From ed5fc07f4ec71e1ab2d7e8891d1f2a3824840d7b Mon Sep 17 00:00:00 2001
From: Owen Taylor <otaylor@redhat.com>
Date: Sun, 3 Mar 2002 02:35:25 +0000
Subject: [PATCH] Bullet-proof against integer overflow.

Sat Mar  2 21:28:03 2002  Owen Taylor  <otaylor@redhat.com>

        * gdk-pixbuf.c (gdk_pixbuf_new): Bullet-proof against integer
        overflow.
---
 gdk-pixbuf/ChangeLog    | 11 ++++++++---
 gdk-pixbuf/gdk-pixbuf.c | 17 ++++++++++++++---
 2 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/gdk-pixbuf/ChangeLog b/gdk-pixbuf/ChangeLog
index 84cf318780..3f11592e86 100644
--- a/gdk-pixbuf/ChangeLog
+++ b/gdk-pixbuf/ChangeLog
@@ -1,3 +1,8 @@
+Sat Mar  2 21:28:03 2002  Owen Taylor  <otaylor@redhat.com>
+
+	* gdk-pixbuf.c (gdk_pixbuf_new): Bullet-proof against integer
+	overflow.
+
 2002-03-03  Tor Lillqvist  <tml@iki.fi>
 
 	* gtk-pixbuf.rc.in: Remove.
@@ -18,7 +23,7 @@ Wed Feb 27 18:33:04 2002  Owen Taylor  <otaylor@redhat.com>
 
 	* gdk-pixdata.c (gdk_pixdata_to_csource): Use {} not
 	() to group around string assigned to char[]. (#72767,
-	Tomas Ögren)
+	Tomas Ãgren)
 
 2002-02-21  Havoc Pennington  <hp@pobox.com>
 
@@ -1240,7 +1245,7 @@ Wed Jun 21 16:02:48 2000  Owen Taylor  <otaylor@redhat.com>
 2000-06-05	Mathieu Lacage  <mathieu@gnome.org>
 
 	* configure.in: add some gtk parameters to the
-	GDK_PIXBUF_LIB²S and GDK_PIXBUG_INCLUDEDIR vars. One more
+	GDK_PIXBUF_LIBÂ²S and GDK_PIXBUG_INCLUDEDIR vars. One more
 	fight in my crusade for strange prefix compile...
 
 2000-05-30  Not Zed  <NotZed@HelixCode.com>
@@ -1337,7 +1342,7 @@ Fri May  5 12:16:32 2000  Owen Taylor  <otaylor@redhat.com>
 	* gdk-pixbuf/Makefile.am (INCLUDES): Add $(GNOME_CFLAGS).
 	Reported by Jens Finke.
 
-2000-04-14 Tomasz K³opczko <kloczek@pld.org.pl>
+2000-04-14 Tomasz KÂ³opczko <kloczek@pld.org.pl>
 
 	* gdk-pixbuf/pixops/makefile.am: $(LIBART_CFLAGS) replaced by 
 	$(GTK_CFLAGS) - now gdk-pixbuf compiles correctly.
diff --git a/gdk-pixbuf/gdk-pixbuf.c b/gdk-pixbuf/gdk-pixbuf.c
index 93c4c6db2c..995fe4d915 100644
--- a/gdk-pixbuf/gdk-pixbuf.c
+++ b/gdk-pixbuf/gdk-pixbuf.c
@@ -144,18 +144,29 @@ gdk_pixbuf_new (GdkColorspace colorspace, gboolean has_alpha, int bits_per_sampl
 	guchar *buf;
 	int channels;
 	int rowstride;
+        gsize bytes;
 
 	g_return_val_if_fail (colorspace == GDK_COLORSPACE_RGB, NULL);
 	g_return_val_if_fail (bits_per_sample == 8, NULL);
 	g_return_val_if_fail (width > 0, NULL);
 	g_return_val_if_fail (height > 0, NULL);
 
-	/* Always align rows to 32-bit boundaries */
+        if (width <= 0 || height <= 0)
+                return NULL;
 
 	channels = has_alpha ? 4 : 3;
-	rowstride = 4 * ((channels * width + 3) / 4);
+        rowstride = width * channels;
+        if (rowstride / channels != width || rowstride + 3 < 0) /* overflow */
+                return NULL;
+        
+	/* Always align rows to 32-bit boundaries */
+	rowstride = (rowstride + 3) & ~3;
 
-	buf = g_try_malloc (height * rowstride);
+        bytes = height * rowstride;
+        if (bytes / rowstride !=  height) /* overflow */
+                return NULL;
+            
+	buf = g_try_malloc (bytes);
 	if (!buf)
 		return NULL;