It is possible to trigger heap overflows due to an integer
overflow while parsing images and a signedness issue while
parsing comments.
The integer overflow occurs because the chosen limit 0x10000
for dimensions is too large for 32 bit systems, because each pixel
takes 4 bytes. Properly chosen values allow an overflow which in
turn will lead to less allocated memory than needed for subsequent
reads.
The signedness bug is triggered by reading the length of a comment
as unsigned int, but casting it to int when calling the function
XcursorCommentCreate. Turning length into a negative value allows
the check against XCURSOR_COMMENT_MAX_LEN to pass, and the following
addition of sizeof (XcursorComment) + 1 makes it possible to
allocate less memory than needed for subsequent reads.