From 857e40f3d2bc2cfb714913e0cd7e6184cf69aca3 Mon Sep 17 00:00:00 2001 From: =?utf8?q?S=C3=B8ren=20Sandmann?= Date: Wed, 9 Apr 2014 14:14:12 -0400 Subject: [PATCH] create_bits(): Cast the result of height * stride to size_t In create_bits() both height and stride are ints, so the result is also an int, which will overflow if height or stride are big enough and size_t is bigger than int. This patch simply casts height to size_t to prevent these overflows, which prevents the crash in: https://bugzilla.redhat.com/show_bug.cgi?id=972647 It's not even close to fixing the full problem of supporting big images in pixman. See also https://bugs.freedesktop.org/show_bug.cgi?id=69014 --- pixman/pixman-bits-image.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pixman/pixman-bits-image.c b/pixman/pixman-bits-image.c index f9121a3..dcdcc69 100644 --- a/pixman/pixman-bits-image.c +++ b/pixman/pixman-bits-image.c @@ -926,7 +926,7 @@ create_bits (pixman_format_code_t format, if (_pixman_multiply_overflows_size (height, stride)) return NULL; - buf_size = height * stride; + buf_size = (size_t)height * stride; if (rowstride_bytes) *rowstride_bytes = stride; -- 2.7.4
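Review bot: On the changed line "buf_size = (size_t)height * stride;", the cast only gives the right result when both operands are non-negative, and nothing visible in this hunk checks the sign of height or stride. The commit message says both are ints; a negative int converted to size_t becomes a very large value, so the product would be wrong rather than rejected. Please confirm that an earlier part of create_bits() or _pixman_multiply_overflows_size() rejects negative inputs, and consider a one-line comment above the assignment saying that the cast forces the multiplication to be done in size_t, since the overflow guard directly above makes the uncast form look safe at a glance.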