From be9ec0aba4720b4cc77957c5e0e259559dddfbda Mon Sep 17 00:00:00 2001
From: Jim Blandy <jimb@red-bean.com>
Date: Wed, 29 Apr 2026 11:34:35 -0700
r=#gfx-reviewers!
In `_compute_xrender_bitmap_size`, avoid arithmetic overflow in
calculating the size needed for the glyph buffer by: rejecting
unreasonable glyph sizes early, and using 64-bit temporaries to
multiply 32-bit values.
---
src/cairo-ft-font.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/cairo-ft-font.c b/src/cairo-ft-font.c
index d1a4f333904f..02481e8b06ed 100644
--- a/src/cairo-ft-font.c
+++ b/src/cairo-ft-font.c
@@ -1031,6 +1031,11 @@ _compute_xrender_bitmap_size(FT_Bitmap *target,
width = ftbit->width;
height = ftbit->rows;
+
+ /* Reject absurd glyph dimensions to avoid overflow below. */
+ if (width < 0 || width > INT_MAX / 4 || height < 0)
+ return -1;
+
pitch = (width + 3) & ~3;
switch (ftbit->pixel_mode) {
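Review bot: The comment on the new guard does not say why the bound is `INT_MAX / 4`, so a later reader cannot tell which computation it protects. Presumably the switch that follows can set the pitch to four bytes per pixel (its body is outside this hunk); if so, the comment should say it, e.g. `/* pitch may become width * 4 below; keep that and (width + 3) within int. */`. The `width < 0` test also appears to rely on `ftbit->width` having already been narrowed into `width`; if that FreeType field is unsigned in this tree, comparing the field itself (`ftbit->width > INT_MAX / 4`) before the assignment would not depend on the result of the conversion. The function starts above the hunk, so the declarations of `width` and `height` are not visible here.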
@@ -1082,6 +1087,10 @@ _compute_xrender_bitmap_size(FT_Bitmap *target,
target->pitch = pitch;
target->buffer = NULL;
+ /* Reject this size if the multiplication overflows. */
+ if ((cairo_int64_t) pitch * height > INT_MAX)
+ return -1;
+
return pitch * height;
}
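Review bot: The overflow check runs after `target->pitch` and `target->buffer` have been written, so on the new `return -1` path the caller's `FT_Bitmap` already carries the rejected dimensions. Moving `if ((cairo_int64_t) pitch * height > INT_MAX) return -1;` above the `target->` assignments would leave the out-parameter untouched when the size is refused. That matters if any caller reads `target` without testing the return value first (the callers are not visible here). The first assignments to `target` lie above this hunk, so the check has to be placed before them.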
--
2.53.0