| author | Frediano Ziglio <fziglio@redhat.com> | 2015-09-08 10:13:24 +0100 |
|---|---|---|
| committer | Frediano Ziglio <fziglio@redhat.com> | 2015-10-06 11:11:11 +0100 |
| commit | caec52dc77af6ebdac3219a1b10fe2293af21208 (patch) | |
| tree | 64ef207493162a8e6f8d10a1ca235e13efcb71ba /client/glz_decoder_window.cpp | |
| parent | dfaedec7890069b35f513e4a8ab4071ca54259ff (diff) | |
Fix integer overflow computing glyph_size in red_get_string

If bpp is int the formula can lead to weird overflows. width and height
are uint16_t so the formula is:

    size_t = u16 * (u16 * int + const_int) / const_int;

so it becomes

    size_t = (int) u16 * ((int) u16 * int + const_int) / const_int;

However the (int) u16 * (int) u16 can then become negative due to overflow.
Under 64 bit architectures size_t is 64 and int usually 32 so converting
this negative 32 bit number to an unsigned 64 bit leads to a very big
number as the sign is extended and then converted to unsigned.
Using unsigned arithmetic prevents extending the sign.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
Diffstat (limited to 'client/glz_decoder_window.cpp')
0 files changed, 0 insertions, 0 deletions
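
The sign extension described in the commit message, as an added example that is not code from the SPICE tree or from the commit. The function names, the constants 7 and 8, and the sample dimensions are assumptions chosen to match the shape of the formula in the message; the 32-bit wrap is emulated with defined arithmetic because real signed overflow is undefined behaviour in C.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Signed shape: both u16 operands promote to int, so the product is a
 * 32-bit signed value. The two's-complement wrap is emulated here so the
 * example itself contains no undefined behaviour. Names and the constants
 * 7 and 8 are assumptions, not taken from the patched source. */
static size_t glyph_size_signed(uint16_t width, uint16_t height, int bpp)
{
    uint32_t wrapped = (uint32_t)height * ((uint32_t)width * (uint32_t)bpp + 7u);
    int64_t as_int = wrapped;
    if (as_int > INT32_MAX)
        as_int -= INT64_C(4294967296);  /* value a wrapping 32-bit int holds */
    return (size_t)(as_int / 8);        /* sign extended, then made unsigned */
}

/* Unsigned shape: an unsigned bpp and unsigned constants pull the whole
 * expression into unsigned int, so widening to size_t zero-extends. */
static size_t glyph_size_unsigned(uint16_t width, uint16_t height, unsigned bpp)
{
    return height * (width * bpp + 7u) / 8u;
}

int main(void)
{
    /* Constructed input: the product lies between 2^31 and 2^32. */
    uint16_t width = 0x8000, height = 0xFFFF;

    printf("signed:   %zu\n", glyph_size_signed(width, height, 1));
    printf("unsigned: %zu\n", glyph_size_unsigned(width, height, 1));
    return 0;
}
```

Unsigned 32-bit arithmetic can still wrap for larger products; it removes the sign extension into size_t, so a bounds check on the resulting size is still needed where the value sizes a buffer or read.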
