--- vnc_unixsrc/Xvnc/programs/Xserver/Xext/xcmisc.c.cve-2007-1003	2000-06-11 06:00:51.000000000 -0600
+++ vnc_unixsrc/Xvnc/programs/Xserver/Xext/xcmisc.c	2007-03-22 07:07:34.000000000 -0600
@@ -41,6 +41,12 @@ from the X Consortium.
 #include "swaprep.h"
 #include "xcmiscstr.h"
 
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
+
 static unsigned char XCMiscCode;
 
 static void XCMiscResetProc(
@@ -135,7 +141,10 @@ ProcXCMiscGetXIDList(client)
 
     REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq);
 
-    pids = (XID *)ALLOCATE_LOCAL(stuff->count * sizeof(XID));
+    if (stuff->count > UINT32_MAX / sizeof(XID))
+	    return BadAlloc;
+
+    pids = (XID *)Xalloc(stuff->count * sizeof(XID));
     if (!pids)
     {
 	return BadAlloc;
@@ -156,7 +165,7 @@ ProcXCMiscGetXIDList(client)
     	client->pSwapReplyFunc = (ReplySwapPtr) Swap32Write;
 	WriteSwappedDataToClient(client, count * sizeof(XID), pids);
     }
-    DEALLOCATE_LOCAL(pids);
+    Xfree(pids);
     return(client->noClientException);
 }