authorBehdad Esfahbod <behdad@behdad.org>2011-02-28 10:13:52 -0800
committerBehdad Esfahbod <behdad@behdad.org>2011-02-28 10:13:52 -0800
commitb5dd44e24669cd35affcd92788d39ff56cac94db (patch)
treef913e056432025c6d13f652cfa95dee41e3f72ef
parenta4b781e93a0bee0549611e129b3564d9804d9090 (diff)
Fix possible overflow
-rw-r--r--src/hb-buffer.cc12
1 files changed, 10 insertions, 2 deletions
diff --git a/src/hb-buffer.cc b/src/hb-buffer.cc
index 04ae8c92..c868091b 100644
--- a/src/hb-buffer.cc
+++ b/src/hb-buffer.cc
@@ -73,8 +73,16 @@ _hb_buffer_enlarge (hb_buffer_t *buffer, unsigned int size)
while (size > new_allocated)
new_allocated += (new_allocated >> 1) + 8;
- new_pos = (hb_glyph_position_t *) realloc (buffer->pos, new_allocated * sizeof (buffer->pos[0]));
- new_info = (hb_glyph_info_t *) realloc (buffer->info, new_allocated * sizeof (buffer->info[0]));
+ ASSERT_STATIC (sizeof (buffer->info[0]) == sizeof (buffer->pos[0]));
+ bool overflows = new_allocated >= ((unsigned int) -1) / sizeof (buffer->info[0]);
+
+ if (unlikely (overflows)) {
+ new_pos = NULL;
+ new_info = NULL;
+ } else {
+ new_pos = (hb_glyph_position_t *) realloc (buffer->pos, new_allocated * sizeof (buffer->pos[0]));
+ new_info = (hb_glyph_info_t *) realloc (buffer->info, new_allocated * sizeof (buffer->info[0]));
+ }
if (unlikely (!new_pos || !new_info))
buffer->in_error = TRUE;
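Review bot: The growth loop just above the new check, `new_allocated += (new_allocated >> 1) + 8;`, is itself unsigned arithmetic and can wrap before `overflows` is computed, so the added guard covers the multiplication but not the value being multiplied. For a `size` near the top of the `unsigned int` range, `new_allocated` could wrap to a small number and the loop would continue from there, with no guarantee visible here that it ends at a value that is both at least `size` and below the bound. Testing the request before the loop with the same bound, e.g. `if (unlikely (size >= ((unsigned int) -1) / sizeof (buffer->info[0]))) overflows = true;` and skipping the loop in that case, would prevent the wrap, assuming the element is larger than one byte. The existing check on `new_allocated` is still needed afterwards because the 1.5x step can overshoot the bound. `_hb_buffer_enlarge` starts and ends outside this hunk, so how `in_error` and a partially successful `realloc` pair are handled afterwards cannot be confirmed from here.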