[Bug] Integer overflow on the return value after _caca_alloc2d() call #67

tin-z opened this issue Mar 21, 2022 · 0 comments
@tin-z

tin-z commented Mar 21, 2022

Describe the bug
If the project is compiled for a 64-bit system and the configure flag --disable-imlib2 is given, then the pointer returned from the _caca_alloc2d() call in load_image() at common-image.c is truncated to 32 bits with sign extension, later causing a SEGV when writing to an invalid memory area.

libcaca/src/common-image.c

Lines 163 to 173 in f42aa68

/* Allocate the pixel buffer */
im->pixels = _caca_alloc2d(im->w, im->h, depth);
if (!im->pixels)
{
caca_file_close(f);
free(im);
return NULL;
}
memset(im->pixels, 0, im->w * im->h * depth);

System info:

  • Ubuntu 20.04.3 LTS, gcc 10.3.0-1ubuntu1~20.04
  • latest commit f42aa68

Steps to reproduce the behavior

  • compile
export CONF_FLAGS="--disable-imlib2 --disable-shared"
export CFLAGS="-g -fPIE"
export CXFLAGS=${CFLAGS}
export CC=gcc-10
export CXX=g++-10
./bootstrap
./configure ${CONF_FLAGS}
make clean
make
  • run command: ./src/img2txt POC

Output

Segmentation fault (core dumped)
  • GDB screenshot
(gdb) b load_image
Breakpoint 1 at 0x7180: file common-image.c, line 35.
(gdb) r
Starting program: ./img2txt POC

Breakpoint 1, load_image (name=0x7fffffffe771 "POC")
    at common-image.c:35
35      {

(gdb) b _caca_alloc2d
Breakpoint 2 at 0x55555555bff0: file caca.c, line 288.
(gdb) c
Continuing.

Breakpoint 2, _caca_alloc2d (width=1, height=59968, elem_size=32) at caca.c:288
288     {
(gdb) finish
Run till exit from #0  _caca_alloc2d (width=1, height=59968, elem_size=32) at caca.c:288
0x000055555555b563 in load_image (name=<optimized out>) at common-image.c:164
164         im->pixels = _caca_alloc2d(im->w, im->h, depth);
Value returned is $1 = (void *) 0x7ffff6ef6010
(gdb) x/2i $rip
=> 0x55555555b563 <load_image+995>:     movslq %eax,%rdi  <------------ [0] here wrong conversion
   0x55555555b566 <load_image+998>:     mov    %rdi,(%r14)
(gdb) p/x $rax
$2 = 0x7ffff6ef6010
(gdb) p/x $rdi
$3 = 0x0
(gdb) si
0x000055555555b566      164         im->pixels = _caca_alloc2d(im->w, im->h, depth);
(gdb) p/x $rax
$4 = 0x7ffff6ef6010
(gdb) p/x $rdi                                            <------------ [1] 
$5 = 0xfffffffff6ef6010
(gdb) b memset
Breakpoint 3 at 0x55555555b57a: memset. (2 locations)
(gdb) c
Continuing.

Breakpoint 3, 0x000055555555b57a in memset (__len=<optimized out>, __ch=<optimized out>, __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:71
71        return __builtin___memset_chk (__dest, __ch, __len, __bos0 (__dest));
(gdb) p/x $rdi
$6 = 0xfffffffff6ef6010
(gdb) x/x $rdi
0xfffffffff6ef6010:     Cannot access memory at address 0xfffffffff6ef6010
(gdb) c
Continuing.

Breakpoint 3, __memset_avx2_unaligned_erms () at ../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S:167
167     ../sysdeps/x86_64/multiarch/memset-vec-unaligned-erms.S: No such file or directory.
(gdb)

POC

@tin-z tin-z changed the title [Bug] Truncated return value after _caca_alloc2d() call [Bug] Integer overflow on the return value after _caca_alloc2d() call Mar 21, 2022
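The GDB session above shows the caller doing `movslq %eax,%rdi` on the value returned by _caca_alloc2d(): only the low 32 bits of %rax are kept and then sign-extended into the 64-bit pointer stored in im->pixels. That instruction sequence is what a C compiler emits when it believes the callee returns int, which is consistent with _caca_alloc2d() having no prototype in scope in the --disable-imlib2 build (an inference from the disassembly; the page does not show the headers common-image.c includes). The following is an added example, not libcaca's code, that models that conversion and reproduces the two addresses from the trace; it also computes the buffer size from the breakpoint arguments (width=1, height=59968, elem_size=32) and notes that it exceeds glibc's default 128 KiB mmap threshold, which is why the buffer came back from an mmap region at 0x7ffff6ef6010 rather than the brk heap (the threshold value is glibc's documented default, assumed here, not something the issue states).

```c
#include <stdint.h>
#include <stdio.h>

/* glibc's default M_MMAP_THRESHOLD (128 KiB); requests above it are served by
 * mmap(2) high in the address space instead of the brk heap. Assumption. */
#define GLIBC_DEFAULT_MMAP_THRESHOLD (128u * 1024u)

/* Model of `movslq %eax,%rdi` applied to a 64-bit return value: the caller,
 * believing the callee returns int, keeps the low 32 bits and sign-extends. */
uint64_t implicit_int_return(uint64_t real_ptr)
{
    uint32_t eax = (uint32_t)(real_ptr & 0xffffffffu); /* what %eax held      */
    int32_t  as_int = (int32_t)eax;                    /* treated as int      */
    return (uint64_t)(int64_t)as_int;                  /* movslq into %rdi    */
}

/* A pointer survives the implicit-int round trip only if its top 33 bits are
 * all zero or all one, i.e. it is below 2 GiB or in the top 2 GiB of the
 * address space. Anything a 64-bit mmap or PIE heap hands out fails this. */
int survives_implicit_int(uint64_t p)
{
    return implicit_int_return(p) == p;
}

/* Size requested from the allocator for the buffer in the trace. */
uint64_t alloc_bytes(uint64_t width, uint64_t height, uint64_t elem_size)
{
    return width * height * elem_size;
}

int main(void)
{
    /* Values taken from the GDB session in the report. */
    const uint64_t returned_by_alloc2d = 0x7ffff6ef6010ULL;
    const uint64_t stored_in_pixels    = implicit_int_return(returned_by_alloc2d);
    const uint64_t bytes = alloc_bytes(1, 59968, 32);

    printf("request: %llu bytes (%s glibc mmap threshold)\n",
           (unsigned long long)bytes,
           bytes > GLIBC_DEFAULT_MMAP_THRESHOLD ? "above" : "below");
    printf("real pointer   : 0x%016llx\n", (unsigned long long)returned_by_alloc2d);
    printf("after movslq   : 0x%016llx\n", (unsigned long long)stored_in_pixels);
    printf("survives?      : %s\n",
           survives_implicit_int(returned_by_alloc2d) ? "yes" : "no");

    /* A non-PIE heap address below 2 GiB would have survived, which is why
     * this class of bug can stay hidden until the allocation lands high. */
    printf("0x601000 survives? %s\n",
           survives_implicit_int(0x601000ULL) ? "yes" : "no");
    return 0;
}
```

The fix on the C side is simply to have a correct prototype for _caca_alloc2d() visible where load_image() calls it; compiling with -Werror=implicit-function-declaration makes the compiler refuse the build instead of silently emitting the 32-bit conversion.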