Mozilla bug 580233 - check for zero-length record in hb sanitizer.

Patch / report by Jonathan Kew.

diff --git a/src/hb-open-type-private.hh b/src/hb-open-type-private.hh
index 34d6cb0..cde6414 100644 (file)
--- a/src/hb-open-type-private.hh
+++ b/src/hb-open-type-private.hh
@@ -229,7 +229,7 @@ struct hb_sanitize_context_t
   inline bool check_array (const void *base, unsigned int record_size, unsigned int len) const
   {
     const char *p = (const char *) base;
-    bool overflows = len >= ((unsigned int) -1) / record_size;
+    bool overflows = record_size > 0 && len >= ((unsigned int) -1) / record_size;
 
     if (HB_DEBUG_SANITIZE && (int) this->debug_depth < (int) HB_DEBUG_SANITIZE)
       fprintf (stderr, "SANITIZE(%p) %-*d-> array [%p..%p] (%d*%d=%ld bytes) in [%p..%p] -> %s\n", \