From 94ac1bbc85f71ea5ba0d2c74bb45b02bb7298140 Mon Sep 17 00:00:00 2001 From: Paul Cornett Date: Tue, 29 Oct 2019 19:59:31 -0700 Subject: [PATCH] Fix crash in wxImage::Scale() Caused by arithmetic overflow of a signed addition and subsequent right-shift of that (now negative) value and use as an array index. Could only realistically occur on platforms where long is 32 bits. See #18550 --- src/common/image.cpp | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/common/image.cpp b/src/common/image.cpp index a6575bb25c..f21b0318f2 100644 --- a/src/common/image.cpp +++ b/src/common/image.cpp @@ -526,21 +526,21 @@ wxImage wxImage::ResampleNearest(int width, int height) const } } - long old_height = M_IMGDATA->m_height, - old_width = M_IMGDATA->m_width; - long x_delta = (old_width<<16) / width; - long y_delta = (old_height<<16) / height; + const unsigned long old_height = M_IMGDATA->m_height; + const unsigned long old_width = M_IMGDATA->m_width; + const unsigned long x_delta = (old_width << 16) / width; + const unsigned long y_delta = (old_height << 16) / height; unsigned char* dest_pixel = target_data; - long y = 0; - for ( long j = 0; j < height; j++ ) + unsigned long y = 0; + for (int j = 0; j < height; j++) { const unsigned char* src_line = &source_data[(y>>16)*old_width*3]; const unsigned char* src_alpha_line = source_alpha ? &source_alpha[(y>>16)*old_width] : 0 ; - long x = 0; - for ( long i = 0; i < width; i++ ) + unsigned long x = 0; + for (int i = 0; i < width; i++) { const unsigned char* src_pixel = &src_line[(x>>16)*3]; const unsigned char* src_alpha_pixel = source_alpha ? &src_alpha_line[(x>>16)] : 0 ;