fix overflow in cairo downscaled bitmap cache (tdf#137719)

In my system, sizeof(long long) == sizeof(long) == 8, so multiplying
by LONG_MAX overflows long long.

Change-Id: Ieb9613ef05916ef24a64db69f698036ecaf194e2
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/126433
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>

1 files changed, 5 insertions, 2 deletions

diff --git a/vcl/headless/svpgdi.cxx b/vcl/headless/svpgdi.cxx
index 3db871c29da4..56010ff7ca14 100644
--- a/vcl/headless/svpgdi.cxx
+++ b/vcl/headless/svpgdi.cxx
@@ -258,7 +258,7 @@ namespace
     {
     private:
         cairo_surface_t* pSurface;
-        std::unordered_map<unsigned long long, cairo_surface_t*> maDownscaled;
+        std::unordered_map<sal_uInt64, cairo_surface_t*> maDownscaled;
 
         SurfaceHelper(const SurfaceHelper&) = delete;
         SurfaceHelper& operator=(const SurfaceHelper&) = delete;
@@ -305,7 +305,10 @@ namespace
             nH  = (1 == nHFactor) ? nTargetHeight : nH * 2;
 
             // check if we have a downscaled version of required size
-            const unsigned long long key((nW * LONG_MAX) + nH);
+            // bail out if the multiplication for the key would overflow
+            if( nW >= SAL_MAX_UINT32 || nH >= SAL_MAX_UINT32 )
+                return pSurface;
+            const sal_uInt64 key((nW * static_cast<sal_uInt64>(SAL_MAX_UINT32)) + nH);
             auto isHit(maDownscaled.find(key));
 
             if(isHit != maDownscaled.end())