From cfff3c3bd04df5257176d9e43add52fc6daba329 Mon Sep 17 00:00:00 2001
From: Chris Wilson
Date: Thu, 3 Apr 2008 17:23:48 +0100
Subject: [cairo-array] Guard against integer overflow whilst growing the array.

Sanity check the arguments to _cairo_array_grow_by() such that the array
size does not overflow, similar to the defensive checking of parameters
to malloc.
---
 src/cairo-array.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

(limited to 'src/cairo-array.c')

diff --git a/src/cairo-array.c b/src/cairo-array.c
index b547b121d..053e73ea2 100644
--- a/src/cairo-array.c
+++ b/src/cairo-array.c
@@ -110,15 +110,19 @@ _cairo_array_fini (cairo_array_t *array)
  * is always increased by doubling as many times as necessary.
  **/
 cairo_status_t
-_cairo_array_grow_by (cairo_array_t *array, int additional)
+_cairo_array_grow_by (cairo_array_t *array, unsigned int additional)
 {
     char *new_elements;
-    int old_size = array->size;
-    int required_size = array->num_elements + additional;
-    int new_size;
+    unsigned int old_size = array->size;
+    unsigned int required_size = array->num_elements + additional;
+    unsigned int new_size;
 
     assert (! array->is_snapshot);
 
+    /* check for integer overflow */
+    if (required_size > INT_MAX || required_size < array->num_elements)
+	return _cairo_error (CAIRO_STATUS_NO_MEMORY);
+
     if (required_size <= old_size)
 	return CAIRO_STATUS_SUCCESS;
 
--
cgit v1.2.1
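Review bot: The guard added before `if (required_size <= old_size)` bounds the element count, but not the byte size that is eventually allocated: the realloc further down in `_cairo_array_grow_by` (outside this hunk) presumably multiplies the doubled `new_size` by the array's per-element size, and that product can still wrap after `required_size` has passed the `INT_MAX` test. A tighter check would cap the count against the element size, e.g. `if (required_size > INT_MAX / array->element_size || required_size < array->num_elements)`, with the field name and its non-zero invariant confirmed against the struct definition, which is not in the hunk. If `array->num_elements` and `array->size` are still declared `int`, the two comparisons now mix signed and unsigned operands silently; `-Wsign-compare` would show whether the promotion changes the result for a negative count. `INT_MAX` also needs `<limits.h>`, and the visible lines do not show it being included. The body of `_cairo_array_grow_by` continues past the end of the hunk.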