Fix comparison that overflows for addresses near uint max.
- Fix Assert
TBR=mtklein@google.com
BUG=chromium:683578
Change-Id: Iba503d1febace367c71f79a3b9accc0ec3e50f11
Reviewed-on: https://skia-review.googlesource.com/7418
Reviewed-by: Herb Derby <herb@google.com>
Commit-Queue: Herb Derby <herb@google.com>
diff --git a/src/core/SkArenaAlloc.cpp b/src/core/SkArenaAlloc.cpp
index 5ac08dc..4a88813 100644
--- a/src/core/SkArenaAlloc.cpp
+++ b/src/core/SkArenaAlloc.cpp
@@ -123,7 +123,7 @@
char* SkArenaAlloc::allocObject(size_t size, size_t alignment) {
size_t mask = alignment - 1;
char* objStart = (char*)((uintptr_t)(fCursor + mask) & ~mask);
- if (objStart + size > fEnd) {
+ if ((ptrdiff_t)size > fEnd - objStart) {
this->ensureSpace(size, alignment);
objStart = (char*)((uintptr_t)(fCursor + mask) & ~mask);
}
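Review bot: The new guard `(ptrdiff_t)size > fEnd - objStart` is only sound while `size` fits in `ptrdiff_t`; a `size` above `PTRDIFF_MAX` turns negative after the cast, the comparison is false, and the allocation proceeds with no room, which is the very overflow the commit is closing. The `SkTFitsIn<uint32_t>` asserts added in SkArenaAlloc.h bound only the `make`/`makeArray` paths, and only in builds where SkASSERT is active, if it is compiled out in release as its name suggests. A cast-free form avoids the problem without depending on those asserts: `if (objStart > fEnd || size > (size_t)(fEnd - objStart)) {`. The same cast appears at the `totalSize` check and the SkASSERT in the allocObjectWithFooter hunk below. The body of allocObject continues past the end of the hunk.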
@@ -142,12 +142,12 @@
char* objStart = (char*)((uintptr_t)(fCursor + skipOverhead + mask) & ~mask);
size_t totalSize = sizeIncludingFooter + skipOverhead;
- if (objStart + totalSize > fEnd) {
+ if ((ptrdiff_t)totalSize > fEnd - objStart) {
this->ensureSpace(totalSize, alignment);
goto restart;
}
- SkASSERT(objStart + totalSize <= fEnd);
+ SkASSERT((ptrdiff_t)totalSize <= fEnd - objStart);
// Install a skip footer if needed, thus terminating a run of POD data. The calling code is
// responsible for installing the footer after the object.
diff --git a/src/core/SkArenaAlloc.h b/src/core/SkArenaAlloc.h
index 532b45a..cd582a9 100644
--- a/src/core/SkArenaAlloc.h
+++ b/src/core/SkArenaAlloc.h
@@ -68,6 +68,7 @@
template <typename T, typename... Args>
T* make(Args&&... args) {
+ SkASSERT(SkTFitsIn<uint32_t>(sizeof(T)));
char* objStart;
if (skstd::is_trivially_destructible<T>::value) {
objStart = this->allocObject(sizeof(T), alignof(T));
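Review bot: `SkASSERT(SkTFitsIn<uint32_t>(sizeof(T)))` checks a compile-time constant at run time, so the bound is enforced only where SkASSERT is active and is re-evaluated per call rather than once per instantiation; a `static_assert` rejects any oversized T at build time and costs nothing in release, e.g. `static_assert(sizeof(T) <= UINT32_MAX, "SkArenaAlloc::make: object too large");` (UINT32_MAX comes from <cstdint>, which the header presumably already has given its use of uint32_t). The `arraySize` assert in the next hunk must stay a runtime check since `count` is not constant, but there `count * sizeof(T)` is computed before it is examined, and with a 32-bit size_t the product can wrap before `SkTFitsIn` sees it; asserting `count <= UINT32_MAX / sizeof(T)` before the multiplication would catch that. The body of make continues past the end of the hunk.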
@@ -139,6 +140,7 @@
SkASSERT(SkTFitsIn<uint32_t>(count));
char* objStart;
size_t arraySize = count * sizeof(T);
+ SkASSERT(SkTFitsIn<uint32_t>(arraySize));
if (skstd::is_trivially_destructible<T>::value) {
objStart = this->allocObject(arraySize, alignof(T));