From f26d9e8cce76c06c31dc56a5cd3864f208fc97bf Mon Sep 17 00:00:00 2001
From: Andy Leiserson <aleiserson@mozilla.com>
Date: Tue, 28 Apr 2026 00:21:30 +0000
Subject: [PATCH] Bug 2027883 - Fix integer overflow in cairo PDF surface image
emission r=gfx-reviewers,bradwerth
---
src/cairo-pdf-surface.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/src/cairo-pdf-surface.c b/src/cairo-pdf-surface.c
index 3e734c759570..c63577289c9f 100644
--- a/src/cairo-pdf-surface.c
+++ b/src/cairo-pdf-surface.c
@@ -3085,7 +3085,8 @@ _cairo_pdf_surface_emit_smask (cairo_pdf_surface_t *surface,
unsigned long alpha_size;
uint32_t *pixel32;
uint8_t *pixel8;
- int i, x, y, bit, a;
+ unsigned long i;
+ int x, y, bit, a;
cairo_image_transparency_t transparency;
/* This is the only image format we support, which simplifies things. */
@@ -3103,10 +3104,10 @@ _cairo_pdf_surface_emit_smask (cairo_pdf_surface_t *surface,
}
if (transparency == CAIRO_IMAGE_HAS_BILEVEL_ALPHA || transparency == CAIRO_IMAGE_IS_OPAQUE) {
- alpha_size = (image->width + 7) / 8 * image->height;
+ alpha_size = (unsigned long) ((image->width + 7) / 8) * image->height;
alpha = _cairo_malloc_ab ((image->width+7) / 8, image->height);
} else {
- alpha_size = image->height * image->width;
+ alpha_size = (unsigned long) image->height * image->width;
alpha = _cairo_malloc_ab (image->height, image->width);
}
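Review bot: In the bilevel/opaque branch the cast is applied to the result of `(image->width + 7) / 8`, so the `image->width + 7` addition is still evaluated in the type of `image->width` (presumably `int`) and can itself overflow for widths within 7 of `INT_MAX` before any widening happens. Casting the operand instead, `alpha_size = ((unsigned long) image->width + 7) / 8 * image->height;`, keeps the whole expression unsigned; the same applies to the `CAIRO_IMAGE_IS_MONOCHROME` case in the `_cairo_pdf_surface_emit_image` hunk. The `_cairo_malloc_ab ((image->width+7) / 8, image->height)` argument on the following line contains the same addition and is not touched by the patch. If image dimensions are bounded elsewhere so that this cannot occur, a short comment naming that bound would help the next reader. The function body continues outside the hunk.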
@@ -3221,7 +3222,8 @@ _cairo_pdf_surface_emit_image (cairo_pdf_surface_t *surface,
char *data;
unsigned long data_size;
uint32_t *pixel;
- int i, x, y, bit;
+ unsigned long i;
+ int x, y, bit;
cairo_pdf_resource_t smask = {0}; /* squelch bogus compiler warning */
cairo_bool_t need_smask;
cairo_image_color_t color;
@@ -3269,16 +3271,16 @@ _cairo_pdf_surface_emit_image (cairo_pdf_surface_t *surface,
case CAIRO_IMAGE_UNKNOWN_COLOR:
ASSERT_NOT_REACHED;
case CAIRO_IMAGE_IS_COLOR:
- data_size = image->height * image->width * 3;
+ data_size = (unsigned long) image->height * image->width * 3;
data = _cairo_malloc_abc (image->width, image->height, 3);
break;
case CAIRO_IMAGE_IS_GRAYSCALE:
- data_size = image->height * image->width;
+ data_size = (unsigned long) image->height * image->width;
data = _cairo_malloc_ab (image->width, image->height);
break;
case CAIRO_IMAGE_IS_MONOCHROME:
- data_size = (image->width + 7) / 8 * image->height;
+ data_size = (unsigned long) ((image->width + 7) / 8) * image->height;
data = _cairo_malloc_ab ((image->width+7) / 8, image->height);
break;
}
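Review bot: The `(unsigned long)` casts widen the multiplication only where `unsigned long` is 64 bits; on LLP64 targets such as 64-bit Windows it is 32 bits, so `(unsigned long) image->height * image->width * 3` trades signed-overflow undefined behaviour for a silent wrap modulo 2^32 rather than yielding the true size. `data_size` is still computed before `data` is checked, so on those targets correctness appears to rest on `_cairo_malloc_abc`/`_cairo_malloc_ab` rejecting oversized products and on the code after the switch bailing out before `data_size` is used; that check lies outside the hunk and should be confirmed. A comment on the computation such as `/* may wrap where long is 32-bit; only meaningful once the allocation below has succeeded */` would record the dependency, or the product could be computed in `uint64_t` and range-checked before it is narrowed. The same applies to `alpha_size` in the `_cairo_pdf_surface_emit_smask` hunk.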
--
2.53.0