diff -up cairo-1.2.4/src/cairo-pattern.c.alloc-overflow cairo-1.2.4/src/cairo-pattern.c
--- cairo-1.2.4/src/cairo-pattern.c.alloc-overflow	2006-08-18 10:20:16.000000000 -0400
+++ cairo-1.2.4/src/cairo-pattern.c	2007-11-28 11:18:25.000000000 -0500
@@ -596,7 +596,7 @@ _cairo_pattern_add_color_stop (cairo_gra
     cairo_fixed_t	   x;
     unsigned int	   i;
 
-    new_stops = realloc (pattern->stops, (pattern->n_stops + 1) *
+    new_stops = _cairo_realloc_ab (pattern->stops, (pattern->n_stops + 1),
 			 sizeof (pixman_gradient_stop_t));
     if (new_stops == NULL)
     {
diff -up cairo-1.2.4/src/cairo-directfb-surface.c.alloc-overflow cairo-1.2.4/src/cairo-directfb-surface.c
--- cairo-1.2.4/src/cairo-directfb-surface.c.alloc-overflow	2006-08-18 10:20:16.000000000 -0400
+++ cairo-1.2.4/src/cairo-directfb-surface.c	2007-11-28 11:18:25.000000000 -0500
@@ -1109,7 +1109,7 @@ _cairo_directfb_surface_set_clip_region 
             if( surface->clips )
                 free (surface->clips);
             
-            surface->clips = malloc (n_boxes * sizeof(DFBRegion));
+            surface->clips = _cairo_malloc_ab (n_boxes, sizeof(DFBRegion));
             if (!surface->clips) {
                 surface->n_clips = 0;
                 return CAIRO_STATUS_NO_MEMORY;
diff -up cairo-1.2.4/src/cairo-unicode.c.alloc-overflow cairo-1.2.4/src/cairo-unicode.c
--- cairo-1.2.4/src/cairo-unicode.c.alloc-overflow	2006-08-10 16:14:46.000000000 -0400
+++ cairo-1.2.4/src/cairo-unicode.c	2007-11-28 11:18:25.000000000 -0500
@@ -242,7 +242,7 @@ _cairo_utf8_to_ucs4 (const unsigned char
 	in = UTF8_NEXT_CHAR (in);
     }
 
-    str32 = malloc (sizeof (uint32_t) * (n_chars + 1));
+    str32 = _cairo_malloc_ab (n_chars + 1, sizeof (uint32_t));
     if (!str32)
 	return CAIRO_STATUS_NO_MEMORY;
 
@@ -309,7 +309,7 @@ _cairo_utf8_to_utf16 (const unsigned cha
 	in = UTF8_NEXT_CHAR (in);
     }
 
-    str16 = malloc (sizeof (uint16_t) * (n16 + 1));
+    str16 = _cairo_malloc_ab (n16 + 1, sizeof (uint16_t));
     if (!str16)
 	return CAIRO_STATUS_NO_MEMORY;
 
diff -up cairo-1.2.4/src/cairo-beos-surface.cpp.alloc-overflow cairo-1.2.4/src/cairo-beos-surface.cpp
--- cairo-1.2.4/src/cairo-beos-surface.cpp.alloc-overflow	2006-08-10 16:14:46.000000000 -0400
+++ cairo-1.2.4/src/cairo-beos-surface.cpp	2007-11-28 11:18:25.000000000 -0500
@@ -258,7 +258,7 @@ premultiply_rgba (unsigned char* data,
 		  int            height,
 		  int            stride)
 {
-    unsigned char* retdata = reinterpret_cast<unsigned char*>(malloc(stride * height));
+    unsigned char* retdata = reinterpret_cast<unsigned char*>(_cairo_malloc_ab(height, stride));
     if (!retdata)
 	return NULL;
 
@@ -321,7 +321,7 @@ _cairo_beos_bitmap_to_surface (BBitmap* 
 					bitmap->BytesPerRow());
     } else {
 	premultiplied = reinterpret_cast<unsigned char*>(
-					malloc(bitmap->BytesPerRow() * height));
+					_cairo_malloc_ab(bitmap->BytesPerRow(), height));
 	if (premultiplied)
 	    memcpy(premultiplied, bits, bitmap->BytesPerRow() * height);
     }
diff -up cairo-1.2.4/src/cairo-pdf-surface.c.alloc-overflow cairo-1.2.4/src/cairo-pdf-surface.c
--- cairo-1.2.4/src/cairo-pdf-surface.c.alloc-overflow	2006-08-18 19:11:58.000000000 -0400
+++ cairo-1.2.4/src/cairo-pdf-surface.c	2007-11-28 11:18:25.000000000 -0500
@@ -1077,7 +1077,7 @@ emit_pattern_stops (cairo_pdf_surface_t 
 
     function = _cairo_pdf_surface_new_object (surface);
 
-    allstops = malloc ((pattern->n_stops + 2) * sizeof (cairo_pdf_color_stop_t));
+    allstops = _cairo_malloc_ab ((pattern->n_stops + 2), sizeof (cairo_pdf_color_stop_t));
     if (allstops == NULL) {
 	_cairo_error (CAIRO_STATUS_NO_MEMORY);
 	function.id = 0;
@@ -1941,7 +1941,7 @@ _cairo_pdf_surface_emit_type3_font_subse
     cairo_matrix_t matrix;
     unsigned int i;
 
-    glyphs = malloc (font_subset->num_glyphs * sizeof (cairo_pdf_resource_t));
+    glyphs = _cairo_malloc_ab (font_subset->num_glyphs, sizeof (cairo_pdf_resource_t));
     if (glyphs == NULL) {
 	_cairo_surface_set_error (&surface->base, CAIRO_STATUS_NO_MEMORY);
 	return CAIRO_STATUS_NO_MEMORY;
diff -up cairo-1.2.4/src/cairo-win32-surface.c.alloc-overflow cairo-1.2.4/src/cairo-win32-surface.c
--- cairo-1.2.4/src/cairo-win32-surface.c.alloc-overflow	2006-08-10 16:14:46.000000000 -0400
+++ cairo-1.2.4/src/cairo-win32-surface.c	2007-11-28 11:18:25.000000000 -0500
@@ -127,7 +127,7 @@ _create_dc_and_bitmap (cairo_win32_surfa
     }
 
     if (num_palette > 2) {
-	bitmap_info = malloc (sizeof (BITMAPINFOHEADER) + num_palette * sizeof (RGBQUAD));
+	bitmap_info = _cairo_malloc_ab_plus_c (num_palette, sizeof(RGBQUAD), sizeof(BITMAPINFOHEADER));
 	if (!bitmap_info)
 	    return CAIRO_STATUS_NO_MEMORY;
     } else {
@@ -1038,8 +1038,8 @@ _cairo_win32_surface_show_glyphs (void		
     SetBkMode(dst->dc, TRANSPARENT);
 
     if (num_glyphs > STACK_GLYPH_SIZE) {
-	glyph_buf = (WORD *)malloc(num_glyphs * sizeof(WORD));
-	dx_buf = (int *)malloc(num_glyphs * sizeof(int));
+	glyph_buf = (WORD *)_cairo_malloc_ab(num_glyphs, sizeof(WORD));
+	dx_buf = (int *)_cairo_malloc_ab(num_glyphs, sizeof(int));
     }
 
     for (i = 0; i < num_glyphs; ++i) {
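Review bot: Neither `glyph_buf` nor `dx_buf` is checked for NULL between the two new allocations and the loop on the hunk's last line, and `_cairo_malloc_ab` now returns NULL on an overflowed size as well as on a failed malloc, so that path is reachable without memory pressure. Unless a check follows outside the hunk, add `if (!glyph_buf || !dx_buf) { free (glyph_buf); free (dx_buf); return CAIRO_STATUS_NO_MEMORY; }` right after the two assignments. The `rects` allocation in the `_cairo_atsui_font_old_show_glyphs` hunk has the same unchecked result. The body of `_cairo_win32_surface_show_glyphs` continues outside the hunk on both sides.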
diff -up cairo-1.2.4/src/cairo-scaled-font.c.alloc-overflow cairo-1.2.4/src/cairo-scaled-font.c
--- cairo-1.2.4/src/cairo-scaled-font.c.alloc-overflow	2006-08-18 10:20:16.000000000 -0400
+++ cairo-1.2.4/src/cairo-scaled-font.c	2007-11-28 11:18:25.000000000 -0500
@@ -779,7 +779,7 @@ _cairo_scaled_font_text_to_glyphs (cairo
     if (status)
 	return status;
 
-    *glyphs = (cairo_glyph_t *) malloc ((*num_glyphs) * (sizeof (cairo_glyph_t)));
+    *glyphs = (cairo_glyph_t *) _cairo_malloc_ab ((*num_glyphs), sizeof (cairo_glyph_t));
 
     if (*glyphs == NULL) {
 	status = CAIRO_STATUS_NO_MEMORY;
diff -up cairo-1.2.4/src/cairo-ft-font.c.alloc-overflow cairo-1.2.4/src/cairo-ft-font.c
--- cairo-1.2.4/src/cairo-ft-font.c.alloc-overflow	2006-08-18 10:20:16.000000000 -0400
+++ cairo-1.2.4/src/cairo-ft-font.c	2007-11-28 11:18:25.000000000 -0500
@@ -724,7 +724,7 @@ _get_bitmap_surface (FT_Bitmap		     *bi
 	    data = bitmap->buffer;
 	    assert (stride == bitmap->pitch);
 	} else {
-	    data = malloc (stride * height);
+ 	    data = _cairo_malloc_ab (height, stride);
 	    if (!data)
 		return CAIRO_STATUS_NO_MEMORY;
 
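Review bot: The added line `data = _cairo_malloc_ab (height, stride);` carries a stray space before its leading tab, so it no longer lines up with the `if (!data)` that follows; the same stray space appears in the second `_get_bitmap_surface` hunk, and the `offset_rects` line in `_cairo_surface_fallback_fill_rectangles` and the second `allocData` call in `pixman_rect_alloc` switch from tabs to spaces. Reindent those four lines to match their neighbours. Passing `height` and `stride` through the macro's `(unsigned)` casts also means a negative value is rejected as an overflow and reported as `CAIRO_STATUS_NO_MEMORY`, which is the right outcome but worth a short comment such as `/* negative stride/height is rejected by the unsigned overflow check */`. Both `_get_bitmap_surface` hunks sit inside a function that starts and ends outside the hunk.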
@@ -772,7 +772,7 @@ _get_bitmap_surface (FT_Bitmap		     *bi
 	    if (own_buffer) {
 		data = bitmap->buffer;
 	    } else {
-		data = malloc (stride * height);
+ 		data = _cairo_malloc_ab (height, stride);
 		if (!data)
 		    return CAIRO_STATUS_NO_MEMORY;
 		memcpy (data, bitmap->buffer, stride * height);
diff -up cairo-1.2.4/src/cairo-malloc-private.h.alloc-overflow cairo-1.2.4/src/cairo-malloc-private.h
--- cairo-1.2.4/src/cairo-malloc-private.h.alloc-overflow	2007-11-28 11:20:37.000000000 -0500
+++ cairo-1.2.4/src/cairo-malloc-private.h	2007-11-28 11:20:22.000000000 -0500
@@ -0,0 +1,141 @@
+/* -*- Mode: c; tab-width: 8; c-basic-offset: 4; indent-tabs-mode: t; -*- */
+/* Cairo - a vector graphics library with display and print output
+ *
+ * Copyright © 2007 Mozilla Corporation
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it either under the terms of the GNU Lesser General Public
+ * License version 2.1 as published by the Free Software Foundation
+ * (the "LGPL") or, at your option, under the terms of the Mozilla
+ * Public License Version 1.1 (the "MPL"). If you do not alter this
+ * notice, a recipient may use your version of this file under either
+ * the MPL or the LGPL.
+ *
+ * You should have received a copy of the LGPL along with this library
+ * in the file COPYING-LGPL-2.1; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the MPL along with this library
+ * in the file COPYING-MPL-1.1
+ *
+ * The contents of this file are subject to the Mozilla Public License
+ * Version 1.1 (the "License"); you may not use this file except in
+ * compliance with the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY
+ * OF ANY KIND, either express or implied. See the LGPL or the MPL for
+ * the specific language governing rights and limitations.
+ *
+ * The Original Code is the cairo graphics library.
+ *
+ * The Initial Developer of the Original Code is Mozilla Corporation
+ *
+ * Contributor(s):
+ *	Vladimir Vukicevic <vladimir@pobox.com>
+ */
+
+#ifndef CAIRO_MALLOC_PRIVATE_H
+#define CAIRO_MALLOC_PRIVATE_H
+
+#include "cairo-wideint-private.h"
+
+/**
+ * _cairo_malloc:
+ * @size: size in bytes
+ *
+ * Allocate @size memory using malloc().
+ * The memory should be freed using free().
+ * malloc is skipped, if 0 bytes are requested, and %NULL will be returned.
+ *
+ * Return value: A pointer to the newly allocated memory, or %NULL in
+ * case of malloc() failure or size is 0.
+ */
+
+#define _cairo_malloc(size) \
+   ((size) ? malloc((unsigned) (size)) : NULL)
+
+/**
+ * _cairo_malloc_ab:
+ * @n: number of elements to allocate
+ * @size: size of each element
+ *
+ * Allocates @n*@size memory using _cairo_malloc(), taking care to not
+ * overflow when doing the multiplication.  Behaves much like
+ * calloc(), except that the returned memory is not set to zero.
+ * The memory should be freed using free().
+ *
+ * @size should be a constant so that the compiler can optimize
+ * out a constant division.
+ *
+ * Return value: A pointer to the newly allocated memory, or %NULL in
+ * case of malloc() failure or overflow.
+ */
+
+#define _cairo_malloc_ab(a, size) \
+  ((size) && (unsigned) (a) >= INT32_MAX / (unsigned) (size) ? NULL : \
+   _cairo_malloc((unsigned) (a) * (unsigned) (size)))
+
+/**
+ * _cairo_realloc_ab:
+ * @ptr: original pointer to block of memory to be resized
+ * @n: number of elements to allocate
+ * @size: size of each element
+ *
+ * Reallocates @ptr a block of @n*@size memory using realloc(), taking
+ * care to not overflow when doing the multiplication.  The memory
+ * should be freed using free().
+ *
+ * @size should be a constant so that the compiler can optimize
+ * out a constant division.
+ *
+ * Return value: A pointer to the newly allocated memory, or %NULL in
+ * case of realloc() failure or overflow (whereupon the original block
+ * of memory * is left untouched).
+ */
+
+#define _cairo_realloc_ab(ptr, a, size) \
+  ((size) && (unsigned) (a) >= INT32_MAX / (unsigned) (size) ? NULL : \
+   realloc(ptr, (unsigned) (a) * (unsigned) (size)))
+
+/**
+ * _cairo_malloc_abc:
+ * @n: first factor of number of elements to allocate
+ * @b: second factor of number of elements to allocate
+ * @size: size of each element
+ *
+ * Allocates @n*@b*@size memory using _cairo_malloc(), taking care to not
+ * overflow when doing the multiplication.  Behaves like
+ * _cairo_malloc_ab().  The memory should be freed using free().
+ *
+ * @size should be a constant so that the compiler can optimize
+ * out a constant division.
+ *
+ * Return value: A pointer to the newly allocated memory, or %NULL in
+ * case of malloc() failure or overflow.
+ */
+
+#define _cairo_malloc_abc(a, b, size) \
+  ((b) && (unsigned) (a) >= INT32_MAX / (unsigned) (b) ? NULL : \
+   (size) && (unsigned) ((a)*(b)) >= INT32_MAX / (unsigned) (size) ? NULL : \
+   _cairo_malloc((unsigned) (a) * (unsigned) (b) * (unsigned) (size)))
+
+/**
+ * _cairo_malloc_ab_plus_c:
+ * @n: number of elements to allocate
+ * @size: size of each element
+ * @k: additional size to allocate
+ *
+ * Allocates @n*@ksize+@k memory using _cairo_malloc(), taking care to not
+ * overflow when doing the arithmetic.  Behaves like
+ * _cairo_malloc_ab().  The memory should be freed using free().
+ *
+ * Return value: A pointer to the newly allocated memory, or %NULL in
+ * case of malloc() failure or overflow.
+ */
+
+#define _cairo_malloc_ab_plus_c(n, size, k) \
+  ((size) && (unsigned) (n) >= INT32_MAX / (unsigned) (size) ? NULL : \
+   (unsigned) (k) >= INT32_MAX - (unsigned) (n) * (unsigned) (size) ? NULL : \
+   _cairo_malloc((unsigned) (n) * (unsigned) (size) + (unsigned) (k)))
+
+#endif /* CAIRO_MALLOC_PRIVATE_H */
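Review bot: The doc comments and the macro parameter lists disagree: `_cairo_malloc_ab`, `_cairo_realloc_ab` and `_cairo_malloc_abc` document `@n` but take `a`, the `_cairo_malloc_ab_plus_c` comment reads `@n*@ksize+@k` for a macro that has no `ksize`, and the `_cairo_realloc_ab` comment has a stray `*` in `memory * is left untouched`. Rename the documented parameters to the real ones (`@a: number of elements to allocate`) and write `Allocates @n*@size+@k memory`. Every macro also evaluates its arguments up to three times, which the callers in this patch rely on being side-effect free (the beos surface passes `bitmap->BytesPerRow()`), so each comment should carry one line such as `Arguments are evaluated more than once; pass only side-effect-free expressions.` `INT32_MAX` presumably reaches this header through cairo-wideint-private.h; if it does not, make the `<stdint.h>` (or the project's equivalent) include explicit here rather than relying on the including file.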
diff -up cairo-1.2.4/src/cairo-surface.c.alloc-overflow cairo-1.2.4/src/cairo-surface.c
--- cairo-1.2.4/src/cairo-surface.c.alloc-overflow	2006-08-18 10:20:16.000000000 -0400
+++ cairo-1.2.4/src/cairo-surface.c	2007-11-28 11:18:25.000000000 -0500
@@ -1180,7 +1180,7 @@ _cairo_surface_fill_region (cairo_surfac
     if (!num_rects)
 	return CAIRO_STATUS_SUCCESS;
 
-    rects = malloc (sizeof (pixman_rectangle_t) * num_rects);
+    rects = _cairo_malloc_ab (num_rects, sizeof (pixman_rectangle_t));
     if (!rects)
 	return CAIRO_STATUS_NO_MEMORY;
 
diff -up cairo-1.2.4/src/cairo-xlib-surface.c.alloc-overflow cairo-1.2.4/src/cairo-xlib-surface.c
--- cairo-1.2.4/src/cairo-xlib-surface.c.alloc-overflow	2007-11-28 11:18:25.000000000 -0500
+++ cairo-1.2.4/src/cairo-xlib-surface.c	2007-11-28 11:18:25.000000000 -0500
@@ -1498,7 +1498,7 @@ _create_trapezoid_mask (cairo_xlib_surfa
     mask_picture = _create_a8_picture (dst, &transparent, width, height, FALSE);
     solid_picture = _create_a8_picture (dst, &solid, width, height, TRUE);
 
-    offset_traps = malloc (sizeof (XTrapezoid) * num_traps);
+    offset_traps = _cairo_malloc_ab (num_traps, sizeof (XTrapezoid));
     if (!offset_traps)
 	return None;
 
@@ -1684,7 +1684,7 @@ _cairo_xlib_surface_set_clip_region (voi
 
 	n_boxes = pixman_region_num_rects (region);
 	if (n_boxes > 0) {
-	    rects = malloc (sizeof(XRectangle) * n_boxes);
+	    rects = _cairo_malloc_ab (n_boxes, sizeof(XRectangle));
 	    if (rects == NULL)
 		return CAIRO_STATUS_NO_MEMORY;
 	} else {
@@ -2514,7 +2514,7 @@ _cairo_xlib_surface_show_glyphs8  (cairo
 	elts = stack_elts;
 	chars = stack_chars;
     } else {
-	elts = malloc (num_glyphs * sizeof (XGlyphElt8) +
+	elts = _cairo_malloc_ab_plus_c (num_glyphs, sizeof (XGlyphElt8),
 		       num_glyphs * sizeof (unsigned char));
 	if (elts == NULL)
 	    return CAIRO_STATUS_NO_MEMORY;
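Review bot: The third argument `num_glyphs * sizeof (unsigned char)` is an unchecked product handed to `_cairo_malloc_ab_plus_c` as its plain `k` term; it is safe only because the macro evaluates `k` after its first test has bounded `num_glyphs` below `INT32_MAX / sizeof (XGlyphElt8)`, and the element type is presumably at least as large as the char type, and the same reasoning carries the `unsigned short` and `unsigned int` variants in the `_cairo_xlib_surface_show_glyphs16` and `_cairo_xlib_surface_show_glyphs32` hunks. That dependency on evaluation order and relative sizes deserves a comment at each call site, e.g. `/* the chars term cannot overflow: the macro has already bounded num_glyphs by the larger XGlyphElt size */`. The enclosing function starts and ends outside the hunk.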
@@ -2575,7 +2575,7 @@ _cairo_xlib_surface_show_glyphs16 (cairo
 	elts = stack_elts;
 	chars = stack_chars;
     } else {
-	elts = malloc (num_glyphs * sizeof (XGlyphElt16) +
+	elts = _cairo_malloc_ab_plus_c (num_glyphs, sizeof (XGlyphElt16),
 		       num_glyphs * sizeof (unsigned short));
 	if (elts == NULL)
 	    return CAIRO_STATUS_NO_MEMORY;
@@ -2636,7 +2636,7 @@ _cairo_xlib_surface_show_glyphs32 (cairo
 	elts = stack_elts;
 	chars = stack_chars;
     } else {
-	elts = malloc (num_glyphs * sizeof (XGlyphElt32) +
+	elts = _cairo_malloc_ab_plus_c (num_glyphs, sizeof (XGlyphElt32),
 		       num_glyphs * sizeof (unsigned int));
 	if (elts == NULL)
 	    return CAIRO_STATUS_NO_MEMORY;
@@ -2744,7 +2744,7 @@ _cairo_xlib_surface_show_glyphs (void   
     /* We make a copy of the glyphs so that we can elide any size-zero
      * glyphs to workaround an X server bug, (present in at least Xorg
      * 7.1 without EXA). */
-    output_glyphs = malloc (num_glyphs * sizeof (cairo_glyph_t));
+    output_glyphs = _cairo_malloc_ab (num_glyphs, sizeof (cairo_glyph_t));
     if (output_glyphs == NULL)
 	return CAIRO_STATUS_NO_MEMORY;
 
diff -up cairo-1.2.4/src/cairo-win32-font.c.alloc-overflow cairo-1.2.4/src/cairo-win32-font.c
--- cairo-1.2.4/src/cairo-win32-font.c.alloc-overflow	2006-08-18 10:20:16.000000000 -0400
+++ cairo-1.2.4/src/cairo-win32-font.c	2007-11-28 11:18:25.000000000 -0500
@@ -610,8 +610,8 @@ _cairo_win32_scaled_font_text_to_glyphs 
 	    dx = NULL;
 	}
 
-	glyph_indices = malloc (sizeof (WCHAR) * buffer_size);
-	dx = malloc (sizeof (int) * buffer_size);
+	glyph_indices = _cairo_malloc_ab (buffer_size, sizeof (WCHAR));
+	dx = _cairo_malloc_ab (buffer_size, sizeof (int));
 	if (!glyph_indices || !dx) {
 	    status = CAIRO_STATUS_NO_MEMORY;
 	    goto FAIL2;
@@ -642,7 +642,7 @@ _cairo_win32_scaled_font_text_to_glyphs 
     }
 
     *num_glyphs = gcp_results.nGlyphs;
-    *glyphs = malloc (sizeof (cairo_glyph_t) * gcp_results.nGlyphs);
+    *glyphs = _cairo_malloc_ab (gcp_results.nGlyphs, sizeof (cairo_glyph_t));
     if (!*glyphs) {
 	status = CAIRO_STATUS_NO_MEMORY;
 	goto FAIL2;
diff -up cairo-1.2.4/src/cairo-ps-surface.c.alloc-overflow cairo-1.2.4/src/cairo-ps-surface.c
--- cairo-1.2.4/src/cairo-ps-surface.c.alloc-overflow	2006-08-18 19:11:26.000000000 -0400
+++ cairo-1.2.4/src/cairo-ps-surface.c	2007-11-28 11:18:25.000000000 -0500
@@ -1918,7 +1918,7 @@ _cairo_ps_surface_stroke (void			*abstra
 	 * can modify some of the values.
 	 */
 	if (num_dashes % 2) {
-	    dash = malloc (2 * num_dashes * sizeof (double));
+	    dash = _cairo_malloc_abc (num_dashes, 2, sizeof (double));
 	    if (dash == NULL)
 		return CAIRO_STATUS_NO_MEMORY;
 
diff -up cairo-1.2.4/src/cairo-png.c.alloc-overflow cairo-1.2.4/src/cairo-png.c
--- cairo-1.2.4/src/cairo-png.c.alloc-overflow	2006-08-18 10:20:16.000000000 -0400
+++ cairo-1.2.4/src/cairo-png.c	2007-11-28 11:18:25.000000000 -0500
@@ -108,7 +108,7 @@ write_png (cairo_surface_t	*surface,
     else if (status != CAIRO_STATUS_SUCCESS)
 	return CAIRO_STATUS_SURFACE_TYPE_MISMATCH;
 
-    rows = malloc (image->height * sizeof(png_byte*));
+    rows = _cairo_malloc_ab (image->height, sizeof(png_byte*));
     if (rows == NULL) {
         status = CAIRO_STATUS_NO_MEMORY;
 	goto BAIL1;
@@ -398,11 +398,11 @@ read_png (png_rw_ptr	read_func,
     png_read_update_info (png, info);
 
     pixel_size = 4;
-    data = malloc (png_width * png_height * pixel_size);
+    data = _cairo_malloc_abc (png_height, png_width, pixel_size);
     if (data == NULL)
 	goto BAIL;
 
-    row_pointers = malloc (png_height * sizeof(char *));
+    row_pointers = _cairo_malloc_ab (png_height, sizeof(char *));
     if (row_pointers == NULL)
 	goto BAIL;
 
diff -up cairo-1.2.4/src/cairo-spline.c.alloc-overflow cairo-1.2.4/src/cairo-spline.c
--- cairo-1.2.4/src/cairo-spline.c.alloc-overflow	2006-08-10 16:14:46.000000000 -0400
+++ cairo-1.2.4/src/cairo-spline.c	2007-11-28 11:18:25.000000000 -0500
@@ -107,7 +107,7 @@ _cairo_spline_grow_by (cairo_spline_t *s
 	return CAIRO_STATUS_SUCCESS;
 
     spline->points_size = new_size;
-    new_points = realloc (spline->points, spline->points_size * sizeof (cairo_point_t));
+    new_points = _cairo_realloc_ab (spline->points, spline->points_size, sizeof (cairo_point_t));
 
     if (new_points == NULL) {
 	spline->points_size = old_size;
diff -up cairo-1.2.4/src/cairo-surface-fallback.c.alloc-overflow cairo-1.2.4/src/cairo-surface-fallback.c
--- cairo-1.2.4/src/cairo-surface-fallback.c.alloc-overflow	2006-08-10 16:14:46.000000000 -0400
+++ cairo-1.2.4/src/cairo-surface-fallback.c	2007-11-28 11:18:25.000000000 -0500
@@ -1086,7 +1086,7 @@ _cairo_surface_fallback_fill_rectangles 
     /* If the fetched image isn't at 0,0, we need to offset the rectangles */
 
     if (state.image_rect.x != 0 || state.image_rect.y != 0) {
-	offset_rects = malloc (sizeof (cairo_rectangle_int16_t) * num_rects);
+      offset_rects = _cairo_malloc_ab (num_rects, sizeof (cairo_rectangle_int16_t));
 	if (offset_rects == NULL) {
 	    status = CAIRO_STATUS_NO_MEMORY;
 	    goto DONE;
@@ -1142,7 +1142,7 @@ _cairo_surface_fallback_composite_trapez
     /* If the destination image isn't at 0,0, we need to offset the trapezoids */
 
     if (state.image_rect.x != 0 || state.image_rect.y != 0) {
-	offset_traps = malloc (sizeof (cairo_trapezoid_t) * num_traps);
+	offset_traps = _cairo_malloc_ab (num_traps, sizeof (cairo_trapezoid_t));
 	if (!offset_traps) {
 	    status = CAIRO_STATUS_NO_MEMORY;
 	    goto DONE;
diff -up cairo-1.2.4/src/cairo-gstate.c.alloc-overflow cairo-1.2.4/src/cairo-gstate.c
--- cairo-1.2.4/src/cairo-gstate.c.alloc-overflow	2006-08-18 10:20:16.000000000 -0400
+++ cairo-1.2.4/src/cairo-gstate.c	2007-11-28 11:18:25.000000000 -0500
@@ -508,7 +508,7 @@ _cairo_gstate_set_dash (cairo_gstate_t *
 	return CAIRO_STATUS_SUCCESS;
     }
 
-    gstate->stroke_style.dash = malloc (gstate->stroke_style.num_dashes * sizeof (double));
+    gstate->stroke_style.dash = _cairo_malloc_ab (gstate->stroke_style.num_dashes, sizeof (double));
     if (gstate->stroke_style.dash == NULL) {
 	gstate->stroke_style.num_dashes = 0;
 	return CAIRO_STATUS_NO_MEMORY;
@@ -1430,7 +1430,7 @@ _cairo_gstate_show_glyphs (cairo_gstate_
     if (status)
 	return status;
 
-    transformed_glyphs = malloc (num_glyphs * sizeof(cairo_glyph_t));
+    transformed_glyphs = _cairo_malloc_ab (num_glyphs, sizeof(cairo_glyph_t));
     if (transformed_glyphs == NULL)
 	return CAIRO_STATUS_NO_MEMORY;
 
@@ -1473,7 +1473,7 @@ _cairo_gstate_glyph_path (cairo_gstate_t
     if (status)
 	return status;
 
-    transformed_glyphs = malloc (num_glyphs * sizeof(cairo_glyph_t));
+    transformed_glyphs = _cairo_malloc_ab (num_glyphs, sizeof(cairo_glyph_t));
     if (transformed_glyphs == NULL)
 	return CAIRO_STATUS_NO_MEMORY;
 
diff -up cairo-1.2.4/src/cairo-traps.c.alloc-overflow cairo-1.2.4/src/cairo-traps.c
--- cairo-1.2.4/src/cairo-traps.c.alloc-overflow	2006-08-10 16:14:46.000000000 -0400
+++ cairo-1.2.4/src/cairo-traps.c	2007-11-28 11:18:25.000000000 -0500
@@ -205,7 +205,7 @@ _cairo_traps_grow_by (cairo_traps_t *tra
     }
 
     traps->traps_size = new_size;
-    new_traps = realloc (traps->traps, traps->traps_size * sizeof (cairo_trapezoid_t));
+    new_traps = _cairo_realloc_ab (traps->traps, traps->traps_size, sizeof (cairo_trapezoid_t));
 
     if (new_traps == NULL) {
 	traps->traps_size = old_size;
diff -up cairo-1.2.4/src/cairo-meta-surface.c.alloc-overflow cairo-1.2.4/src/cairo-meta-surface.c
--- cairo-1.2.4/src/cairo-meta-surface.c.alloc-overflow	2006-08-18 10:20:16.000000000 -0400
+++ cairo-1.2.4/src/cairo-meta-surface.c	2007-11-28 11:18:25.000000000 -0500
@@ -435,7 +435,7 @@ _cairo_meta_surface_show_glyphs (void			
     if (status)
 	goto CLEANUP_COMMAND;
 
-    command->glyphs = malloc (sizeof (cairo_glyph_t) * num_glyphs);
+    command->glyphs = _cairo_malloc_ab (num_glyphs, sizeof (cairo_glyph_t));
     if (command->glyphs == NULL) {
 	status = CAIRO_STATUS_NO_MEMORY;
 	goto CLEANUP_SOURCE;
@@ -726,7 +726,7 @@ _cairo_meta_surface_replay (cairo_surfac
 	    int i, num_glyphs = command->show_glyphs.num_glyphs;
 
 	    if (has_device_transform) {
-		dev_glyphs = malloc (sizeof (cairo_glyph_t) * num_glyphs);
+		dev_glyphs = _cairo_malloc_ab (num_glyphs, sizeof (cairo_glyph_t));
 		if (dev_glyphs == NULL) {
 		    status = CAIRO_STATUS_NO_MEMORY;
 		    break;
diff -up cairo-1.2.4/src/cairo-xcb-surface.c.alloc-overflow cairo-1.2.4/src/cairo-xcb-surface.c
--- cairo-1.2.4/src/cairo-xcb-surface.c.alloc-overflow	2006-08-18 10:20:16.000000000 -0400
+++ cairo-1.2.4/src/cairo-xcb-surface.c	2007-11-28 11:18:25.000000000 -0500
@@ -379,7 +379,7 @@ _get_image_surface (cairo_xcb_surface_t 
     bpp = _bits_per_pixel(surface->dpy, imagerep->depth);
     bytes_per_line = _bytes_per_line(surface->dpy, surface->width, bpp);
 
-    data = malloc (bytes_per_line * surface->height);
+    data = _cairo_malloc_ab (surface->height, bytes_per_line);
     if (data == NULL) {
 	free (imagerep);
 	return CAIRO_STATUS_NO_MEMORY;
@@ -999,7 +999,7 @@ _cairo_xcb_surface_set_clip_region (void
 
 	n_boxes = pixman_region_num_rects (region);
 	if (n_boxes > 0) {
-	    rects = malloc (sizeof(XCBRECTANGLE) * n_boxes);
+	    rects = _cairo_malloc_ab (n_boxes, sizeof(xcb_rectangle_t));
 	    if (rects == NULL)
 		return CAIRO_STATUS_NO_MEMORY;
 	} else {
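Review bot: The new line replaces `sizeof(XCBRECTANGLE)` with `sizeof(xcb_rectangle_t)`, an API type rename that has nothing to do with the overflow fix; nothing else in this patch moves the file to the renamed xcb types, so unless the rest of cairo-xcb-surface.c already uses `xcb_rectangle_t` (not visible here) this will not compile against the headers the removed line targeted. Keep the type the surrounding code uses: `rects = _cairo_malloc_ab (n_boxes, sizeof(XCBRECTANGLE));`. `_cairo_xcb_surface_set_clip_region` continues outside the hunk.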
diff -up cairo-1.2.4/src/cairo-glitz-surface.c.alloc-overflow cairo-1.2.4/src/cairo-glitz-surface.c
--- cairo-1.2.4/src/cairo-glitz-surface.c.alloc-overflow	2006-08-10 16:14:46.000000000 -0400
+++ cairo-1.2.4/src/cairo-glitz-surface.c	2007-11-28 11:18:25.000000000 -0500
@@ -196,7 +196,7 @@ _cairo_glitz_surface_get_image (cairo_gl
     pf.bytes_per_line = (((width * format.bpp) / 8) + 3) & -4;
     pf.scanline_order = GLITZ_PIXEL_SCANLINE_ORDER_TOP_DOWN;
 
-    pixels = malloc (height * pf.bytes_per_line);
+    pixels = _cairo_malloc_ab (height, pf.bytes_per_line);
     if (!pixels)
 	return CAIRO_STATUS_NO_MEMORY;
 
@@ -593,8 +593,22 @@ _cairo_glitz_pattern_acquire_surface (ca
 
 	n_params = gradient->n_stops * 3 + n_base_params;
 
-	data = malloc (sizeof (glitz_fixed16_16_t) * n_params +
-		       sizeof (unsigned int) * gradient->n_stops);
+        /* check for int overflow */
+        {
+            int size1, size2;
+            if (n_params >= INT32_MAX / sizeof (glitz_fixed16_16_t) ||
+                gradient->n_stops >= INT32_MAX / sizeof (unsigned int))
+                return CAIRO_STATUS_NO_MEMORY;
+
+            size1 = n_params * sizeof (glitz_fixed16_16_t);
+            size2 = gradient->n_stops * sizeof (unsigned int);
+
+            if (size1 >= INT32_MAX - size2)
+                return CAIRO_STATUS_NO_MEMORY;
+
+            data = malloc (size1 + size2);
+        }
+
 	if (!data)
 	    return CAIRO_STATUS_NO_MEMORY;
 
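Review bot: The hand-written overflow check stores the `size_t` products `n_params * sizeof (glitz_fixed16_16_t)` and `gradient->n_stops * sizeof (unsigned int)` into `int size1, size2`, narrowing them right after proving they fit below INT32_MAX and then comparing them in signed arithmetic; the same shape recurs in the `_cairo_glitz_surface_old_show_glyphs` hunk. Declare them `size_t size1, size2;` so the comparisons stay unsigned, and indent the new block with tabs like the lines around it (it uses eight spaces). `n_params` is computed on the line above the block from `gradient->n_stops * 3`, before the `n_stops` bound is tested; that is harmless because the second test still rejects the out-of-range `n_stops`, but computing `n_params` after the check would make that obvious. The enclosing function starts and ends outside the hunk.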
@@ -1922,9 +1936,19 @@ _cairo_glitz_surface_old_show_glyphs (ca
     if (num_glyphs > N_STACK_BUF)
     {
 	char *data;
+        int size1, size2;
+
+        if (num_glyphs >= INT32_MAX / sizeof(void*) ||
+            num_glyphs >= INT32_MAX / sizeof(glitz_float_t) ||
+            (num_glyphs * sizeof(glitz_float_t)) >= INT32_MAX / 16)
+            goto FAIL1;
+
+        size1 = num_glyphs * sizeof(void *);
+        size2 = num_glyphs * sizeof(glitz_float_t) * 16;
+        if (size1 >= INT32_MAX - size2)
+            goto FAIL1;
 
-	data = malloc (num_glyphs * sizeof (void *) +
-		       num_glyphs * sizeof (glitz_float_t) * 16);
+	data = malloc (size1 + size2);
 	if (!data)
 	    goto FAIL1;
 
diff -up cairo-1.2.4/src/cairo-atsui-font.c.alloc-overflow cairo-1.2.4/src/cairo-atsui-font.c
--- cairo-1.2.4/src/cairo-atsui-font.c.alloc-overflow	2006-08-18 10:20:16.000000000 -0400
+++ cairo-1.2.4/src/cairo-atsui-font.c	2007-11-28 11:18:25.000000000 -0500
@@ -532,7 +532,7 @@ _cairo_atsui_font_text_to_glyphs (void		
 
     *num_glyphs = glyphCount - 1;
     *glyphs =
-	(cairo_glyph_t *) malloc(*num_glyphs * (sizeof (cairo_glyph_t)));
+	(cairo_glyph_t *) _cairo_malloc_ab(*num_glyphs, sizeof (cairo_glyph_t));
     if (*glyphs == NULL) {
 	return CAIRO_STATUS_NO_MEMORY;
     }
@@ -651,7 +651,7 @@ _cairo_atsui_font_old_show_glyphs (void	
 	     * the cleanup needed in this function?
 	     */
 	    if (num_boxes > 10)
-		rects = malloc (sizeof (CGRect) * num_boxes);
+		rects = _cairo_malloc_ab (num_boxes, sizeof (CGRect));
 	    else
 		rects = stack_rects;
 
diff -up cairo-1.2.4/src/cairo-polygon.c.alloc-overflow cairo-1.2.4/src/cairo-polygon.c
--- cairo-1.2.4/src/cairo-polygon.c.alloc-overflow	2006-08-10 16:14:46.000000000 -0400
+++ cairo-1.2.4/src/cairo-polygon.c	2007-11-28 11:18:25.000000000 -0500
@@ -78,7 +78,7 @@ _cairo_polygon_grow_by (cairo_polygon_t 
     }
 
     polygon->edges_size = new_size;
-    new_edges = realloc (polygon->edges, polygon->edges_size * sizeof (cairo_edge_t));
+    new_edges = _cairo_realloc_ab (polygon->edges, polygon->edges_size, sizeof (cairo_edge_t));
 
     if (new_edges == NULL) {
 	polygon->edges_size = old_size;
diff -up cairo-1.2.4/src/cairoint.h.alloc-overflow cairo-1.2.4/src/cairoint.h
--- cairo-1.2.4/src/cairoint.h.alloc-overflow	2006-08-18 10:20:16.000000000 -0400
+++ cairo-1.2.4/src/cairoint.h	2007-11-28 11:18:25.000000000 -0500
@@ -197,6 +197,7 @@ do {					\
 #define CAIRO_REF_COUNT_INVALID ((unsigned int) -1)
 
 #include "cairo-wideint-private.h"
+#include "cairo-malloc-private.h"
 
 typedef int32_t		cairo_fixed_16_16_t;
 typedef cairo_int64_t	cairo_fixed_32_32_t;
diff -up cairo-1.2.4/src/cairo-pen.c.alloc-overflow cairo-1.2.4/src/cairo-pen.c
--- cairo-1.2.4/src/cairo-pen.c.alloc-overflow	2006-08-10 16:14:46.000000000 -0400
+++ cairo-1.2.4/src/cairo-pen.c	2007-11-28 11:18:25.000000000 -0500
@@ -80,7 +80,7 @@ _cairo_pen_init (cairo_pen_t	*pen,
 						    radius,
 						    ctm);
 
-    pen->vertices = malloc (pen->num_vertices * sizeof (cairo_pen_vertex_t));
+    pen->vertices = _cairo_malloc_ab (pen->num_vertices, sizeof (cairo_pen_vertex_t));
     if (pen->vertices == NULL) {
 	return CAIRO_STATUS_NO_MEMORY;
     }
@@ -121,7 +121,7 @@ _cairo_pen_init_copy (cairo_pen_t *pen, 
     *pen = *other;
 
     if (pen->num_vertices) {
-	pen->vertices = malloc (pen->num_vertices * sizeof (cairo_pen_vertex_t));
+	pen->vertices = _cairo_malloc_ab (pen->num_vertices, sizeof (cairo_pen_vertex_t));
 	if (pen->vertices == NULL) {
 	    return CAIRO_STATUS_NO_MEMORY;
 	}
@@ -139,7 +139,7 @@ _cairo_pen_add_points (cairo_pen_t *pen,
     int i;
 
     num_vertices = pen->num_vertices + num_points;
-    vertices = realloc (pen->vertices, num_vertices * sizeof (cairo_pen_vertex_t));
+    vertices = _cairo_realloc_ab (pen->vertices, num_vertices, sizeof (cairo_pen_vertex_t));
     if (vertices == NULL)
 	return CAIRO_STATUS_NO_MEMORY;
 
diff -up cairo-1.2.4/src/cairo-scaled-font-subsets.c.alloc-overflow cairo-1.2.4/src/cairo-scaled-font-subsets.c
--- cairo-1.2.4/src/cairo-scaled-font-subsets.c.alloc-overflow	2006-08-18 10:20:16.000000000 -0400
+++ cairo-1.2.4/src/cairo-scaled-font-subsets.c	2007-11-28 11:18:25.000000000 -0500
@@ -368,7 +368,7 @@ _cairo_scaled_font_subsets_foreach (cair
     cairo_sub_font_collection_t collection;
 
     collection.glyphs_size = font_subsets->max_glyphs_per_subset_used;
-    collection.glyphs = malloc (collection.glyphs_size * sizeof(unsigned long));
+    collection.glyphs = _cairo_malloc_ab (collection.glyphs_size, sizeof(unsigned long));
     if (collection.glyphs == NULL)
 	return CAIRO_STATUS_NO_MEMORY;
 
diff -up cairo-1.2.4/pixman/src/pixregion.c.alloc-overflow cairo-1.2.4/pixman/src/pixregion.c
--- cairo-1.2.4/pixman/src/pixregion.c.alloc-overflow	2006-08-18 10:20:16.000000000 -0400
+++ cairo-1.2.4/pixman/src/pixregion.c	2007-11-28 11:18:25.000000000 -0500
@@ -49,6 +49,7 @@ SOFTWARE.
 #include <limits.h>
 #include <string.h>
 
+#include "icint.h"
 #include "pixregionint.h"
 #include "slim_internal.h"
 
@@ -162,7 +163,31 @@ slim_hidden_proto(pixman_region_union)
         ((r1)->y1 <= (r2)->y1) && \
         ((r1)->y2 >= (r2)->y2) )
 
-#define allocData(n) malloc(PIXREGION_SZOF(n))
+static size_t
+PIXREGION_SZOF(size_t n)
+{
+    size_t size = n * sizeof(pixman_box16_t);
+    if (n > UINT32_MAX / sizeof(pixman_box16_t))
+	return 0;
+
+    if (sizeof(pixman_region16_data_t) > UINT32_MAX - size)
+	return 0;
+
+    return size + sizeof(pixman_region16_data_t);
+}
+
+static void
+allocData(size_t n, void **data)
+{
+    size_t sz = PIXREGION_SZOF(n);
+    if (!sz) {
+	*data = NULL;
+	return;
+    }
+
+    *data = malloc(sz);
+}
+
 #define freeData(reg) if ((reg)->data && (reg)->data->size) free((reg)->data)
 
 #define RECTALLOC_BAIL(pReg,n,bail) \
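Review bot: `PIXREGION_SZOF` forms `size = n * sizeof(pixman_box16_t)` before the `n > UINT32_MAX / sizeof(pixman_box16_t)` guard, so the product is computed first and only then discarded; it wraps rather than traps because `size_t` is unsigned, but moving the multiplication below the guard reads correctly and leaves nothing for a reviewer to re-derive. `allocData` now returns through a `void **` out-parameter, and every caller in this patch passes `(void **) &region->data` or `(void **) &dst->data`, writing a `pixman_region16_data_t *` object through an incompatible pointer type; returning the pointer instead keeps the original `region->data = allocData(n);` call shape in `pixman_rect_alloc` and `pixman_region_copy` and removes the cast. The `UINT32_MAX` bound rather than `SIZE_MAX` is merely conservative on LP64 and can stay.
```c
static size_t
PIXREGION_SZOF(size_t n)
{
    size_t size;

    if (n > UINT32_MAX / sizeof(pixman_box16_t))
	return 0;
    size = n * sizeof(pixman_box16_t);

    if (sizeof(pixman_region16_data_t) > UINT32_MAX - size)
	return 0;

    return size + sizeof(pixman_region16_data_t);
}

static void *
allocData(size_t n)
{
    size_t sz = PIXREGION_SZOF(n);

    return sz ? malloc(sz) : NULL;
}
/* … unchanged: freeData and RECTALLOC_BAIL macros … */
```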
@@ -199,7 +224,10 @@ if (!(pReg)->data || (((pReg)->data->num
 if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \
 {									 \
     pixman_region16_data_t * NewData;							 \
-    NewData = (pixman_region16_data_t *)realloc((reg)->data, PIXREGION_SZOF(numRects));	 \
+    size_t data_size = PIXREGION_SZOF(numRects);			 \
+    if (!data_size)							 \
+      goto bail;							 \
+    NewData = (pixman_region16_data_t *)realloc((reg)->data, data_size); \
     if (NewData)							 \
     {									 \
 	NewData->size = (numRects);					 \
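Review bot: The `goto bail;` added inside `DOWNSIZE` makes the macro compile only in functions that define a `bail` label, which this patch adds to `pixman_op` with a body that just returns success; since a downsize is a best-effort shrink (the existing code already tolerates `realloc` returning NULL by keeping the larger block), a zero `data_size` can be handled the same way without the hidden label dependency, by wrapping the realloc in `if (data_size) {` instead of `if (!data_size) goto bail;`. In practice `numRects` is below the already-allocated `size`, so the zero return is unreachable here, which argues further for the quiet skip. Any other user of `DOWNSIZE` outside this hunk would otherwise fail to build or jump to an unrelated `bail`. The macro continues past the end of the hunk.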
@@ -390,11 +418,12 @@ static pixman_region_status_t
 pixman_rect_alloc(pixman_region16_t * region, int n)
 {
     pixman_region16_data_t *data;
+    size_t data_size;
 
     if (!region->data)
     {
 	n++;
-	region->data = allocData(n);
+	allocData(n, (void **) &region->data);
 	if (!region->data)
 	    return pixman_break (region);
 	region->data->numRects = 1;
@@ -402,7 +431,7 @@ pixman_rect_alloc(pixman_region16_t * re
     }
     else if (!region->data->size)
     {
-	region->data = allocData(n);
+      allocData(n, (void **) &region->data);
 	if (!region->data)
 	    return pixman_break (region);
 	region->data->numRects = 0;
@@ -416,7 +445,10 @@ pixman_rect_alloc(pixman_region16_t * re
 		n = 250;
 	}
 	n += region->data->numRects;
-	data = (pixman_region16_data_t *)realloc(region->data, PIXREGION_SZOF(n));
+	data_size = PIXREGION_SZOF(n);
+	if (!data_size)
+	    return pixman_break (region);
+	data = (pixman_region16_data_t *)realloc(region->data, data_size);
 	if (!data)
 	    return pixman_break (region);
 	region->data = data;
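Review bot: The overflow check on `data_size = PIXREGION_SZOF(n);` comes one statement too late: `n += region->data->numRects;` two lines above is plain `int` arithmetic (the hunk header shows `int n`), so if `numRects` is large the addition can overflow before PIXREGION_SZOF sees the value, and signed overflow is undefined rather than a wrap the check could catch. Guarding the addition first, e.g. `if (n > INT_MAX - region->data->numRects) return pixman_break (region);` (needs <limits.h>; assumes `numRects` is non-negative and no wider than int — its declaration is not visible here), closes that gap. Returning `pixman_break (region)` on the zero-size path leaves `region->data` pointing at the old, still-valid allocation, which matches what the existing realloc-failure path below does. pixman_rect_alloc continues outside the hunk.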
@@ -442,7 +474,7 @@ pixman_region_copy(pixman_region16_t *ds
     if (!dst->data || (dst->data->size < src->data->numRects))
     {
 	freeData(dst);
-	dst->data = allocData(src->data->numRects);
+	allocData(src->data->numRects, (void **) &dst->data);
 	if (!dst->data)
 	    return pixman_break (dst);
 	dst->data->size = src->data->numRects;
@@ -845,8 +877,10 @@ pixman_op(
 	AppendRegions(newReg, r2BandEnd, r2End);
     }
 
-    if (oldData)
+    if (oldData) {
 	free(oldData);
+	oldData = NULL;
+    }
 
     if (!(numRects = newReg->data->numRects))
     {
@@ -864,6 +898,7 @@ pixman_op(
 	DOWNSIZE(newReg, numRects);
     }
 
+bail:
     return PIXMAN_REGION_STATUS_SUCCESS;
 }
 
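Review bot: The `bail:` label added immediately before `return PIXMAN_REGION_STATUS_SUCCESS;` is reached only from the `goto bail` that this patch puts inside the DOWNSIZE macro, so an overflow while computing the shrunk size reports success. That is defensible — `newReg` is still intact, merely not shrunk — but nothing at the label says so, and a reader seeing a bare label in front of a success return will assume an error path was lost. A comment such as `/* bail: DOWNSIZE jumps here if the shrunk size overflows; newReg is valid, just not shrunk */` records the intent. pixman_op's body begins outside this hunk.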
@@ -1499,7 +1534,7 @@ pixman_region_validate(pixman_region16_t
 
     /* Set up the first region to be the first rectangle in badreg */
     /* Note that step 2 code will never overflow the ri[0].reg rects array */
-    ri = (RegionInfo *) malloc(4 * sizeof(RegionInfo));
+    ri = (RegionInfo *) _pixman_malloc_ab(4, sizeof(RegionInfo));
     if (!ri)
 	return pixman_break (badreg);
     sizeRI = 4;
@@ -1561,9 +1596,13 @@ pixman_region_validate(pixman_region16_t
 	/* Uh-oh.  No regions were appropriate.  Create a new one. */
 	if (sizeRI == numRI)
 	{
+	    size_t data_size;
 	    /* Oops, allocate space for new region information */
 	    sizeRI <<= 1;
-	    rit = (RegionInfo *) realloc(ri, sizeRI * sizeof(RegionInfo));
+	    data_size = sizeRI * sizeof(RegionInfo);
+	    if (data_size / sizeRI != sizeof(RegionInfo))
+		goto bail;
+	    rit = (RegionInfo *) realloc(ri, data_size);
 	    if (!rit)
 		goto bail;
 	    ri = rit;
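Review bot: `data_size = sizeRI * sizeof(RegionInfo);` followed by `if (data_size / sizeRI != sizeof(RegionInfo))` detects wrap-around after the fact, which is the opposite idiom from the pre-multiplication checks the rest of this patch introduces (`_pixman_malloc_ab`, PIXREGION_SZOF), and the `sizeRI <<= 1;` just above it is unguarded — if `sizeRI` is an `int` (its declaration is outside the hunk) that shift overflows first, which is undefined. Checking before multiplying, `if ((size_t) sizeRI > UINT32_MAX / sizeof(RegionInfo)) goto bail;` and then computing `data_size`, keeps one idiom throughout and moves the guard ahead of the arithmetic. Taking `bail` here leaves `ri` to whatever the existing `bail:` path does, the same as the realloc-failure `goto bail` two lines below. pixman_region_validate continues outside the hunk.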
@@ -1665,7 +1704,7 @@ pixman_region_rectsToRegion(nrects, prec
 	}
 	return region;
     }
-    pData = allocData(nrects);
+    allocData(nrects, &pData);
     if (!pData)
     {
 	pixman_break (region);
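Review bot: `allocData(nrects, &pData);` passes `&pData` with no `(void **)` cast, unlike the `(void **) &region->data` form used in the pixman_rect_alloc hunks of this file; unless `pData` is declared `void *` (its declaration is above the hunk), a `pixman_region16_data_t **` does not convert implicitly to `void **` and the compiler will warn about incompatible pointer types (an error under `-pedantic-errors`). The same applies to `allocData(src->data->numRects, &dst->data);` in the last hunk of this file, where `dst->data` is the typed region data pointer. Either cast at every call site or, better, have allocData return the pointer so no casts are needed anywhere. pixman_region_rectsToRegion continues outside the hunk.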
@@ -2173,7 +2212,7 @@ pixman_region16_data_copy(pixman_region1
     if (!dst->data || (dst->data->size < src->data->numRects))
     {
 	freeData(dst);
-	dst->data = allocData(src->data->numRects);
+	allocData(src->data->numRects, &dst->data);
 	if (!dst->data)
 	    return pixman_break (dst);
     }
diff -up cairo-1.2.4/pixman/src/icint.h.alloc-overflow cairo-1.2.4/pixman/src/icint.h
--- cairo-1.2.4/pixman/src/icint.h.alloc-overflow	2006-08-10 16:14:45.000000000 -0400
+++ cairo-1.2.4/pixman/src/icint.h	2007-11-28 11:18:25.000000000 -0500
@@ -1099,4 +1099,20 @@ typedef	xFixed_16_16	xFixed;
 		       (*((a)+2) = (CARD8) ((v) >> 16))))
 #endif
 
+/* Allocation helpers */
+
+#define _pixman_malloc_ab(n, size) \
+  ((unsigned) (n) >= INT32_MAX / (unsigned) (size) ? NULL : \
+   malloc((unsigned) (n) * (unsigned) (size)))
+
+#define _pixman_malloc_abc(a, b, size) \
+  ((unsigned) (a) >= INT32_MAX / (unsigned) (b) ? NULL : \
+   (unsigned) ((a)*(b)) >= INT32_MAX / (unsigned) (size) ? NULL : \
+   malloc((unsigned) (a) * (unsigned) (b) * (unsigned) size))
+
+#define _pixman_malloc_ab_plus_c(n, size, k) \
+  ((unsigned) (n) >= INT32_MAX / (unsigned) (size) ? NULL : \
+   (unsigned) (k) >= INT32_MAX - (unsigned) (n) * (unsigned) (size) ? NULL : \
+   malloc((unsigned) (n) * (unsigned) (size) + (unsigned) (k)))
+
 #endif /* _ICINT_H_ */
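Review bot: In `_pixman_malloc_abc` the final operand `malloc((unsigned) (a) * (unsigned) (b) * (unsigned) size)` leaves `size` unparenthesised, so a compound argument would bind only its first operand to the cast; the other two macros parenthesise every argument, and this one should read `(unsigned) (size)`. Each argument is also evaluated two or three times, which is harmless for the `sizeof`/variable arguments this patch passes but will surprise a future caller; a comment above the block such as `/* arguments are evaluated more than once; pass side-effect-free expressions. size must be non-zero (it is a divisor). */` records both constraints. Comparing against `INT32_MAX` in `unsigned` arithmetic is conservative but sound: every product is bounded below 2^31, so the 32-bit `unsigned` multiplication cannot wrap before reaching `malloc`.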
diff -up cairo-1.2.4/pixman/src/pixregionint.h.alloc-overflow cairo-1.2.4/pixman/src/pixregionint.h
--- cairo-1.2.4/pixman/src/pixregionint.h.alloc-overflow	2006-08-10 16:14:45.000000000 -0400
+++ cairo-1.2.4/pixman/src/pixregionint.h	2007-11-28 11:18:25.000000000 -0500
@@ -75,6 +75,5 @@ typedef struct pixman_region16_point {
 #define PIXREGION_BOX(reg,i) (&PIXREGION_BOXPTR(reg)[i])
 #define PIXREGION_TOP(reg) PIXREGION_BOX(reg, (reg)->data->numRects)
 #define PIXREGION_END(reg) PIXREGION_BOX(reg, (reg)->data->numRects - 1)
-#define PIXREGION_SZOF(n) (sizeof(pixman_region16_data_t) + ((n) * sizeof(pixman_box16_t)))
 
 #endif /* _PIXREGIONINT_H_ */
diff -up cairo-1.2.4/pixman/src/pixman.h.alloc-overflow cairo-1.2.4/pixman/src/pixman.h
--- cairo-1.2.4/pixman/src/pixman.h.alloc-overflow	2006-08-18 10:20:16.000000000 -0400
+++ cairo-1.2.4/pixman/src/pixman.h	2007-11-28 11:18:25.000000000 -0500
@@ -93,6 +93,13 @@ SOFTWARE.
   typedef unsigned __int32 uint32_t;
   typedef __int64 int64_t;
   typedef unsigned __int64 uint64_t;
+
+# ifndef UINT16_MAX
+#  define UINT16_MAX	(65535)
+# endif
+# ifndef UINT32_MAX
+#  define UINT32_MAX	(0xffffffffU)
+# endif
 #else
 #error Cannot find definitions for fixed-width integral types (uint8_t, uint32_t, etc.)
 #endif
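Review bot: The fallback block defines `UINT16_MAX` and `UINT32_MAX` for the branch where the fixed-width types come from the compiler's `__int32`/`__int64` typedefs, but the new `_pixman_malloc_ab` family in icint.h compares against `INT32_MAX`, which receives no fallback here; a toolchain that takes this branch without <stdint.h> would then fail to compile those macros. Adding `# ifndef INT32_MAX` / `#  define INT32_MAX (2147483647)` / `# endif` alongside the other two keeps the set complete for the constants this patch actually uses.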
diff -up cairo-1.2.4/pixman/src/fbcompose.c.alloc-overflow cairo-1.2.4/pixman/src/fbcompose.c
--- cairo-1.2.4/pixman/src/fbcompose.c.alloc-overflow	2006-08-18 10:20:16.000000000 -0400
+++ cairo-1.2.4/pixman/src/fbcompose.c	2007-11-28 11:18:25.000000000 -0500
@@ -3545,7 +3545,7 @@ static void fbFetchExternalAlpha(Picture
     }
 
     if (width > SCANLINE_BUFFER_LENGTH)
-        alpha_buffer = (CARD32 *) malloc(width*sizeof(CARD32));
+        alpha_buffer = (CARD32 *) _pixman_malloc_ab (width, sizeof(CARD32));
 
     fbFetchTransformed(pict, x, y, width, buffer, mask, maskBits);
     fbFetchTransformed(pict->alphaMap, x - pict->alphaOrigin.x,
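Review bot: `alpha_buffer = (CARD32 *) _pixman_malloc_ab (width, sizeof(CARD32));` is not tested for NULL within the hunk, and the new macro now yields NULL for an over-large `width` as well as on allocation failure, so execution proceeds into the fetch calls with a null buffer unless a check exists further down (fbFetchExternalAlpha continues outside the hunk — worth confirming). Since the function is `static void`, a check inside the same `if` body, `if (!alpha_buffer) return;` after the assignment, would be enough. The same unchecked pattern appears at `scanline_buffer = (CARD32 *) _pixman_malloc_abc (width, 3, sizeof(CARD32));` in the next hunk of this file, where the replaced line also switches its indentation from spaces to a tab, unlike its neighbours.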
@@ -3959,7 +3959,7 @@ pixman_compositeGeneral (pixman_operator
     compose_data.mask = pMask;
     compose_data.dest = pDst;
     if (width > SCANLINE_BUFFER_LENGTH)
-        scanline_buffer = (CARD32 *) malloc(width * 3 * sizeof(CARD32));
+	scanline_buffer = (CARD32 *) _pixman_malloc_abc (width, 3, sizeof(CARD32));
 
     n = pixman_region_num_rects (region);
     pbox = pixman_region_rects (region);
diff -up cairo-1.2.4/pixman/src/icimage.c.alloc-overflow cairo-1.2.4/pixman/src/icimage.c
--- cairo-1.2.4/pixman/src/icimage.c.alloc-overflow	2006-08-18 10:20:16.000000000 -0400
+++ cairo-1.2.4/pixman/src/icimage.c	2007-11-28 11:18:25.000000000 -0500
@@ -212,8 +212,8 @@ pixman_image_create_linear_gradient (con
     if (!image)
 	return NULL;
 
-    linear = malloc (sizeof (pixman_linear_gradient_image_t) +
-		     sizeof (pixman_gradient_stop_t) * n_stops);
+    linear = _pixman_malloc_ab_plus_c (n_stops, sizeof (pixman_gradient_stop_t),
+			       sizeof (pixman_linear_gradient_image_t));
     if (!linear)
     {
 	free (image);
@@ -257,8 +257,8 @@ pixman_image_create_radial_gradient (con
     if (!image)
 	return NULL;
 
-    radial = malloc (sizeof (pixman_radial_gradient_image_t) +
-		     sizeof (pixman_gradient_stop_t) * n_stops);
+    radial = _pixman_malloc_ab_plus_c (n_stops, sizeof (pixman_gradient_stop_t),
+			       sizeof (pixman_radial_gradient_image_t));
     if (!radial)
     {
 	free (image);
