Integer overflow in game_size(). Oops.

git-svn-id: svn://svn.tartarus.org/sgt/puzzles@5921 cda61777-01e9-0310-a592-d414129be87e

diff --git a/rect.c b/rect.c
index f0e5e79..9a8846c 100644 (file)
--- a/rect.c
+++ b/rect.c
@@ -2307,9 +2307,12 @@ static void game_size(game_params *params, game_drawstate *ds,
      * Each window dimension equals the tile size times 1.5 more
      * than the grid dimension (the border is 3/4 the width of the
      * tiles).
+     * 
+     * We must cast to unsigned before multiplying by two, because
+     * *x might be INT_MAX.
      */
-    tsx = 2 * *x / (2 * params->w + 3);
-    tsy = 2 * *y / (2 * params->h + 3);
+    tsx = 2 * (unsigned)*x / (2 * params->w + 3);
+    tsy = 2 * (unsigned)*y / (2 * params->h + 3);
     ts = min(tsx, tsy);
     if (expand)
         ds->tilesize = ts;