Rowstride integer overflow, a wrong idiom
Submitted by Alessandro Vesely
Assigned to Oded Gabbay
Description
Created attachment 126795 patch of pixman-fast-path.c
It is wrong to compute offsets like so:
int rowstride = something;
char *buffer = base_ptr + y*rowstride + x*4;
That idiom fails on 64-bit architectures where integers are 32 bits. Consider a not-so-uncommon A0 poster at 600 dpi. It results in a 19860x28080 image. While width and height are 16-bit numbers, their product multiplied by a bpp of 4 results in a negative integer.
A better choice than int would be ptrdiff_t (POSIX ssize_t wouldn't work on x86-16, according to http://stackoverflow.com/questions/8649018/what-is-the-difference-between-ssize-t-and-ptrdiff-t)
The attached patch uses (long) wildly. I'd suggest defining a one-liner inline function using a well-thought-out cast, which can always be tweaked for specific architectures, should problems arise.
Ale
Patch 126795, "patch of pixman-fast-path.c":
file_97938.txt
Version: git master
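The arithmetic behind the report, as an added stand-alone example (not the attached patch and not pixman code): the int idiom, the widened ptrdiff_t idiom, and a checked helper that guards every multiplication before it runs. The geometry constants and the function names (offset_int, offset_ptrdiff, checked_pixel_offset) are hypothetical; the rowstride is taken in bytes, as in the report's snippet, and the 32-bit wraparound is modelled with unsigned arithmetic because signed overflow in C is undefined behaviour rather than a guaranteed negative number.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical image geometry: the A0-at-600-dpi poster from the report. */
#define POSTER_WIDTH  19860
#define POSTER_HEIGHT 28080
#define POSTER_BPP    4

/* The wrong idiom: y*rowstride + x*bpp evaluated in int.  Signed overflow is
 * undefined behaviour in C, so the 32-bit wraparound is modelled here with
 * uint32_t and converted back, which is what a two's-complement target does. */
static int32_t offset_int(int x, int y, int rowstride, int bpp)
{
    uint32_t v = (uint32_t)y * (uint32_t)rowstride + (uint32_t)x * (uint32_t)bpp;
    return (int32_t)v;
}

/* Widen before multiplying: correct where ptrdiff_t is 64-bit (LP64/LLP64),
 * but still overflows on a 32-bit target for this image size. */
static ptrdiff_t offset_ptrdiff(int x, int y, int rowstride, int bpp)
{
    return (ptrdiff_t)y * rowstride + (ptrdiff_t)x * bpp;
}

/* Checked version: returns the byte offset of pixel (x, y) or -1 if the
 * coordinates are out of range or the offset cannot be represented in
 * ptrdiff_t on this target.  Every multiplication is guarded beforehand. */
static ptrdiff_t checked_pixel_offset(int x, int y, int width, int height, int bpp)
{
    if (x < 0 || y < 0 || bpp <= 0 || x >= width || y >= height)
        return -1;                                   /* also implies width, height > 0 */
    if (width > PTRDIFF_MAX / bpp)
        return -1;                                   /* rowstride itself would overflow */
    ptrdiff_t rowstride = (ptrdiff_t)width * bpp;
    if (y > PTRDIFF_MAX / rowstride)
        return -1;                                   /* y * rowstride would overflow */
    ptrdiff_t row = (ptrdiff_t)y * rowstride;
    ptrdiff_t col = (ptrdiff_t)x * bpp;              /* < rowstride, cannot overflow */
    if (row > PTRDIFF_MAX - col)
        return -1;
    return row + col;
}

int main(void)
{
    int rowstride = POSTER_WIDTH * POSTER_BPP;       /* 79440, fits in int */
    int x = POSTER_WIDTH - 1, y = POSTER_HEIGHT - 1; /* last pixel of the poster */

    printf("int      : %d\n", (int)offset_int(x, y, rowstride, POSTER_BPP));
    printf("ptrdiff_t: %lld\n", (long long)offset_ptrdiff(x, y, rowstride, POSTER_BPP));
    printf("checked  : %lld\n",
           (long long)checked_pixel_offset(x, y, POSTER_WIDTH, POSTER_HEIGHT, POSTER_BPP));
    return 0;
}
```

For the last pixel the int result is -2064292100, so base_ptr + offset lands about 2 GB before the buffer instead of 2.2 GB into it; the widened form gives 2230675196 on a 64-bit target. The checked helper refuses the same coordinates on a 32-bit target, which a bare ptrdiff_t cast would not.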