diff -ruN kernel-source-2.4.18-2.4.18-14.2/drivers/char/drm/r128_state.c kernel-source-2.4.18-2.4.18-14.3/drivers/char/drm/r128_state.c
--- kernel-source-2.4.18-2.4.18-14.2/drivers/char/drm/r128_state.c	Thu Aug  9 01:42:15 2001
+++ kernel-source-2.4.18-2.4.18-14.3/drivers/char/drm/r128_state.c	Thu Apr 15 12:43:21 2004
@@ -23,8 +23,22 @@
  * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
  * DEALINGS IN THE SOFTWARE.
  *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * RED HAT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ * THIS SOFTWARE IS NOT INTENDED FOR USE IN SAFETY CRITICAL SYSTEMS
+ *
  * Authors:
  *    Gareth Hughes <gareth@valinux.com>
+ *
+ * Memory allocation size checks added 14/01/2003, Alan Cox <alan@redhat.com>
+ * Memory allocation size checks enhanced 16/02/2004, Thomas Biege <thomas@suse.de>
+ *
  */
 
 #define __NO_VERSION__
@@ -903,6 +917,9 @@
 	DRM_DEBUG( "%s\n", __FUNCTION__ );
 
 	count = depth->n;
+
+	if( count > 4096 || count <= 0)
+		return -EMSGSIZE;
 	if ( copy_from_user( &x, depth->x, sizeof(x) ) ) {
 		return -EFAULT;
 	}
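Review bot: The bound `4096` in `if( count > 4096 || count <= 0)` is an unexplained literal, and the same test is repeated in every code hunk of both r128_state.c files with inconsistent spacing (`if(` versus `if (`). A named constant with a short comment on what limits the value, for example `#define R128_MAX_DEPTH_COUNT 4096 /* upper bound on depth->n */`, would let the limit be audited and changed in one place. The declaration of `count` is outside the hunk; if it is unsigned, the `count <= 0` half rejects only zero, so the type is worth confirming. The enclosing function starts and ends outside the hunk.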
@@ -997,6 +1014,9 @@
 
 	count = depth->n;
 
+	if( count > 4096 || count <= 0)
+		return -EMSGSIZE;
+
 	x = kmalloc( count * sizeof(*x), GFP_KERNEL );
 	if ( x == NULL ) {
 		return -ENOMEM;
@@ -1111,6 +1131,9 @@
 	DRM_DEBUG( "%s\n", __FUNCTION__ );
 
 	count = depth->n;
+
+	if ( count > 4096 || count <= 0)
+		return -EMSGSIZE;
 	if ( copy_from_user( &x, depth->x, sizeof(x) ) ) {
 		return -EFAULT;
 	}
@@ -1153,10 +1176,15 @@
 	DRM_DEBUG( "%s\n", __FUNCTION__ );
 
 	count = depth->n;
+	if ( count > 4096 || count <= 0)
+		return -EMSGSIZE;
 	if ( count > dev_priv->depth_pitch ) {
 		count = dev_priv->depth_pitch;
 	}
+	if( count * sizeof(int) <= 0 || count * sizeof(*x) <= 0 || count * sizeof(*y) <= 0)
+		return -EMSGSIZE;
 
+	
 	x = kmalloc( count * sizeof(*x), GFP_KERNEL );
 	if ( x == NULL ) {
 		return -ENOMEM;
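Review bot: The product test `count * sizeof(int) <= 0 || count * sizeof(*x) <= 0 || count * sizeof(*y) <= 0` cannot detect a negative or wrapped size, because `sizeof` yields an unsigned `size_t`, so each product is unsigned and `<= 0` is true only for exactly zero. After the clamp `count = dev_priv->depth_pitch`, a negative pitch (if that field is signed; its declaration is not visible here) would give a large non-zero product and still reach `kmalloc`. Re-checking the clamped value directly, `if ( count <= 0 ) return -EMSGSIZE;` placed after the clamp, states the intent and covers that case. The same product test appears in the drm-4.0 hunks at `@@ -1047` (where there is no clamp, so it is dead code once `count` is within 1..4096) and `@@ -1235`. The hunk also adds a whitespace-only line before the `kmalloc` call, and the function body continues outside the hunk.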
diff -ruN kernel-source-2.4.18-2.4.18-14.2/drivers/char/drm-4.0/r128_state.c kernel-source-2.4.18-2.4.18-14.3/drivers/char/drm-4.0/r128_state.c
--- kernel-source-2.4.18-2.4.18-14.2/drivers/char/drm-4.0/r128_state.c	Tue Feb 26 04:37:57 2002
+++ kernel-source-2.4.18-2.4.18-14.3/drivers/char/drm-4.0/r128_state.c	Thu Apr 15 12:43:21 2004
@@ -26,6 +26,8 @@
  * Authors:
  *    Gareth Hughes <gareth@valinux.com>
  *
+ * Memory allocation size checks added 16/02/2004, Thomas Biege <thomas@suse.de>
+ *
  */
 
 #define __NO_VERSION__
@@ -938,6 +940,9 @@
 	}
 
 	count = depth->n;
+
+	if( count > 4096 || count <= 0)
+		return -EMSGSIZE;
 	if ( copy_from_user( &x, depth->x, sizeof(x) ) ) {
 		return -EFAULT;
 	}
@@ -1047,6 +1052,9 @@
 	}
 
 	count = depth->n;
+	if( count > 4096 || count <= 0 || count * sizeof(*x) <= 0 ||
+	    count * sizeof(*y) <= 0)
+		return -EMSGSIZE;	
 
 	x = kmalloc( count * sizeof(*x), 0 );
 	if ( x == NULL ) {
@@ -1178,6 +1186,9 @@
 	}
 
 	count = depth->n;
+
+	if ( count > 4096 || count <= 0)
+		return -EMSGSIZE;
 	if ( copy_from_user( &x, depth->x, sizeof(x) ) ) {
 		return -EFAULT;
 	}
@@ -1235,9 +1246,13 @@
 	}
 
 	count = depth->n;
+	if ( count > 4096 || count <= 0)
+		return -EMSGSIZE;
 	if ( count > dev_priv->depth_pitch ) {
 		count = dev_priv->depth_pitch;
 	}
+	if( count * sizeof(int) <= 0 || count * sizeof(*x) <= 0 || count * sizeof(*y) <= 0)
+		return -EMSGSIZE;
 
 	x = kmalloc( count * sizeof(*x), 0 );
 	if ( x == NULL ) {
