From 29d639546da9647a48d822ae128090e4f1047dea Mon Sep 17 00:00:00 2001
From: Randy
Date: Wed, 29 Apr 2020 14:19:01 -0400
Subject: [PATCH] fix integer arithmetic in stbi__zexpand()
---
 stb_image.h | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/stb_image.h b/stb_image.h
index 7fc5992..65f971b 100644
--- a/stb_image.h
+++ b/stb_image.h
@@ -4130,13 +4130,16 @@ stbi_inline static int stbi__zhuffman_decode(stbi__zbuf *a, stbi__zhuffman *z)
 static int stbi__zexpand(stbi__zbuf *z, char *zout, int n) // need to make room for n bytes
 {
 char *q;
- int cur, limit, old_limit;
+ unsigned int cur, limit, old_limit;
 z->zout = zout;
 if (!z->z_expandable) return stbi__err("output buffer limit","Corrupt PNG");
- cur = (int) (z->zout - z->zout_start);
- limit = old_limit = (int) (z->zout_end - z->zout_start);
- while (cur + n > limit)
+ cur = (unsigned int) (z->zout - z->zout_start);
+ limit = old_limit = (unsigned) (z->zout_end - z->zout_start);
+ if(UINT_MAX - cur < n) return stbi__err("outofmem", "Out of memory");
+ while (cur + n > limit) {
+ if(limit > UINT_MAX / 2) return stbi__err("outofmem", "Out of memory");
 limit *= 2;
+ }
 q = (char *) STBI_REALLOC_SIZED(z->zout_start, old_limit, limit);
 STBI_NOTUSED(old_limit);
 if (q == NULL) return stbi__err("outofmem", "Out of memory");
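Review bot: The new guard `if(UINT_MAX - cur < n)` and the loop test `cur + n > limit` compare the `int` parameter `n` with unsigned values, so `n` is converted implicitly and a negative `n` would be treated as a very large request instead of being rejected on its own terms. Making the conversion explicit keeps the bound readable and quiet under `-Wsign-compare`: `if (n < 0 || UINT_MAX - cur < (unsigned) n) return stbi__err("outofmem", "Out of memory");`. The doubling loop also still assumes a non-zero `limit`: if `zout_end == zout_start` on entry (the callers are not visible here, so this needs confirming), `limit *= 2` never grows and the loop does not terminate, so a floor such as `if (limit == 0) limit = 1;` before the loop is worth considering. `UINT_MAX` comes from `<limits.h>` and the patch adds no include, so confirm the header already pulls it in. The function body continues past the end of the hunk.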