From 40862c644cf1a8cd78e3c93aa78021a3caca7aff Mon Sep 17 00:00:00 2001
From: Elliott Sales de Andrade
Date: Thu, 29 Mar 2018 23:59:08 -0400
Subject: [PATCH] Fix overflow when resizing path-to-string buffer.

The int version of the buffer size was not updated when the buffer was resized. It's there to prevent a signed/unsigned comparison warning, but it's simpler just to cast the other side of the comparison. There's no problem with the signed-to-unsigned cast since we already know that the result is positive due to the previous check.

Fixes #10889.
---
 src/_path.h | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/_path.h b/src/_path.h
index 1663cf473901..81ba393043d8 100644
--- a/src/_path.h
+++ b/src/_path.h
@@ -1047,15 +1047,13 @@ void quad2cubic(double x0, double y0,
 char *__append_to_string(char *p, char **buffer, size_t *buffersize, const char *content)
 {
- int buffersize_int = (int)*buffersize;
-
 for (const char *i = content; *i; ++i) {
 if (p < *buffer) {
 /* This is just an internal error */
 return NULL;
 }
- if (p - *buffer >= buffersize_int) {
- int diff = p - *buffer;
+ if ((size_t)(p - *buffer) >= *buffersize) {
+ ptrdiff_t diff = p - *buffer;
 *buffersize *= 2;
 *buffer = (char *)realloc(*buffer, *buffersize);
 if (*buffer == NULL) {