[Pixman] [PATCH] create_bits(): Cast the result of height * stride to size_t

Søren Sandmann soren.sandmann at gmail.com
Wed Apr 9 11:24:03 PDT 2014

In create_bits() both height and stride are ints, so the result is
also an int, which will overflow if height or stride are big enough
and size_t is bigger than int.

This patch simply casts height to size_t to prevent these overflows,
which prevents the crash in:


It's not even close to fixing the full problem of supporting big
images in pixman.

See also

 pixman/pixman-bits-image.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pixman/pixman-bits-image.c b/pixman/pixman-bits-image.c
index f9121a3..dcdcc69 100644
--- a/pixman/pixman-bits-image.c
+++ b/pixman/pixman-bits-image.c
@@ -926,7 +926,7 @@ create_bits (pixman_format_code_t format,
     if (_pixman_multiply_overflows_size (height, stride))
 	return NULL;
-    buf_size = height * stride;
+    buf_size = (size_t)height * stride;
     if (rowstride_bytes)
 	*rowstride_bytes = stride;

More information about the Pixman mailing list