ref: b1e706bf7ea74263e9100506ef11f8060cc76616
parent: 8add7421dfc72c2fcdeb213c32a474e9af6ee4bb
author: Simon Tatham <anakin@pobox.com>
date: Tue Jun 7 16:44:14 EDT 2005
Integer overflow in game_size(). Oops. [originally from svn r5921]
--- a/rect.c
+++ b/rect.c
@@ -2307,9 +2307,12 @@
* Each window dimension equals the tile size times 1.5 more
* than the grid dimension (the border is 3/4 the width of the
* tiles).
+ *
+ * We must cast to unsigned before multiplying by two, because
+ * *x might be INT_MAX.
*/
- tsx = 2 * *x / (2 * params->w + 3);
- tsy = 2 * *y / (2 * params->h + 3);
+ tsx = 2 * (unsigned)*x / (2 * params->w + 3);
+ tsy = 2 * (unsigned)*y / (2 * params->h + 3);
ts = min(tsx, tsy);
if (expand)
ds->tilesize = ts;
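Review bot: The `(unsigned)` casts on the `tsx`/`tsy` lines handle the INT_MAX case but are only correct when `*x` and `*y` are non-negative; a negative value would be converted to a very large unsigned number and yield a huge tile size rather than a small one. Whether callers can pass a negative size is not visible in this hunk, so the new comment should state the assumption, e.g. `* This relies on *x and *y being non-negative.`, or the values should be rejected before this point. The divisors `2 * params->w + 3` and `2 * params->h + 3` are still evaluated in signed `int` before the conversion, so they depend on `params->w` and `params->h` having been range-checked elsewhere. The enclosing function starts and ends outside the hunk.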