zakarya/puzzles
1
0
Fork 0
mirror of git://git.tartarus.org/simon/puzzles.git synced 2025-04-21 16:05:44 -07:00
Code Issues Packages Projects Releases Wiki Activity

Integer overflow in game_size(). Oops.

Browse Source 
[originally from svn r5921]
This commit is contained in:
Simon Tatham
2005-06-07 20:44:14 +00:00
parent 8add7421df
commit b1e706bf7e
1 changed files with 5 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
rect.c
View File

@ -2307,9 +2307,12 @@ static void game_size(game_params *params, game_drawstate *ds,
* Each window dimension equals the tile size times 1.5 more * Each window dimension equals the tile size times 1.5 more
* than the grid dimension (the border is 3/4 the width of the * than the grid dimension (the border is 3/4 the width of the
* tiles). * tiles).
*
* We must cast to unsigned before multiplying by two, because
* *x might be INT_MAX.
*/ */
tsx = 2 * *x / (2 * params->w + 3); tsx = 2 * (unsigned)*x / (2 * params->w + 3);
tsy = 2 * *y / (2 * params->h + 3); tsy = 2 * (unsigned)*y / (2 * params->h + 3);
ts = min(tsx, tsy); ts = min(tsx, tsy);
if (expand) if (expand)
ds->tilesize = ts; ds->tilesize = ts;