--- xen-3.2-testing.hg/tools/ioemu/vnc.c.orig 2008-09-26 11:14:21.000000000 +0200
+++ xen-3.2-testing.hg/tools/ioemu/vnc.c 2008-09-26 11:37:25.000000000 +0200
@@ -329,13 +329,23 @@
 vnc_write_s32(vs, encoding);
 }
-
+static int mult_overflows(int x, int y)
+{
+ if (x<=0 || y<=0 || x*y<=0 || x>((unsigned int)(-1))/y)
+ return 1;
+ else return 0;
+}
 static void vnc_dpy_resize(DisplayState *ds, int w, int h)
 {
 int size_changed;
 VncState *vs = ds->opaque;
 int o;
+ if (mult_overflows(w, h) || mult_overflows(w*h, vs->depth) ||
+ mult_overflows(h, sizeof(vs->dirty_row[0])) {
+ fprintf(stderr, "vnc: suspicious vnc_dpy_resize arguments, exiting\n");
+ exit(1);
+ }
 ds->data = realloc(ds->data, w * h * vs->depth);
 vs->old_data = realloc(vs->old_data, w * h * vs->depth);
 vs->dirty_row = realloc(vs->dirty_row, h * sizeof(vs->dirty_row[0]));
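Review bot: In `mult_overflows`, the `x*y<=0` test performs the very signed multiplication it is meant to guard, which is undefined behaviour on overflow and may be folded away by the compiler, and the remaining bound `x>((unsigned int)(-1))/y` admits products up to UINT_MAX although `w * h * vs->depth` in the realloc calls below is presumably evaluated in `int` (the type of `vs->depth` is not visible in the hunk). A division-only check avoids both problems: `if (x <= 0 || y <= 0 || x > INT_MAX / y) return 1;`, which needs `<limits.h>` if the file does not already include it. The `w*h` passed as an argument in the second call in `vnc_dpy_resize` is only safe once that first check is sound. As shown, the `if (` in `vnc_dpy_resize` is also never closed before the `{`; the last condition should end `sizeof(vs->dirty_row[0]))) {`. The body of `vnc_dpy_resize` continues past the end of the hunk.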