From b5dd44e24669cd35affcd92788d39ff56cac94db Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod
Date: Mon, 28 Feb 2011 10:13:52 -0800
Subject: [PATCH] Fix possible overflow
---
 src/hb-buffer.cc | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/hb-buffer.cc b/src/hb-buffer.cc
index 04ae8c926..c868091b5 100644
--- a/src/hb-buffer.cc
+++ b/src/hb-buffer.cc
@@ -73,8 +73,16 @@ _hb_buffer_enlarge (hb_buffer_t *buffer, unsigned int size)
   while (size > new_allocated)
     new_allocated += (new_allocated >> 1) + 8;
 
-  new_pos = (hb_glyph_position_t *) realloc (buffer->pos, new_allocated * sizeof (buffer->pos[0]));
-  new_info = (hb_glyph_info_t *) realloc (buffer->info, new_allocated * sizeof (buffer->info[0]));
+  ASSERT_STATIC (sizeof (buffer->info[0]) == sizeof (buffer->pos[0]));
+  bool overflows = new_allocated >= ((unsigned int) -1) / sizeof (buffer->info[0]);
+
+  if (unlikely (overflows)) {
+    new_pos = NULL;
+    new_info = NULL;
+  } else {
+    new_pos = (hb_glyph_position_t *) realloc (buffer->pos, new_allocated * sizeof (buffer->pos[0]));
+    new_info = (hb_glyph_info_t *) realloc (buffer->info, new_allocated * sizeof (buffer->info[0]));
+  }
 
   if (unlikely (!new_pos || !new_info))
     buffer->in_error = TRUE;
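Review bot: The new guard `bool overflows = new_allocated >= ((unsigned int) -1) / sizeof (buffer->info[0]);` sits below the growth loop `while (size > new_allocated) new_allocated += (new_allocated >> 1) + 8;`, so the multiplication is now checked but the addition that produces `new_allocated` is not; the cast to `(unsigned int) -1` suggests `new_allocated` is an `unsigned int` (its declaration is outside the hunk), and for a `size` near `UINT_MAX` the `+=` wraps, which can leave the loop spinning or exiting with a value that the later check accepts but that is smaller than `size`. Since `size` comes from the buffer's growth requests, a defender would want the wrap detected at the point it happens rather than relying on the range check after the fact. I would fold the wrap test into the loop and OR it into `overflows` before the existing division check, as sketched below. _hb_buffer_enlarge begins before this hunk and the handling of a partially successful realloc pair continues after it.

```cpp
  bool overflows = false;
  while (size > new_allocated) {
    unsigned int grow = (new_allocated >> 1) + 8;
    /* unsigned wrap here would spin the loop or undersize the buffer */
    if (unlikely (new_allocated > ((unsigned int) -1) - grow)) {
      overflows = true;
      break;
    }
    new_allocated += grow;
  }

  ASSERT_STATIC (sizeof (buffer->info[0]) == sizeof (buffer->pos[0]));
  overflows = overflows || new_allocated >= ((unsigned int) -1) / sizeof (buffer->info[0]);
  /* … unchanged: realloc pair under if (unlikely (overflows)) … */
```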