author | Ayman El Didi <ayman@eldidi.org> | 2022-02-19 11:59:41 -0700 |
---|---|---|
committer | Ayman El Didi <ayman@eldidi.org> | 2022-02-19 11:59:41 -0700 |
commit | 915dd7942264c76c78e15989476b80ba70f70f64 (patch) | |
tree | ee555f6a1ac7aa6e31fd37d5632ef99448c6a142 /src/cairo-array.c | |
parent | 8f7d039801f4dd0013fa8735aec82af44389ce8a (diff) | |
download | cairo-915dd7942264c76c78e15989476b80ba70f70f64.tar.gz |
fixed some multiplications prone to overflowing their type
In a couple of instances, code is present where two numbers are being
multiplied in a type like unsigned int, but immediately being cast
to a wider type like size_t.
This means, although the result can be any size_t value, the
multiplication can potentially overflow before it's used because
unsigned int has a smaller range of values.
In another more niche case, I also cast to size_t before multiplying
a signed integer, since the result is immediately used as an argument
to memcpy, which would give memory corruption if the value was negative
anyway.
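The commit message above describes an unsigned int product that wraps before it is converted to size_t. The following is an added example, not cairo's code, that shows the pre-patch and patched arithmetic side by side and adds a third, stricter variant (a hypothetical `checked_elem_bytes` helper) that refuses a product that cannot fit in size_t at all. It assumes a 32-bit unsigned int and a 64-bit size_t (LP64, as on x86-64 Linux); the input values are constructed so that their product exceeds 2^32.

```c
/* Added example (not cairo's code): how an unsigned int product can wrap
 * before it is widened to size_t, and two ways of avoiding that.
 * Assumes a 32-bit unsigned int and a 64-bit size_t (LP64). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-patch pattern: the multiplication is done in unsigned int, so only
 * the already-wrapped result is converted to size_t on return. */
size_t offset_narrow(unsigned int index, unsigned int element_size)
{
    return index * element_size;
}

/* Patched pattern: casting one operand first promotes the other as well,
 * so the multiplication itself is carried out in size_t. */
size_t offset_wide(unsigned int index, unsigned int element_size)
{
    return (size_t)index * element_size;
}

/* Hypothetical stricter helper for sizes that feed an allocator or memcpy:
 * returns 1 and stores count * element_size in *out if it fits in size_t,
 * 0 (leaving *out untouched) if the product would overflow. */
int checked_elem_bytes(size_t count, size_t element_size, size_t *out)
{
    if (element_size != 0 && count > SIZE_MAX / element_size)
        return 0;
    *out = count * element_size;
    return 1;
}

int main(void)
{
    /* Constructed values: 70000 * 70000 = 4900000000, which exceeds 2^32. */
    unsigned int n = 70000u, sz = 70000u;
    size_t bytes;

    printf("narrow: %zu\n", offset_narrow(n, sz)); /* wrapped: 605032704 */
    printf("wide:   %zu\n", offset_wide(n, sz));   /* exact: 4900000000 */
    printf("checked: %d\n", checked_elem_bytes(SIZE_MAX, 2, &bytes)); /* 0: refused */
    return 0;
}
```

The cast in `offset_wide` is enough when the surrounding code has already established that the element count fits the allocation, as cairo's asserts do; `checked_elem_bytes` is the shape to use at the point where the size is first computed for an allocation, since it fails closed instead of relying on a wider type.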
Diffstat (limited to 'src/cairo-array.c')
-rw-r--r-- | src/cairo-array.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/src/cairo-array.c b/src/cairo-array.c index c93714f38..db7b6de7a 100644 --- a/src/cairo-array.c +++ b/src/cairo-array.c @@ -181,7 +181,7 @@ _cairo_array_index (cairo_array_t *array, unsigned int index) assert (index < array->num_elements); - return array->elements + index * array->element_size; + return array->elements + (size_t)index * array->element_size; } /** @@ -225,7 +225,7 @@ _cairo_array_index_const (const cairo_array_t *array, unsigned int index) assert (index < array->num_elements); - return array->elements + index * array->element_size; + return array->elements + (size_t)index * array->element_size; } /** @@ -289,7 +289,7 @@ _cairo_array_append_multiple (cairo_array_t *array, if (unlikely (status)) return status; - memcpy (dest, elements, num_elements * array->element_size); + memcpy (dest, elements, (size_t)num_elements * array->element_size); return CAIRO_STATUS_SUCCESS; } @@ -320,7 +320,7 @@ _cairo_array_allocate (cairo_array_t *array, assert (array->num_elements + num_elements <= array->size); - *elements = array->elements + array->num_elements * array->element_size; + *elements = array->elements + (size_t)array->num_elements * array->element_size; array->num_elements += num_elements; |
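Review bot: in the first hunk (`_cairo_array_index`), the `(size_t)` cast on `index` only widens the arithmetic where size_t is wider than unsigned int; on ILP32 targets both are 32 bits and `index * array->element_size` can still wrap, so the `assert (index < array->num_elements)` immediately above stays the operative guard, and it is compiled out under NDEBUG. A one-line comment noting that the real invariant (the element count times element size fits the allocation) is established at allocation time would make the intent of the cast clear to the next reader.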
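Review bot: in the `_cairo_array_append_multiple` hunk, the `memcpy` length now uses the same size_t arithmetic as the space reservation, which is the right fix, but the hunk header does not show the type of `num_elements`. If it is a signed type, as the commit message says one of the changed cases is, a negative value cast to size_t becomes a very large length and `memcpy` would read far past `elements` instead of failing; an unsigned parameter type, or an explicit check that rejects negative counts before the cast, would keep a sign error from turning into an out-of-bounds copy.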
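Review bot: in the `_cairo_array_allocate` hunk, the guard `assert (array->num_elements + num_elements <= array->size)` two lines above the changed line is itself an unsigned int addition that can wrap, so a large `num_elements` could pass the check and `array->num_elements += num_elements` would then wrap as well. Writing it as `assert (num_elements <= array->size - array->num_elements)` cannot overflow, and since asserts vanish under NDEBUG, returning an error status (the pattern the previous hunk shows with `if (unlikely (status)) return status;`) would be safer than an assert for a check that protects memory bounds.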