vcl/headless/svpgdi.cxx | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
New commits:
commit 81f61fb61e4a1374957e5b42e46edf114fb24b37
Author: Luboš Luňák <l.lu...@collabora.com>
AuthorDate: Mon Dec 6 18:25:55 2021 +0100
Commit: Adolfo Jayme Barrientos <fit...@ubuntu.com>
CommitDate: Tue Dec 7 17:23:57 2021 +0100
fix overflow in cairo downscaled bitmap cache (tdf#137719)
In my system, sizeof(long long) == sizeof(long) == 8, so multiplying
by LONG_MAX overflows long long.
Change-Id: Ieb9613ef05916ef24a64db69f698036ecaf194e2
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/126456
Tested-by: Jenkins
Reviewed-by: Luboš Luňák <l.lu...@collabora.com>
(cherry picked from commit f8ffc971545bb54aaebd227fa841f83660dba99c)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/126439
Reviewed-by: Adolfo Jayme Barrientos <fit...@ubuntu.com>
diff --git a/vcl/headless/svpgdi.cxx b/vcl/headless/svpgdi.cxx
index 35bbcf656605..f155402a0880 100644
--- a/vcl/headless/svpgdi.cxx
+++ b/vcl/headless/svpgdi.cxx
@@ -256,7 +256,7 @@ namespace
{
private:
cairo_surface_t* pSurface;
- std::unordered_map<unsigned long long, cairo_surface_t*> maDownscaled;
+ std::unordered_map<sal_uInt64, cairo_surface_t*> maDownscaled;
SurfaceHelper(const SurfaceHelper&) = delete;
SurfaceHelper& operator=(const SurfaceHelper&) = delete;
@@ -303,7 +303,10 @@ namespace
nH = (1 == nHFactor) ? nTargetHeight : nH * 2;
// check if we have a downscaled version of required size
- const unsigned long long key((nW * LONG_MAX) + nH);
+ // bail out if the multiplication for the key would overflow
+ if( nW >= SAL_MAX_UINT32 || nH >= SAL_MAX_UINT32 )
+ return pSurface;
+ const sal_uInt64 key((nW *
static_cast<sal_uInt64>(SAL_MAX_UINT32)) + nH);
auto isHit(maDownscaled.find(key));
if(isHit != maDownscaled.end())
