Fix overflow when resizing path-to-string buffer.

QuLogic · QuLogic · commit 40862c644cf1 · 2018-03-29T23:59:08.000-04:00
The int version of the buffer size was not updated when the buffer was resized. It's there to prevent a signed/unsigned comparison warning, but it's simpler just to cast the other side of the comparison. There's no problem with the signed-to-unsigned cast since we already know that the result is positive due to the previous check. Fixes #10889.
diff --git a/src/_path.h b/src/_path.h
@@ -1047,15 +1047,13 @@ void quad2cubic(double x0, double y0,
 char *__append_to_string(char *p, char **buffer, size_t *buffersize,
                          const char *content)
 {
-    int buffersize_int = (int)*buffersize;
-
     for (const char *i = content; *i; ++i) {
         if (p < *buffer) {
             /* This is just an internal error */
             return NULL;
         }
-        if (p - *buffer >= buffersize_int) {
-            int diff = p - *buffer;
+        if ((size_t)(p - *buffer) >= *buffersize) {
+            ptrdiff_t diff = p - *buffer;
             *buffersize *= 2;
             *buffer = (char *)realloc(*buffer, *buffersize);
             if (*buffer == NULL) {
