From 4fddb35e247a2d81b9b78ca3543b97da9e9fce45 Mon Sep 17 00:00:00 2001
From: Robin Watts
Date: Mon, 11 Jun 2012 11:49:31 -0700
Subject: Fix Bug 693102: Overflows in large pixmap indexing.
When we allocate a pixmap > 2G, but < 4G, the index into that pixmap, when calculated as an int can be negative. Fix this with various casts to unsigned int. If we ever move to support >4G images we'll need to rejig the casting to cast each part of the element to ptrdiff_t first.
---
draw/draw_affine.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'draw/draw_affine.c')
diff --git a/draw/draw_affine.c b/draw/draw_affine.c
index 52b8a847..67dbd37d 100644
--- a/draw/draw_affine.c
+++ b/draw/draw_affine.c
@@ -674,7 +674,7 @@ fz_paint_image_imp(fz_pixmap *dst, fz_bbox scissor, fz_pixmap *shape, fz_pixmap
 v -= 32768;
 }
- dp = dst->samples + ((y - dst->y) * dst->w + (x - dst->x)) * dst->n;
+ dp = dst->samples + (unsigned int)(((y - dst->y) * dst->w + (x - dst->x)) * dst->n);
 n = dst->n;
 sp = img->samples;
 sw = img->w;
@@ -682,7 +682,7 @@ fz_paint_image_imp(fz_pixmap *dst, fz_bbox scissor, fz_pixmap *shape, fz_pixmap
 if (shape)
 {
 hw = shape->w;
- hp = shape->samples + ((y - shape->y) * hw) + x - shape->x;
+ hp = shape->samples + (unsigned int)(((y - shape->y) * hw) + x - shape->x);
 }
 else
 {
--
cgit v1.2.3
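Review bot: The index on the new `dp =` line is still multiplied and added in `int` (going by the commit message, which says it is "calculated as an int"), so for a pixmap over 2G the signed overflow happens before the `(unsigned int)` cast is applied. Signed overflow is undefined behaviour, so the cast only reinterprets a result the compiler was never obliged to wrap. On 64-bit builds, widening the first operand keeps the arithmetic well defined and also removes the 4G ceiling the message mentions: `dp = dst->samples + ((ptrdiff_t)(y - dst->y) * dst->w + (x - dst->x)) * dst->n;`. The `hp =` line in the second hunk has the same pattern and would take the same change. fz_paint_image_imp starts and ends outside both hunks.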
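Review bot: The `(unsigned int)` cast on the new `hp =` line relies on `(y - shape->y) * hw + x - shape->x` never being legitimately negative, and nothing in the hunk states or checks that. If (x, y) could ever lie above or to the left of the shape pixmap, the offset now lands just under 4G past `shape->samples` instead of slightly before it. The scissor may well be clipped against the shape earlier in fz_paint_image_imp, outside the hunk. Once that is confirmed, a comment on the line would record the precondition and the reason for the cast, for example `/* offset is non-negative here; unsigned so 2G..4G pixmaps do not index negatively (Bug 693102) */`. The same applies to `dp` in the first hunk.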