From 8f7d039801f4dd0013fa8735aec82af44389ce8a Mon Sep 17 00:00:00 2001 From: Ayman El Didi Date: Thu, 17 Feb 2022 23:22:43 -0700 Subject: [PATCH 1/3] fixed some comparisons between signed and unsigned integers In some places, there were int variables being compared to unsigned ints when they would never take a negative value, exposing some edge cases that didn't need to be there. --- src/cairo-array.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/cairo-array.c b/src/cairo-array.c index 60f45db4e..c93714f38 100644 --- a/src/cairo-array.c +++ b/src/cairo-array.c @@ -412,7 +412,7 @@ void * _cairo_user_data_array_get_data (cairo_user_data_array_t *array, const cairo_user_data_key_t *key) { - int i, num_slots; + unsigned int i, num_slots; cairo_user_data_slot_t *slots; /* We allow this to support degenerate objects such as cairo_surface_nil. */ @@ -452,7 +452,7 @@ _cairo_user_data_array_set_data (cairo_user_data_array_t *array, cairo_destroy_func_t destroy) { cairo_status_t status; - int i, num_slots; + unsigned int i, num_slots; cairo_user_data_slot_t *slots, *slot, new_slot; if (user_data) { @@ -523,7 +523,7 @@ _cairo_user_data_array_foreach (cairo_user_data_array_t *array, void *closure) { cairo_user_data_slot_t *slots; - int i, num_slots; + unsigned int i, num_slots; num_slots = array->num_elements; slots = _cairo_array_index (array, 0); From 915dd7942264c76c78e15989476b80ba70f70f64 Mon Sep 17 00:00:00 2001 
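Review bot: All three hunks change only the declarations of `i` and `num_slots`; the loops that use them in `_cairo_user_data_array_get_data`, `_cairo_user_data_array_set_data` and `_cairo_user_data_array_foreach` lie outside the hunks, so a countdown of the form `for (i = num_slots - 1; i >= 0; i--)`, a `num_slots - 1` on an empty array, or a `-1` "not found" sentinel in those bodies would now wrap to `UINT_MAX` instead of failing to compile. Worth confirming every loop is of the `for (i = 0; i < num_slots; i++)` shape before merging; `-Wsign-compare` catches the comparisons but not a sentinel assignment. A one-line comment on the declaration would record why the type was chosen, e.g. `/* unsigned: mirrors array->num_elements; loops count up from 0 */`. Each of the three enclosing functions starts and ends outside its hunk.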
From: Ayman El Didi Date: Sat, 19 Feb 2022 11:59:41 -0700 Subject: [PATCH 2/3] fixed some multiplications prone to overflowing their type In a couple of instances, code is present where two numbers are being multiplied in a type like unsigned int, but immediately being casted to a wider type like size_t. This means, although the result can be any size_t value, the multiplication can potentially overflow before it's used because unsigned int has a smaller range of values. In another more niche case, I also cast to size_t before multiplying a signed integer, since the result is immediately used as an argument to memcpy, which would give memory corruption if the value was negative anyway. --- src/cairo-array.c | 8 ++++---- src/cairo-ft-font.c | 10 +++++----- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/cairo-array.c b/src/cairo-array.c index c93714f38..db7b6de7a 100644 --- a/src/cairo-array.c +++ b/src/cairo-array.c @@ -181,7 +181,7 @@ _cairo_array_index (cairo_array_t *array, unsigned int index) assert (index < array->num_elements); - return array->elements + index * array->element_size; + return array->elements + (size_t)index * array->element_size; } /** @@ -225,7 +225,7 @@ _cairo_array_index_const (const cairo_array_t *array, unsigned int index) assert (index < array->num_elements); - return array->elements + index * array->element_size; + return array->elements + (size_t)index * array->element_size; } /** @@ -289,7 +289,7 @@ _cairo_array_append_multiple (cairo_array_t *array, if (unlikely (status)) return status; - memcpy (dest, elements, num_elements * array->element_size); + memcpy (dest, elements, (size_t)num_elements * array->element_size); return CAIRO_STATUS_SUCCESS; } 
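Review bot: The `(size_t)` cast in `_cairo_array_index`, `_cairo_array_index_const` and the `memcpy` in `_cairo_array_append_multiple` only widens the product on LP64 targets; on ILP32 `size_t` is 32 bits and `index * element_size` wraps exactly as before, so this is not an overflow fix on its own. It also makes the `memcpy` length honest without showing that the buffer was sized by the same arithmetic — the growth path that allocates `size * element_size` is not in this patch, and if it still multiplies in `unsigned int`, a request that previously produced a short (wrapped) copy could now become an out-of-bounds write. I would check that path and reject oversized requests before the copy, e.g. `if (num_elements > SIZE_MAX / array->element_size) return _cairo_error (CAIRO_STATUS_NO_MEMORY);` at the top of `_cairo_array_append_multiple`. Note also that `assert (index < array->num_elements)` disappears under `NDEBUG`, so it is not a release-build bounds check. `_cairo_array_append_multiple` begins outside the hunk.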
@@ -320,7 +320,7 @@ _cairo_array_allocate (cairo_array_t *array, assert (array->num_elements + num_elements <= array->size); - *elements = array->elements + array->num_elements * array->element_size; + *elements = array->elements + (size_t)array->num_elements * array->element_size; array->num_elements += num_elements; diff --git a/src/cairo-ft-font.c b/src/cairo-ft-font.c index 683ee916d..60b98fb41 100644 --- a/src/cairo-ft-font.c +++ b/src/cairo-ft-font.c @@ -1194,7 +1194,7 @@ _fill_xrender_bitmap(FT_Bitmap *target, #ifdef FT_LOAD_COLOR case FT_PIXEL_MODE_BGRA: for (h = height; h > 0; h--, srcLine += src_pitch, dstLine += pitch) - memcpy (dstLine, srcLine, width * 4); + memcpy (dstLine, srcLine, (size_t)width * 4); break; #endif @@ -1241,7 +1241,7 @@ _get_bitmap_surface (FT_Bitmap *bitmap, return _cairo_error (CAIRO_STATUS_NO_MEMORY); if (stride == bitmap->pitch) { - memcpy (data, bitmap->buffer, stride * height); + memcpy (data, bitmap->buffer, (size_t)stride * height); } else { int i; unsigned char *source, *dest; @@ -1294,7 +1294,7 @@ _get_bitmap_surface (FT_Bitmap *bitmap, if (!data) return _cairo_error (CAIRO_STATUS_NO_MEMORY); - memcpy (data, bitmap->buffer, stride * height); + memcpy (data, bitmap->buffer, (size_t)stride * height); } format = CAIRO_FORMAT_A8; @@ -1315,7 +1315,7 @@ _get_bitmap_surface (FT_Bitmap *bitmap, if (!data) return _cairo_error (CAIRO_STATUS_NO_MEMORY); - memcpy (data, bitmap->buffer, stride * height); + memcpy (data, bitmap->buffer, (size_t)stride * height); } if (!_cairo_is_little_endian ()) @@ -1371,7 +1371,7 @@ _get_bitmap_surface (FT_Bitmap *bitmap, } } - memcpy (data, bitmap->buffer, stride * height); + memcpy (data, bitmap->buffer, (size_t)stride * height); break; } /* fall through */ From f83e0ed4e665a1eb317b321964fae4ea934bdf58 Mon Sep 17 00:00:00 2001 
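Review bot: In `_cairo_array_allocate`, the `assert (array->num_elements + num_elements <= array->size)` two lines above the changed line still adds two `unsigned int`s, so a large `num_elements` can wrap the sum below `size`, the assert passes, `*elements` points near the end of the buffer, and `num_elements` is then added to the count. Widening the pointer arithmetic does not close that; the check should be written wrap-free as `assert (num_elements <= array->size - array->num_elements);`. Since `assert` vanishes under `NDEBUG`, the caller's grow step (not in this hunk) has to be the real guard, and it should be reviewed for the same wrap. `_cairo_array_allocate` starts and ends outside the hunk.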
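Review bot: The five `memcpy (data, bitmap->buffer, (size_t)stride * height)` sites in `_get_bitmap_surface` and the `(size_t)width * 4` in `_fill_xrender_bitmap` assume the signed operand is non-negative; the declarations of `stride`, `height` and `width` are not in these hunks, but the commit message says `width` is signed, and a negative value now becomes a length near `SIZE_MAX` after the cast while the cast also silences the sign-conversion warning the old form would have raised. FreeType permits a negative `FT_Bitmap.pitch` for bottom-up bitmaps, and the `stride == bitmap->pitch` branch would copy with that sign unless something earlier (not visible here) rejects it. A guard before the first copy, `if (stride < 0 || (height != 0 && (size_t)stride > SIZE_MAX / height)) return _cairo_error (CAIRO_STATUS_NO_MEMORY);`, makes both the sign and the ILP32 wrap explicit, since on 32-bit targets the `(size_t)` cast does not widen the multiplication at all. Both enclosing functions start and end outside their hunks.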
From: Ayman El Didi Date: Fri, 18 Feb 2022 00:18:22 -0700 Subject: [PATCH 3/3] removed redundant casts in cairoint.h In a couple of instances, ints are being casted to int before use. --- src/cairoint.h | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/cairoint.h b/src/cairoint.h index 8299bf92d..4ffcba033 100644 --- a/src/cairoint.h +++ b/src/cairoint.h @@ -351,10 +351,10 @@ static inline cairo_bool_t _cairo_rectangle_intersects (const cairo_rectangle_int_t *dst, const cairo_rectangle_int_t *src) { - return !(src->x >= dst->x + (int) dst->width || - src->x + (int) src->width <= dst->x || - src->y >= dst->y + (int) dst->height || - src->y + (int) src->height <= dst->y); + return !(src->x >= dst->x + dst->width || + src->x + src->width <= dst->x || + src->y >= dst->y + dst->height || + src->y + src->height <= dst->y); } static inline cairo_bool_t @@ -362,9 +362,9 @@ _cairo_rectangle_contains_rectangle (const cairo_rectangle_int_t *a, const cairo_rectangle_int_t *b) { return (a->x <= b->x && - a->x + (int) a->width >= b->x + (int) b->width && + a->x + a->width >= b->x + b->width && a->y <= b->y && - a->y + (int) a->height >= b->y + (int) b->height); + a->y + a->height >= b->y + b->height); } cairo_private void
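Review bot: Whether dropping the `(int)` casts in `_cairo_rectangle_intersects` and `_cairo_rectangle_contains_rectangle` is really a no-op depends entirely on `cairo_rectangle_int_t` declaring `width` and `height` as `int`; the struct is not in this hunk, and the presence of the casts suggests they may once have been unsigned. If any member is unsigned, `src->x >= dst->x + dst->width` is now evaluated in unsigned arithmetic, a negative `x`/`y` compares as a huge value, and the intersection and containment tests silently invert for off-screen rectangles — a behaviour change, not a cleanup — so the commit message should cite the struct definition it relies on. Independently of this patch, `dst->x + dst->width` is signed addition and is undefined for rectangles near `INT_MAX`; a comment on `_cairo_rectangle_intersects` such as `/* Callers must keep x + width and y + height within int range; no overflow check is done here. */` would document that contract.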