From 4932973dce18e75c54a729b2c88119ae66f05c40 Mon Sep 17 00:00:00 2001
From: Timothy Nikkel
Date: Fri, 26 Feb 2016 17:13:59 -0600
Subject: [PATCH] Bug 1251742. Avoid overflow in computing area of surface sizes in SurfaceCache. r=dholbert

http://hg.mozilla.org/mozilla-central/rev/9727cdebb2ee (bug 1228314) fixed the first instance of this, but missed the next two for some reason.
---
 image/SurfaceCache.cpp | 13 ++++++++-----
 image/SurfaceCache.h | 2 +-
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/image/SurfaceCache.cpp b/image/SurfaceCache.cpp
index fc972b0f1dc..44ed92c6b19 100644
--- a/image/SurfaceCache.cpp
+++ b/image/SurfaceCache.cpp
@@ -227,6 +227,11 @@ private:
 const SurfaceKey mSurfaceKey;
 };

+static int64_t
+AreaOfIntSize(const IntSize& aSize) {
+ return static_cast(aSize.width) * static_cast(aSize.height);
+}
+
 /**
 * An ImageSurfaceCache is a per-image surface cache. For correctness we must be
 * able to remove all surfaces associated with an image when the image is
@@ -327,11 +332,9 @@ public:
 // Compare sizes. We use an area-based heuristic here instead of computing a
 // truly optimal answer, since it seems very unlikely to make a difference
 // for realistic sizes.
- int64_t idealArea = static_cast(idealKey.Size().width) *
- static_cast(idealKey.Size().height);
- int64_t surfaceArea = aSurfaceKey.Size().width * aSurfaceKey.Size().height;
- int64_t bestMatchArea =
- bestMatchKey.Size().width * bestMatchKey.Size().height;
+ int64_t idealArea = AreaOfIntSize(idealKey.Size());
+ int64_t surfaceArea = AreaOfIntSize(aSurfaceKey.Size());
+ int64_t bestMatchArea = AreaOfIntSize(bestMatchKey.Size());

 // If the best match is smaller than the ideal size, prefer bigger sizes.
 if (bestMatchArea < idealArea) {
diff --git a/image/SurfaceCache.h b/image/SurfaceCache.h
index d6fafa48b09..5c5d2db7c1b 100644
--- a/image/SurfaceCache.h
+++ b/image/SurfaceCache.h
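Review bot: `AreaOfIntSize` in the first SurfaceCache.cpp hunk carries no comment saying why each operand is cast before the multiply, and that widening is the whole purpose of the helper: a bare `width * height` is evaluated in 32-bit signed arithmetic and overflows (undefined behaviour) before the result is ever stored in the `int64_t`. I would put `// Widen each dimension before multiplying; a 32-bit product overflows for large surfaces.` above it, so the next caller does not reintroduce the bare multiply, which the commit message says was already missed once. The helper is file-local, so area computations in other translation units are not covered by it; whether any exist cannot be told from this patch. The diffstat lists no test file, and a case whose width times height exceeds INT32_MAX would pin the behaviour.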
@@ -64,7 +64,7 @@ public:
 return hash;
 }

- IntSize Size() const { return mSize; }
+ const IntSize& Size() const { return mSize; }
 Maybe SVGContext() const { return mSVGContext; }
 float AnimationTime() const { return mAnimationTime; }
 SurfaceFlags Flags() const { return mFlags; }
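Review bot: Returning `const IntSize&` from `Size()` changes the lifetime contract of a public accessor: a caller that binds `Size()` on a temporary key to a reference now holds a dangling reference once the key is destroyed, where the old by-value return was kept alive by lifetime extension. The overflow fix does not depend on this, since `AreaOfIntSize(const IntSize&)` binds to a by-value return equally well, and IntSize is presumably a pair of 32-bit ints, so the copy costs next to nothing. I would keep `IntSize Size() const { return mSize; }`, or otherwise audit the callers in other files, which this patch does not show. The enclosing class starts and ends outside the hunk.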