Mozilla bug 580233 - check for zero-length record in hb sanitizer. Patch / report by Jonathan Kew.

commit: 4f801bd6586defdbf70162e0c7f8968d2b476df2 [log] [tgz]
author: Behdad Esfahbod <behdad@behdad.org> Wed Jul 21 16:37:01 2010 -0400
committer: Behdad Esfahbod <behdad@behdad.org> Wed Jul 21 16:37:01 2010 -0400
tree: 27c1bb37ec50529f2acb7bc53c25f78deb7427ec
parent: 17e9ff938b638fd1cb80c990ba13bd47562116b8 [diff] [blame]
diff --git a/src/hb-open-type-private.hh b/src/hb-open-type-private.hh
index 34d6cb0..cde6414 100644
--- a/src/hb-open-type-private.hh
+++ b/src/hb-open-type-private.hh

@@ -229,7 +229,7 @@
   inline bool check_array (const void *base, unsigned int record_size, unsigned int len) const
   {
     const char *p = (const char *) base;
-    bool overflows = len >= ((unsigned int) -1) / record_size;
+    bool overflows = record_size > 0 && len >= ((unsigned int) -1) / record_size;
 
     if (HB_DEBUG_SANITIZE && (int) this->debug_depth < (int) HB_DEBUG_SANITIZE)
       fprintf (stderr, "SANITIZE(%p) %-*d-> array [%p..%p] (%d*%d=%ld bytes) in [%p..%p] -> %s\n", \
commit	4f801bd6586defdbf70162e0c7f8968d2b476df2	[log] [tgz]
author	Behdad Esfahbod <behdad@behdad.org>	Wed Jul 21 16:37:01 2010 -0400
committer	Behdad Esfahbod <behdad@behdad.org>	Wed Jul 21 16:37:01 2010 -0400
tree	27c1bb37ec50529f2acb7bc53c25f78deb7427ec
parent	17e9ff938b638fd1cb80c990ba13bd47562116b8 [diff] [blame]