From 4f801bd6586defdbf70162e0c7f8968d2b476df2 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod
Date: Wed, 21 Jul 2010 16:37:01 -0400
Subject: [PATCH] Mozilla bug 580233 - check for zero-length record in hb sanitizer.

Patch / report by Jonathan Kew.
---
 src/hb-open-type-private.hh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/hb-open-type-private.hh b/src/hb-open-type-private.hh
index 34d6cb06c..cde6414ed 100644
--- a/src/hb-open-type-private.hh
+++ b/src/hb-open-type-private.hh
@@ -229,7 +229,7 @@ struct hb_sanitize_context_t
   inline bool check_array (const void *base, unsigned int record_size, unsigned int len) const
   {
     const char *p = (const char *) base;
-    bool overflows = len >= ((unsigned int) -1) / record_size;
+    bool overflows = record_size > 0 && len >= ((unsigned int) -1) / record_size;
 
     if (HB_DEBUG_SANITIZE && (int) this->debug_depth < (int) HB_DEBUG_SANITIZE)
       fprintf (stderr, "SANITIZE(%p) %-*d-> array [%p..%p] (%d*%d=%ld bytes) in [%p..%p] -> %s\n", \
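Review bot: The new guard on the `+` line stops the division by zero but silently turns a zero `record_size` into "no overflow", so the array check degenerates to a zero-byte range check with nothing in the code saying that is intended; add a comment on that line, e.g. `/* record_size == 0: zero-byte array, nothing to check (and avoids dividing by zero) */`. If any caller derives `record_size` from font data rather than a `sizeof`, the caller should decide whether a zero-length record is acceptable for that table, since check_array cannot tell here. `((unsigned int) -1)` would read more clearly as `UINT_MAX` if `<limits.h>`/`<climits>` is already included by this header. check_array's body continues past the end of the hunk.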