--- qt-win-opensource-src-4.2.0/src/gui/image/qimage.cpp	2006-09-29 16:39:24.000000000 +0200
+++ qt-win-opensource-src-4.2.1/src/gui/image/qimage.cpp	2006-10-20 10:02:18.000000000 +0200
@@ -218,12 +218,12 @@
 
 QImageData * QImageData::create(const QSize &size, QImage::Format format, int numColors)
 {
-    int width = size.width();
-    int height = size.height();
-    if (width <= 0 || height <= 0 || numColors < 0 || format == QImage::Format_Invalid)
+    if (!size.isValid() || numColors < 0 || format == QImage::Format_Invalid)
         return 0;                                // invalid parameter(s)
+    uint width = size.width();
+    uint height = size.height();
 
-    int depth = 0;
+    uint depth = 0;
     switch(format) {
     case QImage::NImageFormats:
     case QImage::Format_Invalid:
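Review bot: Replacing `width <= 0 || height <= 0` with `!size.isValid()` loosens the parameter check, because QSize::isValid() returns true when a dimension is zero. A zero width is still rejected later by the `bytes_per_line <= 0` test, but a zero height with a positive width appears to pass every guard and reach `malloc(d->nbytes)` with a size of 0. If empty images should keep producing a null QImageData, keep the explicit test, e.g. `if (size.width() <= 0 || size.height() <= 0 || numColors < 0 || format == QImage::Format_Invalid)`. The body of create() continues outside this hunk.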
@@ -250,6 +250,15 @@
         break;
     }
 
+    const int bytes_per_line = ((width * depth + 31) >> 5) << 2; // bytes per scanline (must be multiple of 8)
+
+    // sanity check for potential overflows
+    if (INT_MAX/depth < width
+        || bytes_per_line <= 0
+        || INT_MAX/uint(bytes_per_line) < height
+        || INT_MAX/sizeof(uchar *) < uint(height))
+        return 0;
+
     QImageData *d = new QImageData;
     d->colortable.resize(numColors);
     if (depth == 1) {
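Review bot: `INT_MAX/depth < width` divides by `depth`, which is initialised to 0 and is only non-zero if the switch assigned it. Only `Format_Invalid` is rejected at the top of the function, so `QImage::NImageFormats` or an out-of-range enum value would presumably leave `depth` at 0 and trap here; the switch body is outside the hunk, so please confirm. Putting `depth == 0 ||` in front of the division makes the sanity check safe on its own. The copied comment is also inaccurate: `((width * depth + 31) >> 5) << 2` rounds up to a multiple of 4 bytes (32 bits), not 8, so I would write `// bytes per scanline, padded to a 32-bit boundary`.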
@@ -266,7 +275,7 @@
     d->format = format;
     d->has_alpha_clut = false;
 
-    d->bytes_per_line = ((width * d->depth + 31) >> 5) << 2; // bytes per scanline (must be multiple of 8)
+    d->bytes_per_line = bytes_per_line;
 
     d->nbytes = d->bytes_per_line*height;
     d->data  = (uchar *)malloc(d->nbytes);
@@ -793,7 +802,13 @@
     : QPaintDevice()
 {
     d = 0;
-    if (format == Format_Invalid || width <= 0 || height <= 0 || !data)
+    const int depth = depthForFormat(format);
+    const int bytes_per_line = ((width * d->depth + 31)/32) * 4;
+    if (format == Format_Invalid || width <= 0 || height <= 0 || !data
+        || INT_MAX/sizeof(uchar *) < uint(height)
+        || INT_MAX/uint(depth) < uint(width)
+        || bytes_per_line <= 0
+        || INT_MAX/uint(bytes_per_line) < uint(height))
         return;                                        // invalid parameter(s)
     d = new QImageData;
     d->ref.ref();
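Review bot: The new `bytes_per_line` line reads `d->depth` immediately after `d = 0;`, so every call to this constructor dereferences a null pointer before any check runs. It should use the local computed on the line above: `const int bytes_per_line = ((width * depth + 31)/32) * 4;`. Once corrected, `width * depth` is still a signed `int` multiplication evaluated before the `INT_MAX/uint(depth) < uint(width)` guard, and signed overflow is undefined behaviour, so the later `bytes_per_line <= 0` test cannot be relied on to catch it. Doing the multiplication in unsigned, as create() does with its `uint` locals, avoids that; the same applies to `((w*depth+31)/32)*4` in the hunk at -1065.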
@@ -802,10 +817,10 @@
     d->data = data;
     d->width = width;
     d->height = height;
-    d->depth = depthForFormat(format);
+    d->depth = depth;
     d->format = format;
 
-    d->bytes_per_line = ((width * d->depth + 31)/32) * 4;
+    d->bytes_per_line = bytes_per_line;
     d->nbytes = d->bytes_per_line * height;
 }
 
@@ -1065,7 +1080,13 @@
     Format f = formatFor(depth, bitOrder);
     if (f == Format_Invalid)
         return;
-    if (w <= 0 || h <= 0 || numColors < 0 || !data)
+
+    const int bytes_per_line = ((w*depth+31)/32)*4;        // bytes per scanline
+    if (w <= 0 || h <= 0 || numColors < 0 || !data
+        || INT_MAX/sizeof(uchar *) < uint(h)
+        || INT_MAX/uint(depth) < uint(w)
+        || bytes_per_line <= 0
+        || INT_MAX/uint(bytes_per_line) < uint(h))
         return;                                        // invalid parameter(s)
     d = new QImageData;
     d->ref.ref();
@@ -1079,7 +1100,7 @@
     if (depth == 32)
         numColors = 0;
 
-    d->bytes_per_line = ((w*depth+31)/32)*4;        // bytes per scanline
+    d->bytes_per_line = bytes_per_line;
     d->nbytes = d->bytes_per_line * h;
     if (colortable) {
         d->colortable.resize(numColors);
@@ -1114,7 +1135,11 @@
     Format f = formatFor(depth, bitOrder);
     if (f == Format_Invalid)
         return;
-    if (!data || w <= 0 || h <= 0 || depth <= 0 || numColors < 0)
+    if (!data || w <= 0 || h <= 0 || depth <= 0 || numColors < 0
+        || INT_MAX/sizeof(uchar *) < uint(h)
+        || INT_MAX/uint(depth) < uint(w)
+        || bpl <= 0
+        || INT_MAX/uint(bpl) < uint(h))
         return;                                        // invalid parameter(s)
 
     d = new QImageData;
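Review bot: The added checks bound `bpl` against `h`, but nothing ties `bpl` to the row size implied by `w` and `depth`. `bpl` appears to be supplied by the caller (its declaration is outside the hunk), so a positive value smaller than the bits needed per row would be accepted, and the image would describe rows wider than the stride of the buffer it wraps. I would add a lower bound computed in a wider type so it cannot overflow itself, e.g. `|| qint64(bpl) * 8 < qint64(w) * depth`. A short comment saying that the caller owns `data` and must provide at least `bpl * h` bytes would also help, since this constructor cannot verify the buffer length.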
