From ae98f1237cd6a0d7c08094feec46885aa80388f9 Mon Sep 17 00:00:00 2001 From: Michael R Sweet Date: Wed, 10 May 2023 15:33:23 -0400 Subject: [PATCH] Fix an integer overflow issue in the PWG media size name code (Issue #668) --- CHANGES.md | 2 ++ cups/pwg-media.c | 10 +++++++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 2fcd20b49c..af3754ac8f 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -170,6 +170,8 @@ Changes in CUPS v2.4b1 (2021-10-27) - Fixed support for "job-hold-until" with the Restart-Job operation (Issue #250) - Fixed the default color/grayscale presets for IPP Everywhere PPDs (Issue #262) - Fixed support for the 'offline-report' state for all USB backends (Issue #264) +- Fixed an integer overflow in the PWG media size name formatting code + (Issue #668) - Documentation fixes (Issue #92, Issue #163, Issue #177, Issue #184) - Localization updates (Issue #123, Issue #129, Issue #134, Issue #146, Issue #164) diff --git a/cups/pwg-media.c b/cups/pwg-media.c index d6ee5951b8..14a5ad3c2d 100644 --- a/cups/pwg-media.c +++ b/cups/pwg-media.c @@ -1108,9 +1108,13 @@ pwg_format_inches(char *buf, /* I - Buffer */ * the nearest thousandth. */ - thousandths = (val * 1000 + 1270) / 2540; - integer = thousandths / 1000; - fraction = thousandths % 1000; + integer = val / 2540; + fraction = ((val % 2540) * 1000 + 1270) / 2540; + if (fraction >= 1000) + { + integer ++; + fraction -= 1000; + } /* * Format as a pair of integers (avoids locale stuff), avoiding trailing -- 2.47.2
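Review bot: In the CHANGES.md hunk, the new entry sits under the heading shown in the hunk header, "Changes in CUPS v2.4b1 (2021-10-27)", while the commit is dated 10 May 2023. Confirm that the entry belongs in that section and not in the section for the release that actually ships the fix, since the changelog is what people consult to decide whether a given version still has the overflow.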
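Review bot: In the cups/pwg-media.c hunk of pwg_format_inches(), the new line `fraction = ((val % 2540) * 1000 + 1270) / 2540;` relies on val being non-negative, and neither the declaration of val nor any range check is in the visible context. If val is a signed type, a negative input gives a negative remainder in C and so a negative fraction, which the `if (fraction >= 1000)` carry does not correct; either reject negative values before this computation or state the precondition in the comment above it. The diffstat also lists only CHANGES.md and cups/pwg-media.c, so no test accompanies the fix: a case with val near the maximum of its type, and one where val % 2540 is 2539 so that the carry branch runs, would guard against a regression.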