diff --git a/ChangeLog b/ChangeLog
index 87a3558c8..48eef698b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2006-05-02 Adam Jackson
+
+ * render/mitri.c:
+ Bug #6642: Fix buffer overflow in Render. (CVE 2006-1526, patch
+ from Eric Anholt)
+
 2006-04-28 Adam Jackson
 
 * configure.ac:
diff --git a/render/mitri.c b/render/mitri.c
index 974225350..bc2641895 100644
--- a/render/mitri.c
+++ b/render/mitri.c
@@ -145,7 +145,7 @@ miTriStrip (CARD8 op,
 if (npoint < 3)
 return;
 ntri = npoint - 2;
- tris = ALLOCATE_LOCAL (ntri & sizeof (xTriangle));
+ tris = ALLOCATE_LOCAL (ntri * sizeof (xTriangle));
 if (!tris)
 return;
 for (tri = tris; npoint >= 3; npoint--, points++, tri++)
@@ -177,7 +177,7 @@ miTriFan (CARD8 op,
 if (npoint < 3)
 return;
 ntri = npoint - 2;
- tris = ALLOCATE_LOCAL (ntri & sizeof (xTriangle));
+ tris = ALLOCATE_LOCAL (ntri * sizeof (xTriangle));
 if (!tris)
 return;
 first = points++;
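Review bot: The corrected `ntri * sizeof (xTriangle)` in miTriStrip is still computed with no upper bound on `ntri`, so the size handed to ALLOCATE_LOCAL is only as safe as whatever limits `npoint` before this function runs, and that validation is not visible in the hunk. If ALLOCATE_LOCAL expands to alloca() in this build, as it does in many X server configurations, the `if (!tris)` test cannot catch an oversized request, and a large count would exhaust the stack rather than fail cleanly. I would add a guard ahead of the allocation, for example `if (ntri > INT_MAX / sizeof (xTriangle)) return;`, or move to a heap allocation whose failure can actually be checked. The identical line in the miTriFan hunk at -177 has the same concern; both function bodies start and end outside their hunks.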