From: Søren Sandmann Date: Wed, 9 Apr 2014 18:14:12 +0000 (-0400) Subject: create_bits(): Cast the result of height * stride to size_t X-Git-Tag: pixman-0.33.2~61 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=857e40f3d2bc2cfb714913e0cd7e6184cf69aca3;p=platform%2Fupstream%2Fpixman.git create_bits(): Cast the result of height * stride to size_t In create_bits() both height and stride are ints, so the result is also an int, which will overflow if height or stride are big enough and size_t is bigger than int. This patch simply casts height to size_t to prevent these overflows, which prevents the crash in: https://bugzilla.redhat.com/show_bug.cgi?id=972647 It's not even close to fixing the full problem of supporting big images in pixman. See also https://bugs.freedesktop.org/show_bug.cgi?id=69014 --- diff --git a/pixman/pixman-bits-image.c b/pixman/pixman-bits-image.c index f9121a3..dcdcc69 100644 --- a/pixman/pixman-bits-image.c +++ b/pixman/pixman-bits-image.c @@ -926,7 +926,7 @@ create_bits (pixman_format_code_t format, if (_pixman_multiply_overflows_size (height, stride)) return NULL; - buf_size = height * stride; + buf_size = (size_t)height * stride; if (rowstride_bytes) *rowstride_bytes = stride;