authorSøren Sandmann Pedersen <sandmann@annarchy.freedesktop.org>2007-07-02 08:33:29 -0700
committerSøren Sandmann Pedersen <sandmann@annarchy.freedesktop.org>2007-07-02 08:33:29 -0700
commitef967be630dd8d0bf81ad5889d6264bebe7631d4 (patch)
treebd13259091acc26ed8563790f04982f509351a62 /src/cairo-glitz-surface.c
parent0c42dbb1925efb8228fb5246e0715bee0a5ded28 (diff)
parent5c7d2d14d78e4dfb1ef6d2c40f0910f177e07360 (diff)
Merge branch 'master' of git+ssh://sandmann@git.freedesktop.org/git/cairo
Conflicts: pixman/src/fbcompose.c pixman/src/icimage.c pixman/src/pixmanint.h pixman/src/pixregionint.h src/cairo-clip.c
Diffstat (limited to 'src/cairo-glitz-surface.c')
-rw-r--r--src/cairo-glitz-surface.c34
1 files changed, 29 insertions, 5 deletions
diff --git a/src/cairo-glitz-surface.c b/src/cairo-glitz-surface.c
index 573ee818..71351803 100644
--- a/src/cairo-glitz-surface.c
+++ b/src/cairo-glitz-surface.c
@@ -238,7 +238,7 @@ _cairo_glitz_surface_get_image (cairo_glitz_surface_t *surface,
pf.bytes_per_line = (((width * masks.bpp) / 8) + 3) & -4;
pf.scanline_order = GLITZ_PIXEL_SCANLINE_ORDER_TOP_DOWN;
- pixels = malloc (height * pf.bytes_per_line);
+ pixels = _cairo_malloc_ab (height, pf.bytes_per_line);
if (!pixels)
return CAIRO_STATUS_NO_MEMORY;
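Review bot: The `width * masks.bpp` product on the context line that computes `pf.bytes_per_line` is still unchecked, so the value handed to `_cairo_malloc_ab` may already have wrapped; the new call only guards `height * pf.bytes_per_line`. If `width` and `masks.bpp` are plain ints that can be influenced by a caller (their declarations are not visible here), a guard before that line such as `if (masks.bpp <= 0 || width > INT32_MAX / masks.bpp) return CAIRO_STATUS_NO_MEMORY;` would close the gap. Without it, a wrapped stride yields an undersized `pixels` buffer, and whatever fills it afterwards would write past its end. The function body starts and ends outside this hunk.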
@@ -691,8 +691,22 @@ _cairo_glitz_pattern_acquire_surface (cairo_pattern_t *pattern,
n_params = gradient->n_stops * 3 + n_base_params;
- data = malloc (sizeof (glitz_fixed16_16_t) * n_params +
- sizeof (unsigned int) * gradient->n_stops);
+ /* check for int overflow */
+ {
+ int size1, size2;
+ if (n_params >= INT32_MAX / sizeof (glitz_fixed16_16_t) ||
+ gradient->n_stops >= INT32_MAX / sizeof (unsigned int))
+ return CAIRO_STATUS_NO_MEMORY;
+
+ size1 = n_params * sizeof (glitz_fixed16_16_t);
+ size2 = gradient->n_stops * sizeof (unsigned int);
+
+ if (size1 >= INT32_MAX - size2)
+ return CAIRO_STATUS_NO_MEMORY;
+
+ data = malloc (size1 + size2);
+ }
+
if (!data)
return CAIRO_STATUS_NO_MEMORY;
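Review bot: `size1` and `size2` are declared `int` but are assigned `size_t` products and compared against `INT32_MAX / sizeof (...)`, so every check mixes signed and unsigned operands and relies on implicit conversion to reject a negative `n_params` or `gradient->n_stops`. Declaring them `size_t size1, size2;` would make the arithmetic match what `malloc` takes and remove the silent narrowing; the same applies to the block added in the `_cairo_glitz_surface_old_show_glyphs` hunk. Since the two sites differ only in element sizes, a small helper in the style of `_cairo_malloc_ab` would keep the overflow logic in one place. The enclosing function extends outside the hunk, so whether the new early `return` skips any cleanup cannot be confirmed from here.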
@@ -2056,9 +2070,19 @@ _cairo_glitz_surface_old_show_glyphs (cairo_scaled_font_t *scaled_font,
if (num_glyphs > N_STACK_BUF)
{
char *data;
+ int size1, size2;
+
+ if (num_glyphs >= INT32_MAX / sizeof(void*) ||
+ num_glyphs >= INT32_MAX / sizeof(glitz_float_t) ||
+ (num_glyphs * sizeof(glitz_float_t)) >= INT32_MAX / 16)
+ goto FAIL1;
+
+ size1 = num_glyphs * sizeof(void *);
+ size2 = num_glyphs * sizeof(glitz_float_t) * 16;
+ if (size1 >= INT32_MAX - size2)
+ goto FAIL1;
- data = malloc (num_glyphs * sizeof (void *) +
- num_glyphs * sizeof (glitz_float_t) * 16);
+ data = malloc (size1 + size2);
if (!data)
goto FAIL1;
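Review bot: This guard has no comment, unlike the matching block in `_cairo_glitz_pattern_acquire_surface`, and the literal `16` appears in both the third check and the `size2` computation without saying what it counts. I would add `/* check for int overflow: size1 + size2 must fit in an int */` above the first `if`, plus a short remark on what the 16 `glitz_float_t` values per glyph are. It is also worth a line noting that the second check exists to keep the multiplication inside the third check from wrapping, since it otherwise looks redundant. The `if (num_glyphs > N_STACK_BUF)` block continues past the end of the hunk.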