Fix possible overflow in bsearch impls

From bungeman. Fixes https://github.com/harfbuzz/harfbuzz/pull/1314
2018-10-25 13:19:34 -07:00 · 2018-10-25 13:19:34 -07:00 · 21ede867df
parent 94e421abbf
commit 21ede867df
5 changed files with 6 additions and 6 deletions
--- a/src/hb-dsalgs.hh
+++ b/src/hb-dsalgs.hh
@ -321,7 +321,7 @@ hb_bsearch_r (const void *key, const void *base,
  int min = 0, max = (int) nmemb - 1;
  while (min <= max)
  {
-    int mid = (min + max) / 2;
+    int mid = ((unsigned int) min + (unsigned int) max) / 2;
    const void *p = (const void *) (((const char *) base) + (mid * size));
    int c = compar (key, p, arg);
    if (c < 0)
--- a/src/hb-open-type.hh
+++ b/src/hb-open-type.hh
@ -702,7 +702,7 @@ struct SortedArrayOf : ArrayOf<Type, LenType>
    int min = 0, max = (int) this->len - 1;
    while (min <= max)
    {
-      int mid = (min + max) / 2;
+      int mid = ((unsigned int) min + (unsigned int) max) / 2;
      int c = arr[mid].cmp (x);
      if (c < 0)
        max = mid - 1;
@ -825,7 +825,7 @@ struct VarSizedBinSearchArrayOf
    int min = 0, max = (int) header.nUnits - 1;
    while (min <= max)
    {
-      int mid = (min + max) / 2;
+      int mid = ((unsigned int) min + (unsigned int) max) / 2;
      const Type *p = (const Type *) (((const char *) &bytesZ) + (mid * size));
      int c = p->cmp (key);
      if (c < 0)
--- a/src/hb-ot-cmap-table.hh
+++ b/src/hb-ot-cmap-table.hh
@ -249,7 +249,7 @@ struct CmapSubtableFormat4
      unsigned int i;
      while (min <= max)
      {
-	int mid = (min + max) / 2;
+        int mid = ((unsigned int) min + (unsigned int) max) / 2;
 	if (codepoint < startCount[mid])
 	  max = mid - 1;
 	else if (codepoint > endCount[mid])
--- a/src/hb-ot-layout-gpos-table.hh
+++ b/src/hb-ot-layout-gpos-table.hh
@ -663,7 +663,7 @@ struct PairSet
    int min = 0, max = (int) count - 1;
    while (min <= max)
    {
-      int mid = (min + max) / 2;
+      int mid = ((unsigned int) min + (unsigned int) max) / 2;
      const PairValueRecord *record = &StructAtOffset<PairValueRecord> (&firstPairValueRecord, record_size * mid);
      hb_codepoint_t mid_x = record->secondGlyph;
      if (x < mid_x)
--- a/src/hb-vector.hh
+++ b/src/hb-vector.hh
@ -232,7 +232,7 @@ struct hb_vector_t
    const Type *array = this->arrayZ();
    while (min <= max)
    {
-      int mid = (min + max) / 2;
+      int mid = ((unsigned int) min + (unsigned int) max) / 2;
      int c = array[mid].cmp (&x);
      if (c < 0)
        max = mid - 1;