Index: xorg/dbe/dbe.c
===================================================================
RCS file: /cvs/xorg/xserver/xorg/dbe/dbe.c,v
retrieving revision 1.5
diff -u -u -r1.5 dbe.c
--- xorg/dbe/dbe.c 3 Jul 2005 07:01:17 -0000 1.5
+++ xorg/dbe/dbe.c 9 Jan 2007 12:52:24 -0000
@@ -55,6 +55,10 @@
 #include "xf86_ansic.h"
 #endif
+#if !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
+
 /* GLOBALS */
 /* Per-screen initialization functions [init'ed by DbeRegisterFunction()] */
@@ -733,11 +737,14 @@
 return(Success);
 }
+ if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
+ return BadAlloc;
+
 /* Get to the swap info appended to the end of the request. */
 dbeSwapInfo = (xDbeSwapInfo *)&stuff[1];
 /* Allocate array to record swap information. */
- swapInfo = (DbeSwapInfoPtr)ALLOCATE_LOCAL(nStuff * sizeof(DbeSwapInfoRec));
+ swapInfo = (DbeSwapInfoPtr)Xalloc(nStuff * sizeof(DbeSwapInfoRec));
 if (swapInfo == NULL)
 {
 return(BadAlloc);
@@ -752,14 +759,14 @@
 if (!(pWin = SecurityLookupWindow(dbeSwapInfo[i].window, client, SecurityWriteAccess)))
 {
- DEALLOCATE_LOCAL(swapInfo);
+ Xfree(swapInfo);
 return(BadWindow);
 }
 /* Each window must be double-buffered - BadMatch. */
 if (DBE_WINDOW_PRIV(pWin) == NULL)
 {
- DEALLOCATE_LOCAL(swapInfo);
+ Xfree(swapInfo);
 return(BadMatch);
 }
@@ -768,7 +775,7 @@
 {
 if (dbeSwapInfo[i].window == dbeSwapInfo[j].window)
 {
- DEALLOCATE_LOCAL(swapInfo);
+ Xfree(swapInfo);
 return(BadMatch);
 }
 }
@@ -779,7 +786,7 @@
 (dbeSwapInfo[i].swapAction != XdbeUntouched ) &&
 (dbeSwapInfo[i].swapAction != XdbeCopied ))
 {
- DEALLOCATE_LOCAL(swapInfo);
+ Xfree(swapInfo);
 return(BadValue);
 }
@@ -809,12 +816,12 @@
 error = (*pDbeScreenPriv->SwapBuffers)(client, &nStuff, swapInfo);
 if (error != Success)
 {
- DEALLOCATE_LOCAL(swapInfo);
+ Xfree(swapInfo);
 return(error);
 }
 }
- DEALLOCATE_LOCAL(swapInfo);
+ Xfree(swapInfo);
 return(Success);
 } /* ProcDbeSwapBuffers() */
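Review bot: The guard added in the `@@ -733,11 +737,14 @@` hunk bounds `nStuff * sizeof(DbeSwapInfoRec)`, but nothing in the hunk ties `nStuff` to the length of the request, while `dbeSwapInfo = (xDbeSwapInfo *)&stuff[1]` is indexed per entry in the later hunks. Unless a length check sits above the hunk (ProcDbeSwapBuffers starts outside it), a client-supplied count larger than the data actually sent would let the validation loop read past the request buffer. I would add `REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo));` directly after the overflow check, assuming that is the request struct used here. The same applies to the `@@ -898,10 +905,12 @@` hunk, where `REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq)` is the only length check shown before `drawables[i]` is read in the next hunk.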
@@ -898,10 +905,12 @@
 REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
+ if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
+ return BadAlloc;
 /* Make sure any specified drawables are valid. */
 if (stuff->n != 0)
 {
- if (!(pDrawables = (DrawablePtr *)ALLOCATE_LOCAL(stuff->n *
+ if (!(pDrawables = (DrawablePtr *)Xalloc(stuff->n *
 sizeof(DrawablePtr))))
 {
 return(BadAlloc);
@@ -914,7 +923,7 @@
 if (!(pDrawables[i] = (DrawablePtr)SecurityLookupDrawable(
 drawables[i], client, SecurityReadAccess)))
 {
- DEALLOCATE_LOCAL(pDrawables);
+ Xfree(pDrawables);
 return(BadDrawable);
 }
 }
@@ -926,7 +935,7 @@
 {
 if (pDrawables)
 {
- DEALLOCATE_LOCAL(pDrawables);
+ Xfree(pDrawables);
 }
 return(BadAlloc);
@@ -953,7 +962,7 @@
 /* Free pDrawables if we needed to allocate it above. */
 if (pDrawables)
 {
- DEALLOCATE_LOCAL(pDrawables);
+ Xfree(pDrawables);
 }
 return(BadAlloc);
@@ -1034,7 +1043,7 @@
 if (pDrawables)
 {
- DEALLOCATE_LOCAL(pDrawables);
+ Xfree(pDrawables);
 }
 return(client->noClientException);
Index: xorg/render/render.c
===================================================================
RCS file: /cvs/xorg/xserver/xorg/render/render.c,v
retrieving revision 1.12
diff -u -u -r1.12 render.c
--- xorg/render/render.c 28 Aug 2005 19:47:39 -0000 1.12
+++ xorg/render/render.c 9 Jan 2007 12:52:24 -0000
@@ -52,6 +52,10 @@
 #include "xf86_ansic.h"
 #endif
+#if !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
+
 static int ProcRenderQueryVersion (ClientPtr pClient);
 static int ProcRenderQueryPictFormats (ClientPtr pClient);
 static int ProcRenderQueryPictIndexValues (ClientPtr pClient);
@@ -1108,11 +1112,14 @@
 }
 nglyphs = stuff->nglyphs;
+ if (nglyphs > UINT32_MAX / sizeof(GlyphNewRec))
+ return BadAlloc;
+
 if (nglyphs <= NLOCALGLYPH)
 glyphsBase = glyphsLocal;
 else
 {
- glyphsBase = (GlyphNewPtr) ALLOCATE_LOCAL (nglyphs * sizeof (GlyphNewRec));
+ glyphsBase = (GlyphNewPtr) Xalloc (nglyphs * sizeof (GlyphNewRec));
 if (!glyphsBase)
 return BadAlloc;
 }
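Review bot: Moving `glyphsBase` from `ALLOCATE_LOCAL` to `Xalloc` in the `@@ -1108,11 +1112,14 @@` hunk changes who owns the buffer, and no comment records that. Where `ALLOCATE_LOCAL` maps to stack allocation a missed `DEALLOCATE_LOCAL` was harmless, but with a heap buffer any exit that skips `Xfree` leaks memory on a path a client can trigger repeatedly. Only the success return and the `bail:` path appear in the later hunks, so the exits between this allocation and `bail:` need checking by hand; the function starts and ends outside the hunk. I would add above the allocation `/* heap buffer when nglyphs > NLOCALGLYPH: every exit must Xfree() it */`.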
@@ -1169,7 +1176,7 @@
 }
 if (glyphsBase != glyphsLocal)
- DEALLOCATE_LOCAL (glyphsBase);
+ Xfree (glyphsBase);
 return client->noClientException;
 bail:
 while (glyphs != glyphsBase)
@@ -1178,7 +1185,7 @@
 xfree (glyphs->glyph);
 }
 if (glyphsBase != glyphsLocal)
- DEALLOCATE_LOCAL (glyphsBase);
+ Xfree (glyphsBase);
 return err;
 }
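Review bot: The `bail:` path in the `@@ -1178,7 +1185,7 @@` hunk now frees memory under two spellings, `xfree (glyphs->glyph)` on the context line and `Xfree (glyphsBase)` on the added one, and the `@@ -1169,7 +1176,7 @@` hunk adds the same `Xfree` call. If `xfree` is the usual wrapper around `Xfree` in this tree, as it appears to be, writing `xfree (glyphsBase);` (and `xalloc` for the matching allocation) would keep the function consistent with its existing calls. This is a style point only; the function body starts outside the hunk.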