Bug #594: CAN-2005-2495: Fix exploitable integer overflow in pixmap

creation, where we could create a far smaller pixmap than we thought,
    allowing changes to arbitrary chunks of memory. (Søren Sandmann
    Pedersen)

cfb/cfbpixmap.c

@@ -72,10 +72,13 @@ cfbCreatePixmap (pScreen, width, height, depth)
     int		depth;
 {
     PixmapPtr pPixmap;
-    int datasize;
-    int paddedWidth;
+    size_t datasize;
+    size_t paddedWidth;
 
     paddedWidth = PixmapBytePad(width, depth);
+
+    if (paddedWidth / 4 > 32767 || height > 32767)
+	return NullPixmap;
     datasize = height * paddedWidth;
     pPixmap = AllocatePixmap(pScreen, datasize);
     if (!pPixmap)