Potential fix for code scanning alert no. 3235: Multiplication result converted to larger type

[bniladridas]

Potential fix for https://github.com/bniladridas/hybrid-compute/security/code-scanning/3235

To fix this safely without changing behavior for valid inputs, ensure allocation-size multiplications are performed in a wider unsigned type (size_t) before multiplication, and reject impossible sizes when they exceed INT_MAX where the code still stores byte counts in int (out_size, delays_size).

Best fix in this region:

• In include/stb_image.h, inside the shown GIF loading block (around lines 7729–7759), compute:
  • size_t alloc_size = (size_t)layers * (size_t)stride;
  • size_t delays_alloc = (size_t)layers * sizeof(int);
• Guard with if (alloc_size > INT_MAX) / if (delays_alloc > INT_MAX) and return existing OOM/error path.
• Pass these size_t values to allocation/reallocation macros.
• Cast back to int only after bounds check when assigning to out_size / delays_size.

No new external dependencies are needed.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

[changeset-bot]

⚠️ No Changeset found

Latest commit: d319c3f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[github-actions]

☑️ I checked the pre-commit hooks and there was nothing to fix at commit d319c3f.

[bniladridas]

Fixed in #140