The Mozilla Scalable Vector Graphics (SVG) viewer contains a heap buffer overflow vulnerability resulting from an unsigned integer wrap during the multiplication of the {{signed int}} value {{pen->num_vertices}} and the {{size_t}} value {{sizeof(cairo_pen_vertex_t)}} \[[VU#551436|AA. C References#VU551436]\]. For an ILP32 architecture, the {{signed int}} operand is converted to {{size_t}} prior to the multiplication operation (see [INT02-C. Understand integer conversion rules|INT02-C. Understand integer conversion rules]), so that the multiplication takes place between two {{size_t}} integers, which are unsigned. |
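
The wrap described above, next to a checked size computation, as an added example that is not code from Mozilla or cairo. Assumptions: {{pen_vertex_t}} is a hypothetical stand-in for {{cairo_pen_vertex_t}} with a constructed 24-byte layout, and {{uint32_t}} models {{size_t}} on ILP32 so the arithmetic reproduces on a 64-bit host.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for cairo_pen_vertex_t (constructed layout, 24 bytes). */
typedef struct { int32_t x, y, slope[4]; } pen_vertex_t;

/* Assumption: uint32_t models size_t as it is on an ILP32 target. */
typedef uint32_t size32_t;
#define ELEM ((size32_t)sizeof(pen_vertex_t))

/* Unchecked form: the signed count is converted to the unsigned type,
 * then the product is reduced modulo 2^32. */
size32_t unchecked_bytes(int num_vertices) {
    return (size32_t)num_vertices * ELEM;
}

/* Checked form: reject negative counts and counts whose product would wrap.
 * *out is written only on success. */
bool checked_bytes(int num_vertices, size32_t *out) {
    if (num_vertices < 0)
        return false;
    if ((size32_t)num_vertices > UINT32_MAX / ELEM)
        return false;
    *out = (size32_t)num_vertices * ELEM;
    return true;
}

/* Allocation wrapper built on the checked size; NULL means "refused". */
pen_vertex_t *alloc_vertices(int num_vertices) {
    size32_t bytes;
    if (!checked_bytes(num_vertices, &bytes) || bytes == 0)
        return NULL;
    return malloc(bytes);
}

int main(void) {
    int n = 178956971;              /* constructed: smallest count that wraps */
    size32_t ok = 0;
    printf("unchecked(%d) = %u bytes\n", n, (unsigned)unchecked_bytes(n));
    printf("checked(%d) accepted: %d\n", n, checked_bytes(n, &ok));
    printf("checked(%d) accepted: %d\n", n - 1, checked_bytes(n - 1, &ok));
    return 0;
}
```

With the unchecked form, the caller believes it holds room for 178956971 vertices while the allocator was asked for 8 bytes, which is the heap overflow condition the advisory describes.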