In create_bits() both height and stride are ints, so the result is also an int, which will overflow if height or stride are big enough and size_t is bigger than int.
This patch simply casts height to size_t to prevent these overflows, which prevents the crash in: https://bugzilla.redhat.com/show_bug.cgi?id=972647 It's not even close to fixing the full problem of supporting big images in pixman. See also https://bugs.freedesktop.org/show_bug.cgi?id=69014 --- pixman/pixman-bits-image.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pixman/pixman-bits-image.c b/pixman/pixman-bits-image.c index f9121a3..dcdcc69 100644 --- a/pixman/pixman-bits-image.c +++ b/pixman/pixman-bits-image.c @@ -926,7 +926,7 @@ create_bits (pixman_format_code_t format, if (_pixman_multiply_overflows_size (height, stride)) return NULL; - buf_size = height * stride; + buf_size = (size_t)height * stride; if (rowstride_bytes) *rowstride_bytes = stride; -- 1.8.3.1 _______________________________________________ Pixman mailing list Pixman@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/pixman
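Review bot: on the `buf_size = (size_t)height * stride;` line only `height` is cast, so `stride` is converted to size_t implicitly, and because both are ints (per the commit message) a negative value in either operand would turn into a very large unsigned size rather than being rejected. The hunk does not show whether negative `height` or `stride` is ruled out before this point, or what parameter types `_pixman_multiply_overflows_size (height, stride)` takes, so it is worth confirming that the check and the multiplication see the same converted values. Consider casting both operands explicitly, or adding a short comment on this line saying that the cast is what forces the multiplication to be done in size_t, so a later cleanup does not drop it as redundant.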