From 734f762a0814f78e39b1a34f0ff49ea11f51faa2 Mon Sep 17 00:00:00 2001
From: James Zern
Date: Wed, 3 Oct 2012 12:09:38 -0700
Subject: [PATCH] VP8LAllocateHistogramSet: fix overflow in size calculation

the multiplications done for total_size would be done with integers, possibly overflowing, before being promoted to 64-bit for the addition

Change-Id: I32c3a6400fc2ef120c38e01a8693f4cb1727234d
---
 src/enc/histogram.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/enc/histogram.c b/src/enc/histogram.c
index ca838e06..fb4044bf 100644
--- a/src/enc/histogram.c
+++ b/src/enc/histogram.c
@@ -55,9 +55,9 @@ VP8LHistogramSet* VP8LAllocateHistogramSet(int size, int cache_bits) {
 int i;
 VP8LHistogramSet* set;
 VP8LHistogram* bulk;
- const uint64_t total_size = (uint64_t)sizeof(*set)
- + size * sizeof(*set->histograms)
- + size * sizeof(**set->histograms);
+ const uint64_t total_size = sizeof(*set)
+ + (uint64_t)size * sizeof(*set->histograms)
+ + (uint64_t)size * sizeof(**set->histograms);
 uint8_t* memory = (uint8_t*)WebPSafeMalloc(total_size, sizeof(*memory));
 if (memory == NULL) return NULL;
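Review bot: `size` is a signed `int`, and nothing visible in this hunk rejects a negative value before the new `(uint64_t)size` casts in the `total_size` expression turn it into a very large unsigned number, so both products wrap modulo 2^64 rather than failing here. Whether such a request is refused then rests entirely on the limit check inside `WebPSafeMalloc`, which is not shown. An explicit `if (size < 0) return NULL;` ahead of the computation would make the function safe on its own; in this declarations-first style that means separating the `total_size` and `memory` declarations from their initialisers. It is also worth a one-line comment above the expression, e.g. `// Widen 'size' before multiplying: the products must be computed in 64 bits, not promoted afterwards.`, so the casts are not later moved back onto `sizeof(*set)`. The function body continues past the end of the hunk.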