rpng: gate pass_size 4 GiB cap on 64-bit size_t

LibretroAdmin · LibretroAdmin · commit 53c32a263629 · 2026-04-21T03:28:30.000+02:00
GCC 4.0 on 32-bit PPC (and any ILP32 build) reports:

    rpng.c:1597: warning: comparison is always false due to
        limited range of data type

The pass_size cap checks (uint64_t)pass_size &gt;= 0x100000000ULL.
On ILP32 size_t is 32-bit (max 0xFFFFFFFF = 2^32 - 1), one less
than the 2^32 threshold.  Widening to uint64_t doesn't extend the
value range, so the comparison is statically unreachable and GCC
emits a dead-code warning.

The cap itself isn't wrong - on 64-bit, pass_size can genuinely
exceed 4 GiB (e.g. 30000x30000 16bpc-RGBA intermediate inflate
buffer needs 7 GiB) and we want to reject before malloc.  On 32-bit
pass_size literally cannot reach 4 GiB because size_t can't
represent it, so the check is redundant by construction.

Preprocessor-gate the pass_size clause on SIZE_MAX &gt; 0xFFFFFFFFULL:

    if ((uint64_t)width * height * sizeof(uint32_t) &gt;= 0x100000000ULL
    #if SIZE_MAX &gt; 0xFFFFFFFFULL
           || (uint64_t)pass_size &gt;= 0x100000000ULL
    #endif
        )
        return false;

The output-size clause stays unguarded - width * height * 4 can
overflow 32-bit even when each operand is 32-bit wide (100000 *
100000 * 4 is ~40 GiB), so that cap is meaningful on 32-bit too.

SIZE_MAX is already in scope via the existing &lt;stdint.h&gt; include.
No behavior change on 64-bit; 32-bit loses the warning.
diff --git a/libretro-common/formats/png/rpng.c b/libretro-common/formats/png/rpng.c
@@ -1587,14 +1587,24 @@ bool rpng_iterate_image(rpng_t *rpng)
           * constant unambiguously 64-bit on LLP64 (Windows) where
           * unsigned long is 32-bit.  rpng_pass_geom's arithmetic is
           * itself size_t-wide after the prior widening commit, so the
-          * pass_size returned here is trustworthy. */
+          * pass_size returned here is trustworthy.
+          *
+          * On ILP32 platforms (e.g. 32-bit PPC / i686), size_t is 32-bit
+          * and pass_size can never reach 2^32, so GCC warns that the
+          * pass_size cap is always false.  Preprocessor-gate it on
+          * 64-bit size_t; the output-size cap remains active on both
+          * 32-bit and 64-bit (width*height*4 can overflow 32-bit even
+          * when each factor is 32-bit). */
          {
             size_t pass_size = 0;
             rpng_pass_geom(&rpng->ihdr, rpng->ihdr.width,
                            rpng->ihdr.height, NULL, NULL, &pass_size);
             if ((uint64_t)rpng->ihdr.width * rpng->ihdr.height
                      * sizeof(uint32_t) >= 0x100000000ULL
-                  || (uint64_t)pass_size >= 0x100000000ULL)
+#if SIZE_MAX > 0xFFFFFFFFULL
+                  || (uint64_t)pass_size >= 0x100000000ULL
+#endif
+               )
                return false;
          }
 
