diff options
author | Behdad Esfahbod <behdad@behdad.org> | 2010-09-23 15:49:57 -0400 |
---|---|---|
committer | Behdad Esfahbod <behdad@behdad.org> | 2010-09-23 15:49:57 -0400 |
commit | 152e0aab5bb29d691e5e69e2f375b3b42e15e48e (patch) | |
tree | 4b6d1914501fffd3de8aa7f9b484ff5b7fce50a2 | |
parent | 254f42980e272f0560b28d466c2b65a1748b1132 (diff) | |
download | pango-152e0aab5bb29d691e5e69e2f375b3b42e15e48e.tar.gz |
Bug 626966 - SIGFPE _hb_sanitize_array
Fix two div-by-zero's. Both have been fixed upstream.
-rw-r--r-- | pango/opentype/hb-open-type-private.hh | 2 | ||||
-rw-r--r-- | pango/opentype/hb-ot-layout-gpos-private.hh | 1 |
2 files changed, 2 insertions, 1 deletions
diff --git a/pango/opentype/hb-open-type-private.hh b/pango/opentype/hb-open-type-private.hh index 9e99175a..d93b8e7a 100644 --- a/pango/opentype/hb-open-type-private.hh +++ b/pango/opentype/hb-open-type-private.hh @@ -199,7 +199,7 @@ _hb_sanitize_array (SANITIZE_ARG_DEF, unsigned int record_size, unsigned int len) { - bool overflows = len >= ((unsigned int) -1) / record_size; + bool overflows = record_size > 0 && len >= ((unsigned int) -1) / record_size; #if HB_DEBUG_SANITIZE if (sanitize_depth < HB_DEBUG_SANITIZE) \ diff --git a/pango/opentype/hb-ot-layout-gpos-private.hh b/pango/opentype/hb-ot-layout-gpos-private.hh index e68739ed..cdd28d2c 100644 --- a/pango/opentype/hb-ot-layout-gpos-private.hh +++ b/pango/opentype/hb-ot-layout-gpos-private.hh @@ -337,6 +337,7 @@ struct AnchorMatrix inline bool sanitize (SANITIZE_ARG_DEF, unsigned int cols) { TRACE_SANITIZE (); if (!SANITIZE_SELF ()) return false; + if (rows > 0 && cols >= ((unsigned int) -1) / rows) return false; unsigned int count = rows * cols; if (!SANITIZE_ARRAY (matrix, matrix[0].get_size (), count)) return false; for (unsigned int i = 0; i < count; i++) |