From a6ae04d455b14a1f6a363a094e5ba58489fdf409 Mon Sep 17 00:00:00 2001
From: James Zern <jzern@google.com>
Date: Wed, 3 Oct 2012 12:09:38 -0700
Subject: [PATCH] VP8LAllocateHistogramSet: fix overflow in size calculation

the multiplications done for total_size would be done with integers,
possibly overflowing, before being promoted to 64-bit for the addition

Change-Id: Id5c127c8a497ce5de89a276c17f36b59eeb67c21
---
 src/enc/histogram.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/enc/histogram.c b/src/enc/histogram.c
index ca838e06..fb4044bf 100644
--- a/src/enc/histogram.c
+++ b/src/enc/histogram.c
@@ -55,9 +55,9 @@ VP8LHistogramSet* VP8LAllocateHistogramSet(int size, int cache_bits) {
   int i;
   VP8LHistogramSet* set;
   VP8LHistogram* bulk;
-  const uint64_t total_size = (uint64_t)sizeof(*set)
-                            + size * sizeof(*set->histograms)
-                            + size * sizeof(**set->histograms);
+  const uint64_t total_size = sizeof(*set)
+                            + (uint64_t)size * sizeof(*set->histograms)
+                            + (uint64_t)size * sizeof(**set->histograms);
   uint8_t* memory = (uint8_t*)WebPSafeMalloc(total_size, sizeof(*memory));
   if (memory == NULL) return NULL;