From 8ff61c90362f540894aa9a3ed7d7b113abfa78d6 Mon Sep 17 00:00:00 2001
From: vlefebvre
Date: Wed, 13 May 2026 11:39:03 +0200
Subject: [PATCH] Fix 32-bit overflow in CVE-2026-42046 patch

This patch adds an additional overflow check after computing new_size to ensure the multiplication by sizeof(uint32_t) will not overflow:
if (new_size > 0 && (size_t)new_size > SIZE_MAX / sizeof(uint32_t))
This check is added in:
- caca_resize() in caca/canvas.c
- caca_create_frame() in caca/frame.c
Fixes #86
Fixes #89
Fixes CVE-2026-42046
---
 caca/canvas.c | 7 +++++++
 caca/frame.c | 9 +++++++++
 2 files changed, 16 insertions(+)
diff --git a/caca/canvas.c b/caca/canvas.c
index 62b72b7..418ca54 100644
--- a/caca/canvas.c
+++ b/caca/canvas.c
@@ -375,6 +375,13 @@ int caca_resize(caca_canvas_t *cv, int width, int height)
 return -1;
 }
 int new_size = width * height;
+ /* Check for overflow when multiplying by sizeof(uint32_t) on 32-bit
+ * systems */
+ if (new_size > 0 && (size_t)new_size > SIZE_MAX / sizeof(uint32_t))
+ {
+ seterrno(EOVERFLOW);
+ return -1;
+ }
 old_width = cv->width;
 old_height = cv->height;
diff --git a/caca/frame.c b/caca/frame.c
index c960092..9f88392 100644
--- a/caca/frame.c
+++ b/caca/frame.c
@@ -147,6 +147,15 @@ int caca_create_frame(caca_canvas_t *cv, int id)
 int size = cv->width * cv->height;
 int f;
+
+ /* Check for overflow when multiplying by sizeof(uint32_t) on 32-bit
+ * systems */
+ if (size > 0 && (size_t)size > SIZE_MAX / sizeof(uint32_t))
+ {
+ seterrno(EOVERFLOW);
+ return -1;
+ }
+
 if(id < 0)
 id = 0;
 else if(id > cv->framecount)
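Review bot: The added guard in caca_resize tests `new_size`, which is already the result of the `int` multiplication `width * height` on the context line above it, so a product larger than INT_MAX has overflowed (undefined behaviour for signed int) before the check runs, and a value that wrapped negative is skipped outright by the `new_size > 0 &&` term. The context lines before the hunk close an earlier check that may already bound the product, but that code is not visible here, so the new test should not rely on it silently. Bounding the operands before multiplying avoids the dependency, for example `if (height > 0 && (size_t)width > SIZE_MAX / sizeof(uint32_t) / (size_t)height)` once both are known to be non-negative, with the `int` product kept within INT_MAX by the earlier check. The same applies to `int size = cv->width * cv->height;` in the caca_create_frame hunk in caca/frame.c. caca_resize starts and continues outside the hunk.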
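Review bot: caca_create_frame gains a new failure mode, returning -1 with `EOVERFLOW`, and nothing in the hunk tells callers about it. The function's header comment is outside the hunk; if it lists the errno values the function sets, it should gain an entry such as `EOVERFLOW: canvas width * height * sizeof(uint32_t) does not fit in size_t`. The in-code comment says "on 32-bit systems" although the condition is written generically, so `/* Reject sizes whose byte count would not fit in size_t */` describes it more accurately. The block is also a verbatim copy of the one added to caca_resize in caca/canvas.c, and a shared static helper would keep the two from drifting apart. The function body continues past the end of the hunk.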