From a16e4652e3c80504790730b66145b7aef14b3648 Mon Sep 17 00:00:00 2001
From: Sergey Sharybin
Date: Fri, 6 Mar 2020 15:33:47 +0100
Subject: Fix integer overflow in BLI_mempool_as_arrayN()

`(size_t)(int * int)` will actually cast overflown integer to size_t, which isn't what was intended here. Correct thing would be to cast in the following manner `(size_t)int * int`. In this particular case can as well use function which is designed to allocate an array of memory without overflow.
---
 source/blender/blenlib/intern/BLI_mempool.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'source/blender')

diff --git a/source/blender/blenlib/intern/BLI_mempool.c b/source/blender/blenlib/intern/BLI_mempool.c
index 2b931507633..4182aab2190 100644
--- a/source/blender/blenlib/intern/BLI_mempool.c
+++ b/source/blender/blenlib/intern/BLI_mempool.c
@@ -526,7 +526,7 @@ void BLI_mempool_as_array(BLI_mempool *pool, void *data)
  */
 void *BLI_mempool_as_arrayN(BLI_mempool *pool, const char *allocstr)
 {
-  char *data = MEM_mallocN((size_t)(pool->totused * pool->esize), allocstr);
+  char *data = MEM_malloc_arrayN(pool->totused, pool->esize, allocstr);
   BLI_mempool_as_array(pool, data);
   return data;
 }
--
cgit v1.2.3
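Review bot: The new `MEM_malloc_arrayN` call is not checked before `data` is handed to `BLI_mempool_as_array`, so the case the commit is fixing — a `totused * esize` product that overflows — now turns into a write through a NULL pointer if the array allocator refuses the request (as I recall it does, returning NULL after reporting the overflow, but that is not visible in this hunk), and a plain allocation failure behaves the same way. That is a safer outcome than the previous wrapped, undersized buffer followed by a heap overflow, but it is still a crash the caller cannot avoid; returning the failure is cheap: `if (data == NULL) { return NULL; }` between the allocation and the `BLI_mempool_as_array` call. The doc comment above the function (only its closing ` */` is in the hunk) should then say that the result may be NULL on overflow or out-of-memory and that the caller owns it and frees it with the matching MEM free routine. The implicit widening of `pool->totused` and `pool->esize` to `size_t` is fine as long as both are non-negative, which their declarations elsewhere in the file should be checked to guarantee.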