vnc and xenfb integer overflow and division by zero vuln fixes

row_stride_div0.patch: a malicious frontend can send row_stride==0 and force
qemu-dm to perform division by 0

vnc_resize_doublecheck.patch: there is an unchecked multiplication when
calculating framebuffer size. Cs 17630 sanitizes framebuffer dimensions
passed by the frontend, so most probably no integer overflow can happen, but
there should be a check for overflow close to the actual computation (to
make code review easier and to cope with other codepaths in the future).

(Patches submitted by Rafal Wojtczuk <rafal@invisiblethingslab.com>
against xen-3.2 ioemu; adapted for xen-unstable by Ian Jackson and also
edited to actually compile and to be correct.)

Contributed-by: Rafal Wojtczuk <rafal@invisiblethingslab.com>
Modified-by: Ian Jackson <ian.jackson@eu.citrix.com>
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
Cherry picked from xen-unstable
a83c1174b942d0f0f0e05927eb5b69fe8489b7ab

PLUS

vnc integer overflow check fix overzealous zero checking

In a83c1174b942d0f0f0e05927eb5b69fe8489b7ab, we arranged to avoid
integer overflow and calls to realloc(nonzero,0). However
vs->depth==0 is legitimate on entry to vnc_dpy_resize_shared.
We need to move the check for vs->depth until after vnc_colourdepth.
Cherry picked from xen-unstable
81b31c9f37ac4e3584bdfe8e7b04bedcb8940b88
Signed-off-by: Ian Jackson <ian.jackson@eu.citrix.com>
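
The two checks this message describes, sketched in C as an added example (not code from the patches or from qemu-dm). The function names, parameters and sample dimensions are hypothetical; the size check is meant to sit next to the multiplication and to run only once the colour depth has been set.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: compute width * height * bytes_per_pixel for a
 * framebuffer allocation. Rejects a zero result (which would turn into
 * realloc(ptr, 0)) and any product that would wrap size_t. */
static int fb_size_checked(unsigned int width, unsigned int height,
                           unsigned int bytes_per_pixel, size_t *out)
{
    size_t w = width, h = height, bpp = bytes_per_pixel;

    if (w == 0 || h == 0 || bpp == 0)
        return -1;
    if (w > SIZE_MAX / h)            /* w * h would overflow */
        return -1;
    if (w * h > SIZE_MAX / bpp)      /* (w * h) * bpp would overflow */
        return -1;
    *out = w * h * bpp;
    return 0;
}

/* Hypothetical helper: number of whole rows in a buffer of fb_len bytes,
 * given a row_stride supplied by an untrusted frontend. A stride of 0 is
 * refused before the division instead of being trusted. */
static int fb_rows_checked(size_t fb_len, unsigned int row_stride,
                           size_t *rows)
{
    if (row_stride == 0)
        return -1;
    *rows = fb_len / row_stride;
    return 0;
}

int main(void)
{
    size_t len = 0, rows = 0;

    /* Constructed sample values: 800x600 at 4 bytes per pixel. */
    if (fb_size_checked(800, 600, 4, &len) == 0 &&
        fb_rows_checked(len, 800 * 4, &rows) == 0)
        printf("len=%zu rows=%zu\n", len, rows);
    if (fb_rows_checked(len, 0, &rows) != 0)
        printf("row_stride==0 rejected\n");
    return 0;
}
```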