Fix comparison that overflows for addresses near uint max.

- Fix Assert TBR=mtklein@google.com BUG=chromium:683578 Change-Id: Iba503d1febace367c71f79a3b9accc0ec3e50f11 Reviewed-on: https://skia-review.googlesource.com/7418 Reviewed-by: Herb Derby <herb@google.com> Commit-Queue: Herb Derby <herb@google.com>
2017-01-23 16:57:09 -05:00 · 2017-01-23 16:57:09 -05:00 · f887f8a847
commit f887f8a847
parent a19f024953
2 changed files with 5 additions and 3 deletions
--- a/src/core/SkArenaAlloc.cpp
+++ b/src/core/SkArenaAlloc.cpp
@ -123,7 +123,7 @@ void SkArenaAlloc::ensureSpace(size_t size, size_t alignment) {
 char* SkArenaAlloc::allocObject(size_t size, size_t alignment) {
    size_t mask = alignment - 1;
    char* objStart = (char*)((uintptr_t)(fCursor + mask) & ~mask);
-    if (objStart + size > fEnd) {
+    if ((ptrdiff_t)size > fEnd - objStart) {
        this->ensureSpace(size, alignment);
        objStart = (char*)((uintptr_t)(fCursor + mask) & ~mask);
    }
@ -142,12 +142,12 @@ restart:
    char* objStart = (char*)((uintptr_t)(fCursor + skipOverhead + mask) & ~mask);
    size_t totalSize = sizeIncludingFooter + skipOverhead;

-    if (objStart + totalSize > fEnd) {
+    if ((ptrdiff_t)totalSize > fEnd - objStart) {
        this->ensureSpace(totalSize, alignment);
        goto restart;
    }

-    SkASSERT(objStart + totalSize <= fEnd);
+    SkASSERT((ptrdiff_t)totalSize <= fEnd - objStart);

    // Install a skip footer if needed, thus terminating a run of POD data. The calling code is
    // responsible for installing the footer after the object.
--- a/src/core/SkArenaAlloc.h
+++ b/src/core/SkArenaAlloc.h
@ -68,6 +68,7 @@ public:

    template <typename T, typename... Args>
    T* make(Args&&... args) {
+        SkASSERT(SkTFitsIn<uint32_t>(sizeof(T)));
        char* objStart;
        if (skstd::is_trivially_destructible<T>::value) {
            objStart = this->allocObject(sizeof(T), alignof(T));
@ -139,6 +140,7 @@ private:
        SkASSERT(SkTFitsIn<uint32_t>(count));
        char* objStart;
        size_t arraySize = count * sizeof(T);
+        SkASSERT(SkTFitsIn<uint32_t>(arraySize));

        if (skstd::is_trivially_destructible<T>::value) {
            objStart = this->allocObject(arraySize, alignof(T));