diff options
author | Luboš Luňák <l.lunak@collabora.com> | 2021-12-06 18:25:55 +0100 |
---|---|---|
committer | Michael Meeks <michael.meeks@collabora.com> | 2021-12-07 11:37:47 +0100 |
commit | 4f2b055d2ba7f5260f6417af5f6cadb027d178b9 (patch) | |
tree | 97cd5d09102673b204251fe8d189875e60e6b691 /vcl | |
parent | 0579e4dd91e7fd2e0574e3919b921e930642f8dd (diff) |
fix overflow in cairo downscaled bitmap cache (tdf#137719)
In my system, sizeof(long long) == sizeof(long) == 8, so multiplying
by LONG_MAX overflows long long.
Change-Id: Ieb9613ef05916ef24a64db69f698036ecaf194e2
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/126433
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
Diffstat (limited to 'vcl')
-rw-r--r-- | vcl/headless/svpgdi.cxx | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/vcl/headless/svpgdi.cxx b/vcl/headless/svpgdi.cxx index 3db871c29da4..56010ff7ca14 100644 --- a/vcl/headless/svpgdi.cxx +++ b/vcl/headless/svpgdi.cxx @@ -258,7 +258,7 @@ namespace { private: cairo_surface_t* pSurface; - std::unordered_map<unsigned long long, cairo_surface_t*> maDownscaled; + std::unordered_map<sal_uInt64, cairo_surface_t*> maDownscaled; SurfaceHelper(const SurfaceHelper&) = delete; SurfaceHelper& operator=(const SurfaceHelper&) = delete; @@ -305,7 +305,10 @@ namespace nH = (1 == nHFactor) ? nTargetHeight : nH * 2; // check if we have a downscaled version of required size - const unsigned long long key((nW * LONG_MAX) + nH); + // bail out if the multiplication for the key would overflow + if( nW >= SAL_MAX_UINT32 || nH >= SAL_MAX_UINT32 ) + return pSurface; + const sal_uInt64 key((nW * static_cast<sal_uInt64>(SAL_MAX_UINT32)) + nH); auto isHit(maDownscaled.find(key)); if(isHit != maDownscaled.end()) |