From: Peter Hull <peterhull90@gmail.com>
Date: Sat, 12 Jun 2021 10:19:59 +0100
Applied-Upstream: https://github.com/liballeg/allegro5/commit/0294e28e6135292eab4b2916a7d2223b1bb6843e
Subject: Reject creating bitmaps with negative width or height

Also reject absurd sizes. Previously bitmaps with a height of
INT_MIN could slip through
the checks, by a combination of lower bounds and arithmetic
overflows and be created by the Open GL driver.  However this bitmap
would cause a crash when al_lock_bitmap was called.
---
 src/bitmap.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/src/bitmap.c b/src/bitmap.c
index 77c76c2..b553c9e 100644
--- a/src/bitmap.c
+++ b/src/bitmap.c
@@ -100,14 +100,13 @@ ALLEGRO_BITMAP *_al_create_bitmap_params(ALLEGRO_DISPLAY *current_display,
    ALLEGRO_SYSTEM *system = al_get_system_driver();
    ALLEGRO_BITMAP *bitmap;
    ALLEGRO_BITMAP **back;
-   int64_t mul;
    bool result;
-
-   /* Reject bitmaps where a calculation pixel_size*w*h would overflow
+   /* Reject bitmaps with negative dimensions.
+    * Also reject bitmaps where a calculation pixel_size*w*h would overflow
     * int.  Supporting such bitmaps would require a lot more work.
+    * Overflow calc based on https://stackoverflow.com/a/1514309/231929
     */
-   mul = 4 * (int64_t) w * (int64_t) h;
-   if (mul > (int64_t) INT_MAX) {
+   if (w < 0 || h < 0 || (int64_t) w > (INT_MAX/4) / (int64_t) h) {
       ALLEGRO_WARN("Rejecting %dx%d bitmap\n", w, h);
       return NULL;
    }
