
Fix integer overflows in cairo-mempool

Uli Schlachter requested to merge psychon/cairo:mempool-overflow into master

The expression "1 << whatever" has type int, no matter what the type of "whatever" is. Thus, "1 << 31" ends up overflowing an "int" and undefined behaviour occurs.

The above happened in cairo-mempool.c. I saw the following line:

pool->free_bytes += 1 << (bits + pool->min_bits);

being executed with bits=15 and pool->min_bits=16, i.e. we had 1 << 31. This ended up being INT_MIN due to the overflow. This was then promoted to size_t and we ended up with a huge value being added to free_bytes.

This is obviously not the intended behaviour. Thus, this commit replaces the "1" in all left shifts in cairo-mempool.c with "((size_t) 1)".

This fix avoids the integer overflow, but it does not fix issue #510, because some allocation keeps the memory pool alive.

Related-to: #510
Signed-off-by: Uli Schlachter <psychon@znc.in>
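The overflow described above, worked through as an added example (this is illustration code, not cairo's own source, and the helper names `int_shift_is_defined`, `block_size` and `promoted_int_min` are hypothetical). It checks when an int-typed `1 << shift` is still well defined, computes the block size the corrected way with a `size_t`-typed `1`, guards the upper bound of that shift too, and reproduces the "huge value" the author saw by converting `INT_MIN` to `size_t`, which is well defined, instead of executing the undefined shift:

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Number of value bits in size_t (64 on LP64 platforms, 32 on ILP32). */
#define SIZE_T_BITS ((int)(sizeof(size_t) * CHAR_BIT))

/* Returns 1 if "1 << shift" with an int-typed 1 is well defined in C:
 * the shift must be non-negative and strictly below the number of
 * non-sign bits of int (31 on common platforms). 1 << 31 fails this. */
int int_shift_is_defined(int shift)
{
    return shift >= 0 && shift < (int)(sizeof(int) * CHAR_BIT) - 1;
}

/* The corrected form from the merge request: shift a size_t-typed 1.
 * A block size is always a power of two, so 0 is free to signal that
 * the shift would exceed size_t's width (undefined again, just at a
 * higher bound than the int version). Hypothetical helper name. */
size_t block_size(int bits, int min_bits)
{
    int shift = bits + min_bits;
    if (shift < 0 || shift >= SIZE_T_BITS)
        return 0;
    return ((size_t) 1) << shift;
}

/* What the author observed after the overflow: INT_MIN promoted to
 * size_t. Converting a negative int to an unsigned type is defined
 * (modular arithmetic), so this shows the huge value without
 * triggering the undefined shift itself. */
size_t promoted_int_min(void)
{
    return (size_t) INT_MIN;
}

int main(void)
{
    int bits = 15, min_bits = 16;   /* values quoted in the MR description */
    int shift = bits + min_bits;

    printf("int-typed 1 << %d defined: %s\n", shift,
           int_shift_is_defined(shift) ? "yes" : "no");
    printf("size_t block size for shift %d: %zu\n", shift,
           block_size(bits, min_bits));
    printf("INT_MIN promoted to size_t: %zu\n", promoted_int_min());
    return 0;
}
```

On a 64-bit build the first line reports the int shift as undefined, the second prints 2147483648 (the value the pool accounting should have added), and the third prints the value that was actually added to `free_bytes` before the fix.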
