From cd8499f5f00ddf12358be8d91de4575caaf4a855 Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory <qsa@qualys.com>
Date: Thu, 1 Jan 1970 00:00:00 +0000
Subject: [PATCH] 0015-tload: Prevent integer overflows of ncols, nrows, and
 scr_size.

Also, use xerrx() instead of xerr() since errno is not set.
---
 tload.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/tload.c b/tload.c
index 4aa4be17..a2cebdfb 100644
--- a/tload.c
+++ b/tload.c
@@ -42,6 +42,7 @@
 #include <sys/ioctl.h>
 #include <termios.h>
 #include <unistd.h>
+#include <limits.h>
 
 static char *screen;
 
@@ -69,9 +70,13 @@ static void setsize(int i)
 		if (win.ws_row > 0)
 			nrows = win.ws_row;
 	}
+	if (ncols < 2 || ncols >= INT_MAX)
+		xerrx(EXIT_FAILURE, _("screen too small or too large"));
+	if (nrows < 2 || nrows >= INT_MAX / ncols)
+		xerrx(EXIT_FAILURE, _("screen too small or too large"));
 	scr_size = nrows * ncols;
 	if (scr_size < 2)
-		xerr(EXIT_FAILURE, _("screen too small"));
+		xerrx(EXIT_FAILURE, _("screen too small"));
 	if (screen == NULL)
 		screen = (char *)xmalloc(scr_size);
 	else