-rw-r--r-- | src/cairo-array.c | 12 | ||||
-rw-r--r-- | src/cairoint.h | 2 |
2 files changed, 9 insertions, 5 deletions
diff --git a/src/cairo-array.c b/src/cairo-array.c
index b547b121..053e73ea 100644
--- a/src/cairo-array.c
+++ b/src/cairo-array.c
@@ -110,15 +110,19 @@ _cairo_array_fini (cairo_array_t *array)
 * is always increased by doubling as many times as necessary.
 **/
 cairo_status_t
-_cairo_array_grow_by (cairo_array_t *array, int additional)
+_cairo_array_grow_by (cairo_array_t *array, unsigned int additional)
 {
 char *new_elements;
- int old_size = array->size;
- int required_size = array->num_elements + additional;
- int new_size;
+ unsigned int old_size = array->size;
+ unsigned int required_size = array->num_elements + additional;
+ unsigned int new_size;
 assert (! array->is_snapshot);
+ /* check for integer overflow */
+ if (required_size > INT_MAX || required_size < array->num_elements)
+ return _cairo_error (CAIRO_STATUS_NO_MEMORY);
+
 if (required_size <= old_size)
 return CAIRO_STATUS_SUCCESS;
diff --git a/src/cairoint.h b/src/cairoint.h
index 6a89d715..01ad5675 100644
--- a/src/cairoint.h
+++ b/src/cairoint.h
@@ -231,7 +231,7 @@ cairo_private void
 _cairo_array_fini (cairo_array_t *array);
 cairo_private cairo_status_t
-_cairo_array_grow_by (cairo_array_t *array, int additional);
+_cairo_array_grow_by (cairo_array_t *array, unsigned int additional);
 cairo_private void
 _cairo_array_truncate (cairo_array_t *array, unsigned int num_elements);
|
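Review bot: The new guard in `_cairo_array_grow_by` bounds the element count (`required_size`) but not the byte count, so the overflow is only closed if the allocation further down also checks the multiplication by the element size; that part of the function is outside this hunk. With `required_size` capped at `INT_MAX`, the doubling described in the doc comment stays within `unsigned int`, but `new_size * array->element_size` could still wrap on a 32-bit `size_t` and produce a buffer smaller than the array believes it has. If the realloc call is not already overflow-checked, a guard before it such as `if (array->element_size != 0 && new_size > SIZE_MAX / array->element_size) return _cairo_error (CAIRO_STATUS_NO_MEMORY);` would cover that case. The comment could also state what the two conditions reject, e.g. `/* reject wrap-around of the unsigned sum and counts above INT_MAX */`, and it is worth confirming that `<limits.h>` is in scope for `INT_MAX` in this file.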