From: Behdad Esfahbod
Date: Thu, 23 Sep 2010 19:49:57 +0000 (-0400)
Subject: Bug 626966 - SIGFPE _hb_sanitize_array
X-Git-Tag: 1.29.1~177
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=152e0aab5bb29d691e5e69e2f375b3b42e15e48e;p=platform%2Fupstream%2Fpango.git

Bug 626966 - SIGFPE _hb_sanitize_array

Fix two div-by-zero's. Both have been fixed upstream.
---
diff --git a/pango/opentype/hb-open-type-private.hh b/pango/opentype/hb-open-type-private.hh
index 9e99175..d93b8e7 100644
--- a/pango/opentype/hb-open-type-private.hh
+++ b/pango/opentype/hb-open-type-private.hh
@@ -199,7 +199,7 @@ _hb_sanitize_array (SANITIZE_ARG_DEF,
 unsigned int record_size,
 unsigned int len)
 {
- bool overflows = len >= ((unsigned int) -1) / record_size;
+ bool overflows = record_size > 0 && len >= ((unsigned int) -1) / record_size;
 
 #if HB_DEBUG_SANITIZE
 if (sanitize_depth < HB_DEBUG_SANITIZE) \
diff --git a/pango/opentype/hb-ot-layout-gpos-private.hh b/pango/opentype/hb-ot-layout-gpos-private.hh
index e68739e..cdd28d2 100644
--- a/pango/opentype/hb-ot-layout-gpos-private.hh
+++ b/pango/opentype/hb-ot-layout-gpos-private.hh
@@ -337,6 +337,7 @@ struct AnchorMatrix
 inline bool sanitize (SANITIZE_ARG_DEF, unsigned int cols) {
 TRACE_SANITIZE ();
 if (!SANITIZE_SELF ()) return false;
+ if (rows > 0 && cols >= ((unsigned int) -1) / rows) return false;
 unsigned int count = rows * cols;
 if (!SANITIZE_ARRAY (matrix, matrix[0].get_size (), count)) return false;
 for (unsigned int i = 0; i < count; i++)
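Review bot: With the new `record_size > 0 &&` guard in `_hb_sanitize_array`, a zero `record_size` makes `overflows` false, so the function carries on to whatever range check follows with a zero-byte extent and will presumably accept any `len`. That is likely the intended outcome (there are no bytes to validate), but it is a policy decision on font-controlled input that the line does not explain. I would add a comment above it such as `/* record_size == 0: nothing to bounds-check; the guard only avoids dividing by zero */`, and confirm that no caller indexes `len` elements with a non-zero stride after a zero-size sanitize. The function body continues outside the hunk, so the range check itself is not visible here.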
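Review bot: The overflow test added before `unsigned int count = rows * cols;` in `AnchorMatrix::sanitize` repeats the `((unsigned int) -1) / x` idiom from `_hb_sanitize_array` as a second inline expression, so the two guards can drift apart over time. A short comment on the new line, for example `/* reject rows * cols wrap-around before sizing the array check */`, would make clear that this is a multiplication-overflow guard rather than a limit on matrix size. If more call sites need the same test, a small shared inline helper taking the two factors would keep the zero-divisor handling in one place. The `for` loop over `count` continues outside the hunk, so how each element is sanitized is not visible here.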