From 152e0aab5bb29d691e5e69e2f375b3b42e15e48e Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod
Date: Thu, 23 Sep 2010 15:49:57 -0400
Subject: [PATCH] Bug 626966 - SIGFPE _hb_sanitize_array

Fix two div-by-zero's. Both have been fixed upstream.
---
 pango/opentype/hb-open-type-private.hh | 2 +-
 pango/opentype/hb-ot-layout-gpos-private.hh | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/pango/opentype/hb-open-type-private.hh b/pango/opentype/hb-open-type-private.hh
index 9e99175..d93b8e7 100644
--- a/pango/opentype/hb-open-type-private.hh
+++ b/pango/opentype/hb-open-type-private.hh
@@ -199,7 +199,7 @@ _hb_sanitize_array (SANITIZE_ARG_DEF,
 unsigned int record_size,
 unsigned int len)
 {
- bool overflows = len >= ((unsigned int) -1) / record_size;
+ bool overflows = record_size > 0 && len >= ((unsigned int) -1) / record_size;
 
 #if HB_DEBUG_SANITIZE
 if (sanitize_depth < HB_DEBUG_SANITIZE) \
diff --git a/pango/opentype/hb-ot-layout-gpos-private.hh b/pango/opentype/hb-ot-layout-gpos-private.hh
index e68739e..cdd28d2 100644
--- a/pango/opentype/hb-ot-layout-gpos-private.hh
+++ b/pango/opentype/hb-ot-layout-gpos-private.hh
@@ -337,6 +337,7 @@ struct AnchorMatrix
 inline bool sanitize (SANITIZE_ARG_DEF, unsigned int cols) {
 TRACE_SANITIZE ();
 if (!SANITIZE_SELF ()) return false;
+ if (rows > 0 && cols >= ((unsigned int) -1) / rows) return false;
 unsigned int count = rows * cols;
 if (!SANITIZE_ARRAY (matrix, matrix[0].get_size (), count)) return false;
 for (unsigned int i = 0; i < count; i++)
-- 
2.7.4
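Review bot: The new `record_size > 0 &&` guard in `_hb_sanitize_array` makes a zero record size count as "does not overflow", and nothing in the hunk says whether that is deliberate. The rest of the function lies outside the hunk, so it is not visible here whether an array of `len` zero-sized records is then accepted or rejected; that decision deserves an explicit statement because both values presumably derive from font data. I would add a comment above the line such as `/* record_size == 0: the product is 0 and cannot overflow; the test only avoids the SIGFPE from dividing by zero */`. The `>=` comparison also rejects a product that fits exactly, which is safe but worth noting in the same comment.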
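Review bot: The added check in `AnchorMatrix::sanitize` open-codes the same expression, `x > 0 && y >= ((unsigned int) -1) / x`, that the first hunk adds to `_hb_sanitize_array`, and the bug fixed here is exactly what happens when one copy of that pattern omits the zero guard. A single shared helper would keep the guard in one place, for example (name is a suggestion) `static inline bool _hb_mul_overflows (unsigned int a, unsigned int b) { return a > 0 && b >= ((unsigned int) -1) / a; }`, called as `if (_hb_mul_overflows (rows, cols)) return false;` before `count = rows * cols`. The declaration of `rows` and the body of the `for` loop are outside the hunk, so the operand types are assumed to be unsigned and no wider than `unsigned int`.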