author | Chris Wilson <chris@chris-wilson.co.uk> | 2008-04-03 17:23:48 +0100 |
---|---|---|
committer | Chris Wilson <chris@chris-wilson.co.uk> | 2008-04-03 17:36:50 +0100 |
commit | cfff3c3bd04df5257176d9e43add52fc6daba329 (patch) | |
tree | 7580d07cc5fa4266ee0707a0d8af206de92d1d6d /src/cairo-array.c | |
parent | 6101dc3e93b20294c75734d7f29e55694ed58e74 (diff) |
[cairo-array] Guard against integer overflow whilst growing the array.
Sanity check the arguments to _cairo_array_grow_by() such that the
array size does not overflow, similar to the defensive checking of
parameters to malloc.
Diffstat (limited to 'src/cairo-array.c')
-rw-r--r-- | src/cairo-array.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/src/cairo-array.c b/src/cairo-array.c
index b547b121..053e73ea 100644
--- a/src/cairo-array.c
+++ b/src/cairo-array.c
@@ -110,15 +110,19 @@ _cairo_array_fini (cairo_array_t *array)
 * is always increased by doubling as many times as necessary.
 **/
 cairo_status_t
-_cairo_array_grow_by (cairo_array_t *array, int additional)
+_cairo_array_grow_by (cairo_array_t *array, unsigned int additional)
 {
 char *new_elements;
- int old_size = array->size;
- int required_size = array->num_elements + additional;
- int new_size;
+ unsigned int old_size = array->size;
+ unsigned int required_size = array->num_elements + additional;
+ unsigned int new_size;
 assert (! array->is_snapshot);
+ /* check for integer overflow */
+ if (required_size > INT_MAX || required_size < array->num_elements)
+ return _cairo_error (CAIRO_STATUS_NO_MEMORY);
+
 if (required_size <= old_size)
 return CAIRO_STATUS_SUCCESS;
|
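Review bot: The added guard bounds `required_size`, but the value that sizes the allocation is `new_size`, which the header comment says is reached by repeated doubling and which is computed after the end of this hunk. With `required_size` just under `INT_MAX`, doubling can land on 2^31, above the limit this check enforces, and if `array->size` is still a signed `int` (not visible here) storing that value back would be out of range. It is worth confirming that the doubling loop and the element-size multiplication in the allocation call are overflow-checked, or adding `if (new_size > INT_MAX) return _cairo_error (CAIRO_STATUS_NO_MEMORY);` after the loop. The doc comment above the function should also state that it now returns `CAIRO_STATUS_NO_MEMORY` when the requested growth would overflow. The body of `_cairo_array_grow_by` continues outside the hunk.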