diff options
| author | Adrian Johnson <ajohnson@redneon.com> | 2016-10-20 21:12:30 +1030 |
|---|---|---|
| committer | Bryce Harrington <bryce@osg.samsung.com> | 2017-11-07 17:01:49 -0800 |
| commit | 38fbe621cf80d560cfc27b54b5417b62cda64c8a (patch) | |
| tree | c6fc5177933c3ebb368e7531eb187ba994ae97a4 /src/cairo-png.c | |
| parent | 35fccff6ec393ccca3d3ced79093ca491ce32df4 (diff) | |
| download | cairo-38fbe621cf80d560cfc27b54b5417b62cda64c8a.tar.gz | |
image: prevent invalid ptr access for > 4GB images
Image data is often accessed using:
image->data + y * image->stride
On 64-bit achitectures if the image data is > 4GB, this computation
will overflow since both y and stride are 32-bit types.
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=98165
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
Diffstat (limited to 'src/cairo-png.c')
| -rw-r--r-- | src/cairo-png.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/cairo-png.c b/src/cairo-png.c index eab2537bc..5ea49f097 100644 --- a/src/cairo-png.c +++ b/src/cairo-png.c @@ -678,7 +678,7 @@ read_png (struct png_read_closure_t *png_closure) } for (i = 0; i < png_height; i++) - row_pointers[i] = &data[i * stride]; + row_pointers[i] = &data[i * (ptrdiff_t)stride]; png_read_image (png, row_pointers); png_read_end (png, info); |