diff --git a/ChangeLog b/ChangeLog
index ee49957bf..40ab8cb6a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2008-10-31 Fred Kiefer
+
+ * Source/NSBitmapImageRep+ICNS.m
+ (icns_get_image32_with_mask_from_family): Protect against buffer
+ overfow detected by valgrind.
+
+2008-10-29 Fred Kiefer
+
+ * Source/NSBrowser.m (-drawTitle:inRect:ofColumn:, -dealloc): Set
+ and unset the ownership of the shared title cell.
+ Patch by Matt Rice .
+
 2008-10-24 Fred Kiefer
 * Source/NSMenu.m (-indexOfItemWithTarget:andAction:): Compare the
diff --git a/Source/NSBitmapImageRep+ICNS.m b/Source/NSBitmapImageRep+ICNS.m
index 7abc0bf3d..548d761e0 100644
--- a/Source/NSBitmapImageRep+ICNS.m
+++ b/Source/NSBitmapImageRep+ICNS.m
@@ -327,6 +327,7 @@ static int icns_get_image32_with_mask_from_family(icns_family_t *iconFamily,
 int j;
 int res;
 icns_type_t mask_type;
+ unsigned int imageDataSize;
 if (icns_types_equal(type, ICNS_NULL_TYPE))
 return 1;
@@ -348,6 +349,7 @@ static int icns_get_image32_with_mask_from_family(icns_family_t *iconFamily,
 return 1;
 }
+ imageDataSize = iconImage->imageDataSize;
 if ((element->elementSize - ICNS_HEADER_SIZE) < 3 * iconImage->imageHeight * iconImage->imageWidth)
 {
@@ -364,16 +366,18 @@ static int icns_get_image32_with_mask_from_family(icns_family_t *iconFamily,
 {
 icns_byte_t bv = *b++;
 int runLen;
+ unsigned int index = samplesPerPixel * offset + plane;
 if (bv & 0x80)
 {
 // Compressed run
 icns_byte_t val = *b++;
+
 runLen = bv - 125;
- for (j = 0; j < runLen; j++)
+ for (j = 0; (j < runLen) && (index < imageDataSize); j++)
 {
- iconImage->imageData[samplesPerPixel * (offset + j)
- + plane] = val;
+ iconImage->imageData[index] = val;
+ index += samplesPerPixel;
 }
 }
 else
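Review bot: The added `index < imageDataSize` condition bounds the writes into `iconImage->imageData`, but the reads through `b` are still unchecked in this hunk: `bv` and `val` are fetched with `*b++`, and nothing visible here compares `b` with the end of the element. The same holds for the literal-run loop in the `@@ -382` hunk. ICNS data comes from a file, so a truncated or malformed element could still carry the decoder past the end of the input buffer, unless the enclosing loop, which starts outside this hunk, already limits it. I would derive an end pointer once from `element->elementSize` and take the function's existing failure path before each read, e.g. `if (b >= dataEnd) return 1;` (`dataEnd` is a name made up for this note). A comment on the guard such as `// A run may claim more pixels than the image holds; never write past imageData` would record why the loop condition has two parts.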
@@ -382,10 +386,10 @@ static int icns_get_image32_with_mask_from_family(icns_family_t *iconFamily,
 int j;
 runLen = bv + 1;
- for (j = 0; j < runLen; j++)
+ for (j = 0; (j < runLen) && (index < imageDataSize); j++)
 {
- iconImage->imageData[samplesPerPixel * (offset + j)
- + plane] = *b++;
+ iconImage->imageData[index] = *b++;
+ index += samplesPerPixel;
 }
 }
diff --git a/Source/NSBrowser.m b/Source/NSBrowser.m
index 066f6d937..2ecad54d7 100644
--- a/Source/NSBrowser.m
+++ b/Source/NSBrowser.m
@@ -1453,6 +1453,7 @@ static NSTextFieldCell *titleCell;
 if (!_isTitled || !NSBR_COLUMN_IS_VISIBLE(column))
 return;
+ [titleCell setControlView: self];
 [titleCell setStringValue: title];
 [titleCell drawWithFrame: aRect inView: self];
 }
@@ -2258,6 +2259,11 @@ static NSTextFieldCell *titleCell;
 - (void) dealloc
 {
+ if ([titleCell controlView] == self)
+ {
+ [titleCell setControlView: nil];
+ }
+
 RELEASE(_browserCellPrototype);
 RELEASE(_pathSeparator);
 RELEASE(_horizontalScroller);
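Review bot: When `index < imageDataSize` stops this literal run early, the remaining bytes of the run are never consumed, so `b` is left in the middle of the run and the next pass would read pixel data as a control byte. The overrun is also clipped silently, so a malformed icon decodes to garbage instead of being rejected. Consider treating it as a decode failure right after the loop, for example `if (j < runLen) return 1;`, adjusted to whatever cleanup the function's other failure paths perform; those paths and the enclosing loop are outside this hunk.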
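Review bot: `titleCell` is a file-level static shared by every browser, and nothing in this hunk records why it has to be re-pointed at `self` on each draw. Presumably the cell does not retain its control view, so without the matching reset in `-dealloc` (the `@@ -2258` hunk) it could keep a pointer to a freed browser; that should be confirmed against NSCell. I would add a comment above the new line, e.g. `// titleCell is shared by all browsers: claim it before drawing; -dealloc clears the back-pointer if we still own it.` The method body starts outside the hunk.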