[HarfBuzz] harfbuzz-ng: Branch 'master'

Behdad Esfahbod behdad at kemper.freedesktop.org
Mon Feb 28 10:14:12 PST 2011


 src/hb-buffer.cc |   12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

New commits:
commit b5dd44e24669cd35affcd92788d39ff56cac94db
Author: Behdad Esfahbod <behdad at behdad.org>
Date:   Mon Feb 28 10:13:52 2011 -0800

    Fix possible overflow

diff --git a/src/hb-buffer.cc b/src/hb-buffer.cc
index 04ae8c9..c868091 100644
--- a/src/hb-buffer.cc
+++ b/src/hb-buffer.cc
@@ -73,8 +73,16 @@ _hb_buffer_enlarge (hb_buffer_t *buffer, unsigned int size)
   while (size > new_allocated)
     new_allocated += (new_allocated >> 1) + 8;
 
-  new_pos = (hb_glyph_position_t *) realloc (buffer->pos, new_allocated * sizeof (buffer->pos[0]));
-  new_info = (hb_glyph_info_t *) realloc (buffer->info, new_allocated * sizeof (buffer->info[0]));
+  ASSERT_STATIC (sizeof (buffer->info[0]) == sizeof (buffer->pos[0]));
+  bool overflows = new_allocated >= ((unsigned int) -1) / sizeof (buffer->info[0]);
+
+  if (unlikely (overflows)) {
+    new_pos = NULL;
+    new_info = NULL;
+  } else {
+    new_pos = (hb_glyph_position_t *) realloc (buffer->pos, new_allocated * sizeof (buffer->pos[0]));
+    new_info = (hb_glyph_info_t *) realloc (buffer->info, new_allocated * sizeof (buffer->info[0]));
+  }
 
   if (unlikely (!new_pos || !new_info))
     buffer->in_error = TRUE;
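Review bot: The growth loop at the top of this hunk, `while (size > new_allocated) new_allocated += (new_allocated >> 1) + 8;`, is not covered by the new check and can itself wrap around `unsigned int` when `size` is close to the maximum. After a wrap `new_allocated` is small again, so the loop keeps iterating and may take very long or never land at or above `size`; the `overflows` test is only reached once the loop exits. I would bound `size` before the loop with the same limit, e.g. `if (unlikely (size >= ((unsigned int) -1) / sizeof (buffer->info[0])))` taking the same failure path, and keep the existing test on `new_allocated` for the multiplication. Whether a caller can pass such a `size`, and what `new_allocated` starts at, depends on code outside this hunk; the body of `_hb_buffer_enlarge` begins and ends outside it.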


