authorChris Wilson <chris@chris-wilson.co.uk>2008-04-03 17:23:48 +0100
committerChris Wilson <chris@chris-wilson.co.uk>2008-04-03 17:36:50 +0100
commitcfff3c3bd04df5257176d9e43add52fc6daba329 (patch)
tree7580d07cc5fa4266ee0707a0d8af206de92d1d6d /src/cairo-array.c
parent6101dc3e93b20294c75734d7f29e55694ed58e74 (diff)
downloadcairo-cfff3c3bd04df5257176d9e43add52fc6daba329.tar.gz
[cairo-array] Guard against integer overflow whilst growing the array.
Sanity check the arguments to _cairo_array_grow_by() such that the array size does not overflow, similar to the defensive checking of parameters to malloc.
Diffstat (limited to 'src/cairo-array.c')
-rw-r--r--src/cairo-array.c12
1 files changed, 8 insertions, 4 deletions
diff --git a/src/cairo-array.c b/src/cairo-array.c
index b547b121d..053e73ea2 100644
--- a/src/cairo-array.c
+++ b/src/cairo-array.c
@@ -110,15 +110,19 @@ _cairo_array_fini (cairo_array_t *array)
* is always increased by doubling as many times as necessary.
**/
cairo_status_t
-_cairo_array_grow_by (cairo_array_t *array, int additional)
+_cairo_array_grow_by (cairo_array_t *array, unsigned int additional)
{
char *new_elements;
- int old_size = array->size;
- int required_size = array->num_elements + additional;
- int new_size;
+ unsigned int old_size = array->size;
+ unsigned int required_size = array->num_elements + additional;
+ unsigned int new_size;
assert (! array->is_snapshot);
+ /* check for integer overflow */
+ if (required_size > INT_MAX || required_size < array->num_elements)
+ return _cairo_error (CAIRO_STATUS_NO_MEMORY);
+
if (required_size <= old_size)
return CAIRO_STATUS_SUCCESS;
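Review bot: The new guard `if (required_size > INT_MAX || required_size < array->num_elements)` bounds only the element count, so the byte size handed to the allocator further down (outside this hunk, presumably the count multiplied by the element size) and the doubling of `new_size` still need their own overflow checks. With `required_size` allowed up to INT_MAX, a doubling loop can step `new_size` to 2^31, which fits the new `unsigned int` but not any `int` that later receives it. The comment `/* check for integer overflow */` should also say why the limit is INT_MAX rather than UINT_MAX, for example `/* reject wrap-around and keep the count representable as int */`, if that is the intent. The body of `_cairo_array_grow_by` continues past the end of the hunk, so the allocation path could not be checked here.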