authorAyman El Didi <ayman@eldidi.org>2022-02-19 11:59:41 -0700
committerAyman El Didi <ayman@eldidi.org>2022-02-19 11:59:41 -0700
commit915dd7942264c76c78e15989476b80ba70f70f64 (patch)
treeee555f6a1ac7aa6e31fd37d5632ef99448c6a142 /src/cairo-array.c
parent8f7d039801f4dd0013fa8735aec82af44389ce8a (diff)
fixed some multiplications prone to overflowing their type
In a couple of instances, code is present where two numbers are multiplied in a type like unsigned int, and the result is immediately cast to a wider type like size_t. This means that although the result can be any size_t value, the multiplication can overflow before it is used, because unsigned int has a smaller range of values. In another more niche case, I also cast to size_t before multiplying a signed integer, since the result is immediately used as an argument to memcpy, which would give memory corruption if the value was negative anyway.
Diffstat (limited to 'src/cairo-array.c')
-rw-r--r--src/cairo-array.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/src/cairo-array.c b/src/cairo-array.c
index c93714f38..db7b6de7a 100644
--- a/src/cairo-array.c
+++ b/src/cairo-array.c
@@ -181,7 +181,7 @@ _cairo_array_index (cairo_array_t *array, unsigned int index)
assert (index < array->num_elements);
- return array->elements + index * array->element_size;
+ return array->elements + (size_t)index * array->element_size;
}
/**
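Review bot: The cast on the new line is easy to mistake for noise and drop in a later cleanup, since `(size_t)index * array->element_size` reads like the old expression to anyone who does not know that both operands are narrower than size_t (index is unsigned int per the signature; element_size presumably the same); a one-line comment above it would preserve the intent: `/* widen before multiplying: index * element_size must not wrap in unsigned int */`. The same comment belongs on the identical casts in the hunks at lines 225 and 320. The `assert` above it is the only bound on index and is compiled out under NDEBUG, so the widened product stays in bounds only because callers respect num_elements; that is pre-existing and not introduced here. _cairo_array_index begins outside the hunk.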
@@ -225,7 +225,7 @@ _cairo_array_index_const (const cairo_array_t *array, unsigned int index)
assert (index < array->num_elements);
- return array->elements + index * array->element_size;
+ return array->elements + (size_t)index * array->element_size;
}
/**
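Review bot: This line is now the second verbatim copy of the widened offset computation (the first is in the hunk at line 181, and the allocate path at line 320 repeats it with array->num_elements in place of index), so any future fix to how the offset is formed has to be made three times. A small `static inline size_t _cairo_array_offset (const cairo_array_t *array, unsigned int index) { return (size_t) index * array->element_size; }` would give all three callers one place where the widening is documented and checked. _cairo_array_index_const begins outside the hunk.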
@@ -289,7 +289,7 @@ _cairo_array_append_multiple (cairo_array_t *array,
if (unlikely (status))
return status;
- memcpy (dest, elements, num_elements * array->element_size);
+ memcpy (dest, elements, (size_t)num_elements * array->element_size);
return CAIRO_STATUS_SUCCESS;
}
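Review bot: The memcpy length on the new line is recomputed from num_elements rather than carried over from the reservation that produced `dest`, so the two sizes agree only if the reservation (whose status is checked at the top of the hunk, presumably the _cairo_array_allocate call just above it) used the same widened product; a comment would make that coupling explicit: `/* dest was reserved for num_elements elements above; the widened length must match that reservation. */`. If num_elements is a signed type here (the commit message mentions one such case), the cast turns a negative count into a huge length instead of rejecting it, so a check such as `assert (num_elements >= 0)` would belong before the reservation, not after it. _cairo_array_append_multiple begins outside the hunk.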
@@ -320,7 +320,7 @@ _cairo_array_allocate (cairo_array_t *array,
assert (array->num_elements + num_elements <= array->size);
- *elements = array->elements + array->num_elements * array->element_size;
+ *elements = array->elements + (size_t)array->num_elements * array->element_size;
array->num_elements += num_elements;
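Review bot: The bound at the top of the hunk, `assert (array->num_elements + num_elements <= array->size)`, adds two unsigned ints, so a count large enough to wrap the sum passes the check and then reaches the widened offset on the new line and the `+=` that follows. Writing it in subtraction form avoids the wrap: `assert (num_elements <= array->size - array->num_elements);`, which is sound as long as num_elements never exceeds size, the invariant the assert exists to maintain. Since asserts vanish under NDEBUG, the rejection of an oversized count that actually protects release builds must happen in the growth path called before this point, which is not in the hunk. _cairo_array_allocate begins outside the hunk.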