[Libreoffice-commits] core.git: Branch 'libreoffice-7-3' - vcl/headless

Mon, 06 Dec 2021 23:20:02 -0800 

 vcl/headless/svpgdi.cxx |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

New commits:
commit a48b95e57f4f7c71664cb97942d5f7f284a94cef
Author:     Luboš Luňák <l.lu...@collabora.com>
AuthorDate: Mon Dec 6 18:25:55 2021 +0100
Commit:     Luboš Luňák <l.lu...@collabora.com>
CommitDate: Tue Dec 7 08:19:22 2021 +0100

    fix overflow in cairo downscaled bitmap cache (tdf#137719)
    
    In my system, sizeof(long long) == sizeof(long) == 8, so multiplying
    by LONG_MAX overflows long long.
    
    Change-Id: Ieb9613ef05916ef24a64db69f698036ecaf194e2
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/126456
    Tested-by: Jenkins
    Reviewed-by: Luboš Luňák <l.lu...@collabora.com>
    (cherry picked from commit f8ffc971545bb54aaebd227fa841f83660dba99c)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/126438

diff --git a/vcl/headless/svpgdi.cxx b/vcl/headless/svpgdi.cxx
index 316349088e9e..ac375c3fadf0 100644
--- a/vcl/headless/svpgdi.cxx
+++ b/vcl/headless/svpgdi.cxx
@@ -255,7 +255,7 @@ namespace
     {
     private:
         cairo_surface_t* pSurface;
-        std::unordered_map<unsigned long long, cairo_surface_t*> maDownscaled;
+        std::unordered_map<sal_uInt64, cairo_surface_t*> maDownscaled;
 
         SurfaceHelper(const SurfaceHelper&) = delete;
         SurfaceHelper& operator=(const SurfaceHelper&) = delete;
@@ -302,7 +302,10 @@ namespace
             nH  = (1 == nHFactor) ? nTargetHeight : nH * 2;
 
             // check if we have a downscaled version of required size
-            const unsigned long long key((nW * LONG_MAX) + nH);
+            // bail out if the multiplication for the key would overflow
+            if( nW >= SAL_MAX_UINT32 || nH >= SAL_MAX_UINT32 )
+                return pSurface;
+            const sal_uInt64 key((nW * 
static_cast<sal_uInt64>(SAL_MAX_UINT32)) + nH);
             auto isHit(maDownscaled.find(key));
 
             if(isHit != maDownscaled.end())

Reply via email to