Fix comparison that overflows for addresses near uint max.

BUG=chromium:683578

Change-Id: I3f9b79eeeba3c68cccb72bd6423811c8ff8f2067
Reviewed-on: https://skia-review.googlesource.com/7410
Commit-Queue: Herb Derby <herb@google.com>
Commit-Queue: Mike Klein <mtklein@chromium.org>
Reviewed-by: Mike Klein <mtklein@chromium.org>

2 files changed, 3 insertions, 2 deletions

diff --git a/src/core/SkArenaAlloc.cpp b/src/core/SkArenaAlloc.cpp
index 5ac08dcdc3..39d1ed5fc8 100644
--- a/src/core/SkArenaAlloc.cpp
+++ b/src/core/SkArenaAlloc.cpp
@@ -123,7 +123,7 @@ void SkArenaAlloc::ensureSpace(size_t size, size_t alignment) {
 char* SkArenaAlloc::allocObject(size_t size, size_t alignment) {
     size_t mask = alignment - 1;
     char* objStart = (char*)((uintptr_t)(fCursor + mask) & ~mask);
-    if (objStart + size > fEnd) {
+    if (size > (size_t)(fEnd - objStart)) {
         this->ensureSpace(size, alignment);
         objStart = (char*)((uintptr_t)(fCursor + mask) & ~mask);
     }
@@ -142,7 +142,7 @@ restart:
     char* objStart = (char*)((uintptr_t)(fCursor + skipOverhead + mask) & ~mask);
     size_t totalSize = sizeIncludingFooter + skipOverhead;
 
-    if (objStart + totalSize > fEnd) {
+    if (totalSize > (size_t)(fEnd - objStart)) {
         this->ensureSpace(totalSize, alignment);
         goto restart;
     }
diff --git a/src/core/SkArenaAlloc.h b/src/core/SkArenaAlloc.h
index 532b45aa25..589f782b1e 100644
--- a/src/core/SkArenaAlloc.h
+++ b/src/core/SkArenaAlloc.h
@@ -68,6 +68,7 @@ public:
 
     template <typename T, typename... Args>
     T* make(Args&&... args) {
+        SkASSERT(SkTFitsIn<uint32_t>(sizeof(T)));
         char* objStart;
         if (skstd::is_trivially_destructible<T>::value) {
             objStart = this->allocObject(sizeof(T), alignof(T));