Fix assertion on address overflow

Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=917031
Behdad Esfahbod 2019-01-14 15:27:34 -05:00
parent 7a6686a589
commit 480406cd3e
1 changed files with 3 additions and 2 deletions


@ -269,9 +269,10 @@ struct hb_sanitize_context_t :
const char *obj_start = (const char *) obj; const char *obj_start = (const char *) obj;
const char *obj_end = (const char *) obj + obj->get_size (); const char *obj_end = (const char *) obj + obj->get_size ();
assert (obj_start <= obj_end); /* Must not overflow. */
if (unlikely (obj_end < this->start || this->end < obj_start)) if (unlikely (obj_end < obj_start /* Overflow. */ ||
obj_end < this->start ||
this->end < obj_start))
this->start = this->end = nullptr; this->start = this->end = nullptr;
else else
{ {