From ebd929685f68572832269e7574802957e966ea7f Mon Sep 17 00:00:00 2001 From: Chris Wilson Date: Thu, 16 Aug 2007 22:10:06 +0100 Subject: [PATCH] Protect pixel allocation from integer overflow. Check the row stride and total image size for potential integer overflows before allocating memory. --- pixman/pixman-image.c | 18 ++++++++++++------ 1 files changed, 12 insertions(+), 6 deletions(-) diff --git a/pixman/pixman-image.c b/pixman/pixman-image.c index 2cbf88c..dfa4430 100644 --- a/pixman/pixman-image.c +++ b/pixman/pixman-image.c @@ -280,18 +280,22 @@ create_bits (pixman_format_code_t format, int height, int *rowstride_bytes) { - int stride; - int buf_size; int bpp; - + int stride; + bpp = PIXMAN_FORMAT_BPP (format); + if ((unsigned) width >= INT32_MAX / (unsigned) bpp || + (unsigned) FB_MASK >= INT32_MAX - (unsigned) (width * bpp)) + return NULL; + stride = ((width * bpp + FB_MASK) >> FB_SHIFT) * sizeof (uint32_t); - buf_size = height * stride; + if ((unsigned) height >= INT32_MAX / (unsigned) stride) + return NULL; if (rowstride_bytes) *rowstride_bytes = stride; - return calloc (buf_size, 1); + return calloc (stride, height); } static void @@ -334,8 +338,10 @@ pixman_image_create_bits (pixman_format_code_t format, image = allocate_image(); - if (!image) + if (!image) { + free (free_me); return NULL; + } image->type = BITS; image->bits.format = format; -- 1.5.2.4
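Review bot: The two new overflow checks in create_bits divide by `(unsigned) bpp` and `(unsigned) stride` without first ruling out a zero divisor. A `width` of 0 passes the first check and, assuming FB_MASK is smaller than `1 << FB_SHIFT` (neither definition is visible in the hunk), yields `stride == 0`, so `INT32_MAX / (unsigned) stride` becomes a division by zero where the old code simply reached `calloc (0, 1)`; a format code whose BPP field is 0 would hit the same problem in the first check. Guarding both divisors keeps the overflow protection without the trap: start the first condition with `bpp == 0 ||` and write the second as `if (stride != 0 && (unsigned) height >= INT32_MAX / (unsigned) stride)`. The start of create_bits, including the `width` parameter, lies outside the hunk.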