create_bits(): Cast the result of height * stride to size_t

In create_bits() both height and stride are ints, so the result is
also an int, which will overflow if height or stride are big enough
and size_t is bigger than int.

This patch simply casts height to size_t to prevent these overflows,
which prevents the crash in:

    https://bugzilla.redhat.com/show_bug.cgi?id=972647

It's not even close to fixing the full problem of supporting big
images in pixman.

See also

    https://bugs.freedesktop.org/show_bug.cgi?id=69014

diff --git a/pixman/pixman-bits-image.c b/pixman/pixman-bits-image.c
index f9121a3..dcdcc69 100644 (file)
--- a/pixman/pixman-bits-image.c
+++ b/pixman/pixman-bits-image.c
@@ -926,7 +926,7 @@ create_bits (pixman_format_code_t format,
     if (_pixman_multiply_overflows_size (height, stride))
        return NULL;
 
-    buf_size = height * stride;
+    buf_size = (size_t)height * stride;
 
     if (rowstride_bytes)
        *rowstride_bytes = stride;