From 21ede867df28d1214ca677a24ac65ab0b7e95f42 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod
Date: Thu, 25 Oct 2018 13:19:34 -0700
Subject: [PATCH] Fix possible overflow in bsearch impls

From bungeman.

Fixes https://github.com/harfbuzz/harfbuzz/pull/1314
---
 src/hb-dsalgs.hh | 2 +-
 src/hb-open-type.hh | 4 ++--
 src/hb-ot-cmap-table.hh | 2 +-
 src/hb-ot-layout-gpos-table.hh | 2 +-
 src/hb-vector.hh | 2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/hb-dsalgs.hh b/src/hb-dsalgs.hh
index 7e846161d..d22e8809e 100644
--- a/src/hb-dsalgs.hh
+++ b/src/hb-dsalgs.hh
@@ -321,7 +321,7 @@ hb_bsearch_r (const void *key, const void *base,
 int min = 0, max = (int) nmemb - 1;
 while (min <= max)
 {
- int mid = (min + max) / 2;
+ int mid = ((unsigned int) min + (unsigned int) max) / 2;
 const void *p = (const void *) (((const char *) base) + (mid * size));
 int c = compar (key, p, arg);
 if (c < 0)
diff --git a/src/hb-open-type.hh b/src/hb-open-type.hh
index 2b1b432ba..8b7ea0939 100644
--- a/src/hb-open-type.hh
+++ b/src/hb-open-type.hh
@@ -702,7 +702,7 @@ struct SortedArrayOf : ArrayOf
 int min = 0, max = (int) this->len - 1;
 while (min <= max)
 {
- int mid = (min + max) / 2;
+ int mid = ((unsigned int) min + (unsigned int) max) / 2;
 int c = arr[mid].cmp (x);
 if (c < 0)
 max = mid - 1;
@@ -825,7 +825,7 @@ struct VarSizedBinSearchArrayOf
 int min = 0, max = (int) header.nUnits - 1;
 while (min <= max)
 {
- int mid = (min + max) / 2;
+ int mid = ((unsigned int) min + (unsigned int) max) / 2;
 const Type *p = (const Type *) (((const char *) &bytesZ) + (mid * size));
 int c = p->cmp (key);
 if (c < 0)
diff --git a/src/hb-ot-cmap-table.hh b/src/hb-ot-cmap-table.hh
index e5793c387..9978d1b02 100644
--- a/src/hb-ot-cmap-table.hh
+++ b/src/hb-ot-cmap-table.hh
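Review bot: The unsigned-cast midpoint on the `+` line is correct but reads as a trick, and nothing tells the next reader why the casts are there; the identical line recurs in the hb-open-type.hh (both hunks), hb-ot-cmap-table.hh, hb-ot-layout-gpos-table.hh and hb-vector.hh hunks. The loop guard `while (min <= max)` with `min` starting at 0 keeps both bounds non-negative, so the sum fits in `unsigned int` and the quotient fits back into `int`; the cast-free form `int mid = min + (max - min) / 2;` relies on the same invariant and is the conventional overflow-safe midpoint. If the casts stay, a one-line comment such as `/* unsigned sum: min + max can exceed INT_MAX; both are >= 0 here */` would stop someone "simplifying" it back to the signed form. The narrowing `max = (int) nmemb - 1` on the context line is untouched by this patch and still assumes nmemb fits in int — presumably bounded by the callers, but worth confirming. hb_bsearch_r's signature and the rest of its body lie outside the hunk.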
@@ -249,7 +249,7 @@ struct CmapSubtableFormat4
 unsigned int i;
 while (min <= max)
 {
- int mid = (min + max) / 2;
+ int mid = ((unsigned int) min + (unsigned int) max) / 2;
 if (codepoint < startCount[mid])
 max = mid - 1;
 else if (codepoint > endCount[mid])
diff --git a/src/hb-ot-layout-gpos-table.hh b/src/hb-ot-layout-gpos-table.hh
index dad6c4ea9..dd4e62792 100644
--- a/src/hb-ot-layout-gpos-table.hh
+++ b/src/hb-ot-layout-gpos-table.hh
@@ -663,7 +663,7 @@ struct PairSet
 int min = 0, max = (int) count - 1;
 while (min <= max)
 {
- int mid = (min + max) / 2;
+ int mid = ((unsigned int) min + (unsigned int) max) / 2;
 const PairValueRecord *record = &StructAtOffset (&firstPairValueRecord, record_size * mid);
 hb_codepoint_t mid_x = record->secondGlyph;
 if (x < mid_x)
diff --git a/src/hb-vector.hh b/src/hb-vector.hh
index 766e5fb8e..eed4507ff 100644
--- a/src/hb-vector.hh
+++ b/src/hb-vector.hh
@@ -232,7 +232,7 @@ struct hb_vector_t
 const Type *array = this->arrayZ();
 while (min <= max)
 {
- int mid = (min + max) / 2;
+ int mid = ((unsigned int) min + (unsigned int) max) / 2;
 int c = array[mid].cmp (&x);
 if (c < 0)
 max = mid - 1;