From bce6d5b421151c098480873d42945eb9244b3ff9 Mon Sep 17 00:00:00 2001
From: Sam Lantinga <slouken@libsdl.org>
Date: Sat, 20 Jul 2024 18:53:31 -0700
Subject: [PATCH] Actually, we still need size overflow checking in
 SDL_BlitSurfaceUncheckedScaled()

---
 src/video/SDL_surface.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/video/SDL_surface.c b/src/video/SDL_surface.c
index 250f3d1dcc..e2626ac11f 100644
--- a/src/video/SDL_surface.c
+++ b/src/video/SDL_surface.c
@@ -997,11 +997,6 @@ int SDL_BlitSurfaceScaled(SDL_Surface *src, const SDL_Rect *srcrect,
         return SDL_BlitSurface(src, srcrect, dst, dstrect);
     }
 
-    if (src_w > SDL_MAX_UINT16 || src_h > SDL_MAX_UINT16 ||
-        dst_w > SDL_MAX_UINT16 || dst_h > SDL_MAX_UINT16) {
-        return SDL_SetError("Size too large for scaling");
-    }
-
     scaling_w = (double)dst_w / src_w;
     scaling_h = (double)dst_h / src_h;
 
@@ -1130,6 +1125,11 @@ int SDL_BlitSurfaceUncheckedScaled(SDL_Surface *src, const SDL_Rect *srcrect,
                                               SDL_COPY_BLEND | SDL_COPY_BLEND_PREMULTIPLIED | SDL_COPY_ADD | SDL_COPY_ADD_PREMULTIPLIED | SDL_COPY_MOD | SDL_COPY_MUL |
                                               SDL_COPY_COLORKEY);
 
+    if (srcrect->w > SDL_MAX_UINT16 || srcrect->h > SDL_MAX_UINT16 ||
+        dstrect->w > SDL_MAX_UINT16 || dstrect->h > SDL_MAX_UINT16) {
+        return SDL_SetError("Size too large for scaling");
+    }
+
     if (!(src->internal->map.info.flags & SDL_COPY_NEAREST)) {
         src->internal->map.info.flags |= SDL_COPY_NEAREST;
         SDL_InvalidateMap(&src->internal->map);