.h" /* Bool declaration */
 #include "Xmd.h" /* INT32 declaration */
@@ -647,6 +648,7 @@
 arrayP->data.valueP = tokenStartP;
 /* allocate FDArray */
+ /* No integer overflow since arrayP->len is unsigned short */
 FDArrayP = (psfont *)vm_alloc(arrayP->len*(sizeof(psfont)));
 if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY);
@@ -843,7 +845,8 @@
 }
 return(SCAN_OK);
 }
-
+ if (N > INT_MAX / sizeof(psobj))
+ return (SCAN_ERROR);
 arrayP = (psobj *)vm_alloc(N*sizeof(psobj));
 if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY);
 FontP->Subrs.len = N;
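Review bot: In lib/font/Type1/afm.c (hunk at -111), the new range check only sees the result of `atoi(p)`, and `atoi` reports no conversion error and has undefined behaviour when the text does not fit in an `int`, so a malformed count in the AFM data can already be wrong before the check runs. Parsing with `strtol`, rejecting an empty conversion and `errno == ERANGE`, and only then applying `v < 0 || v > INT_MAX / sizeof(Metrics)` closes that gap. The early return frees `afmbuf` and `fi`; the body of the following `fi->metrics == NULL` branch is outside the hunk, so it is worth confirming that both exits release the same resources.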
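Review bot: In lib/font/Type1/scanfont.c (hunk at -647), the added comment is the only thing standing between `arrayP->len` and an overflow in `vm_alloc(arrayP->len*(sizeof(psfont)))`; nothing fails if the type of `len` is widened later. The declaration of `len` is outside the hunk, so the claim cannot be checked from here. An explicit guard in the style of the other hunks, `if (arrayP->len > INT_MAX / sizeof(psfont)) return(SCAN_ERROR);`, keeps the invariant enforced rather than merely documented.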
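Review bot: In scanfont.c (hunk at -843), `if (N > INT_MAX / sizeof(psobj))` has no `N < 0` term, unlike the `fi->nChars` and `rangecnt` checks in this same patch. If `N` is a signed int (its declaration and any earlier sign test are outside the hunk), a negative value is rejected only because the comparison converts it to an unsigned type, which is easy to lose in a later edit. Writing `if (N < 0 || N > INT_MAX / sizeof(psobj)) return(SCAN_ERROR);` states the intent directly, and putting it on one line or bracing it avoids the unbraced two-line `if` in a file that otherwise keeps such returns on the same line.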
@@ -904,7 +907,7 @@
 } else return(rc); /* if next token was not an Int */
 }
- if (N<=0) return(SCAN_ERROR);
+ if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR);
 /* save number of entries in the dictionary */
 dictP = (psdict *)vm_alloc((N+1)*sizeof(psdict));
@@ -1712,6 +1715,10 @@
 if (tokenType == TOKEN_INTEGER) rangecnt = tokenValue.integer;
+ if (rangecnt < 0 || rangecnt > INT_MAX / sizeof(spacerangecode)) {
+ rc = SCAN_ERROR;
+ break;
+ }
 /* ==> tokenLength, tokenTooLong, tokenType, and */
 /* tokenValue are now set */
Index: lib/font/Type1/util.c
===================================================================
RCS file: /cvs/xorg/xc/lib/font/Type1/util.c,v
retrieving revision 1.2
diff -u -u -r1.2 util.c
--- lib/font/Type1/util.c 23 Apr 2004 18:44:09 -0000 1.2
+++ lib/font/Type1/util.c 12 Sep 2006 07:55:43 -0000
@@ -97,7 +97,7 @@
 bytes = (bytes + 7) & ~7;
 /* Allocate the space, if it is available */
- if (bytes <= vm_free) {
+ if (bytes > 0 && bytes <= vm_free) {
 answer = vm_next;
 vm_free -= bytes;
 vm_next += bytes;
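Review bot: In scanfont.c (hunk at -904), the bound is computed for `N` elements but the allocation below it requests `(N+1)*sizeof(psdict)`, so `N == INT_MAX / sizeof(psdict)` passes the check while the byte count can exceed `INT_MAX`. What happens to that value depends on the parameter type of `vm_alloc`, which is not visible here. Tightening the test to `if (N<=0 || N >= INT_MAX / sizeof(psdict)) return(SCAN_ERROR);` keeps the request inside the range the check is meant to guarantee.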
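Review bot: In scanfont.c (hunk at -1712), the new range check also runs when `tokenType` is not `TOKEN_INTEGER`, in which case `rangecnt` was not assigned on the line above and the check tests whatever value it already held. The initialisation of `rangecnt` and the allocation that consumes it are outside the hunk, so this may be benign. If a count is mandatory at this point, a non-integer token is better rejected in its own right, e.g. `if (tokenType != TOKEN_INTEGER) { rc = SCAN_ERROR; break; }` ahead of the assignment. It is also worth confirming that the later allocation multiplies by `sizeof(spacerangecode)`, the element type this bound assumes.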
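Review bot: In lib/font/Type1/util.c, `bytes > 0` is tested only after `bytes = (bytes + 7) & ~7;`, so a request within 7 of the type's maximum overflows in the rounding before the guard sees it. If `bytes` is signed (its declaration is outside the hunk), that is undefined behaviour rather than a dependable wrap to a negative value. Rejecting non-positive sizes and sizes above the maximum minus 7 before the rounding line removes that dependence. A zero-byte request now fails as well. If this is the body of `vm_alloc` (the function header is outside the hunk), a caller such as the `arrayP->len` allocation, which shows no zero check within its hunk, will report `SCAN_OUT_OF_MEMORY` for an empty array.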