From f887f8a8473f226bdfa5f81e4c54c9fd1a50b413 Mon Sep 17 00:00:00 2001
From: Herb Derby <herb@google.com>
Date: Mon, 23 Jan 2017 16:57:09 -0500
Subject: [PATCH] Fix comparison that overflows for addresses near uint max. -
 Fix Assert

TBR=mtklein@google.com
BUG=chromium:683578

Change-Id: Iba503d1febace367c71f79a3b9accc0ec3e50f11
Reviewed-on: https://skia-review.googlesource.com/7418
Reviewed-by: Herb Derby <herb@google.com>
Commit-Queue: Herb Derby <herb@google.com>
---
 src/core/SkArenaAlloc.cpp | 6 +++---
 src/core/SkArenaAlloc.h   | 2 ++
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/core/SkArenaAlloc.cpp b/src/core/SkArenaAlloc.cpp
index 5ac08dcdc3..4a88813485 100644
--- a/src/core/SkArenaAlloc.cpp
+++ b/src/core/SkArenaAlloc.cpp
@@ -123,7 +123,7 @@ void SkArenaAlloc::ensureSpace(size_t size, size_t alignment) {
 char* SkArenaAlloc::allocObject(size_t size, size_t alignment) {
     size_t mask = alignment - 1;
     char* objStart = (char*)((uintptr_t)(fCursor + mask) & ~mask);
-    if (objStart + size > fEnd) {
+    if ((ptrdiff_t)size > fEnd - objStart) {
         this->ensureSpace(size, alignment);
         objStart = (char*)((uintptr_t)(fCursor + mask) & ~mask);
     }
@@ -142,12 +142,12 @@ restart:
     char* objStart = (char*)((uintptr_t)(fCursor + skipOverhead + mask) & ~mask);
     size_t totalSize = sizeIncludingFooter + skipOverhead;
 
-    if (objStart + totalSize > fEnd) {
+    if ((ptrdiff_t)totalSize > fEnd - objStart) {
         this->ensureSpace(totalSize, alignment);
         goto restart;
     }
 
-    SkASSERT(objStart + totalSize <= fEnd);
+    SkASSERT((ptrdiff_t)totalSize <= fEnd - objStart);
 
     // Install a skip footer if needed, thus terminating a run of POD data. The calling code is
     // responsible for installing the footer after the object.
diff --git a/src/core/SkArenaAlloc.h b/src/core/SkArenaAlloc.h
index 532b45aa25..cd582a9ffe 100644
--- a/src/core/SkArenaAlloc.h
+++ b/src/core/SkArenaAlloc.h
@@ -68,6 +68,7 @@ public:
 
     template <typename T, typename... Args>
     T* make(Args&&... args) {
+        SkASSERT(SkTFitsIn<uint32_t>(sizeof(T)));
         char* objStart;
         if (skstd::is_trivially_destructible<T>::value) {
             objStart = this->allocObject(sizeof(T), alignof(T));
@@ -139,6 +140,7 @@ private:
         SkASSERT(SkTFitsIn<uint32_t>(count));
         char* objStart;
         size_t arraySize = count * sizeof(T);
+        SkASSERT(SkTFitsIn<uint32_t>(arraySize));
 
         if (skstd::is_trivially_destructible<T>::value) {
             objStart = this->allocObject(arraySize, alignof(T));