image: prevent invalid ptr access for > 4GB images

Image data is often accessed using: image->data + y * image->stride On 64-bit achitectures if the image data is > 4GB, this computation will overflow since both y and stride are 32-bit types. Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=98165 Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
author: Adrian Johnson <ajohnson@redneon.com> 2016-10-20 21:12:30 +1030
committer: Bryce Harrington <bryce@osg.samsung.com> 2017-11-07 17:01:49 -0800
commit: 38fbe621cf80d560cfc27b54b5417b62cda64c8a (patch)
tree: c6fc5177933c3ebb368e7531eb187ba994ae97a4 /src/cairo-mesh-pattern-rasterizer.c
parent: 35fccff6ec393ccca3d3ced79093ca491ce32df4 (diff)
download: cairo-38fbe621cf80d560cfc27b54b5417b62cda64c8a.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/src/cairo-mesh-pattern-rasterizer.c b/src/cairo-mesh-pattern-rasterizer.c
index 1b63ca8a6..e7f0db666 100644
--- a/src/cairo-mesh-pattern-rasterizer.c
+++ b/src/cairo-mesh-pattern-rasterizer.c
@@ -470,7 +470,7 @@ draw_pixel (unsigned char *data, int width, int height, int stride,
 	tg += tg >> 16;
 	tb += tb >> 16;
 
-	*((uint32_t*) (data + y*stride + 4*x)) = ((ta << 16) & 0xff000000) |
+	*((uint32_t*) (data + y*(ptrdiff_t)stride + 4*x)) = ((ta << 16) & 0xff000000) |
 	    ((tr >> 8) & 0xff0000) | ((tg >> 16) & 0xff00) | (tb >> 24);
     }
 }
author	Adrian Johnson <ajohnson@redneon.com>	2016-10-20 21:12:30 +1030
committer	Bryce Harrington <bryce@osg.samsung.com>	2017-11-07 17:01:49 -0800
commit	38fbe621cf80d560cfc27b54b5417b62cda64c8a (patch)
tree	c6fc5177933c3ebb368e7531eb187ba994ae97a4 /src/cairo-mesh-pattern-rasterizer.c
parent	35fccff6ec393ccca3d3ced79093ca491ce32df4 (diff)
download	cairo-38fbe621cf80d560cfc27b54b5417b62cda64c8a.tar.gz