Speculative fix for Hunspell crash in bug 14721.

google/bdict_reader.cc

 // Copyright 2008 Google Inc. All Rights Reserved.
 
 #include "third_party/hunspell/google/bdict_reader.h"
 
 #include "base/logging.h"
 
 namespace hunspell {
 
 // Like the "Visitor" design pattern, this lightweight object provides an
 // interface around a serialized trie node at the given address in the memory.
@@ skipping 320 matching lines @@
   if (is_lookup_32()) {
     child_offset = *reinterpret_cast<const unsigned int*>(
         &bdict_data_[zeroth_entry_offset()]);
   } else {
     child_offset = *reinterpret_cast<const unsigned short*>(
         &bdict_data_[zeroth_entry_offset()]);
     child_offset += node_offset_;
   }
 
   // Range check the offset;
-  if (child_offset > bdict_length_)
+  if (child_offset >= bdict_length_) {
+    DCHECK(false) << "Offset should be less than length.";
     return FIND_DONE;
+  }
 
   // Now recurse into that child node. We don't advance to the next character
   // here since the 0th element will be a leaf (see ReaderForLookupAt).
   *result = NodeReader(bdict_data_, bdict_length_, child_offset, node_depth_);
   return FIND_NODE;
 }
 
 NodeReader::FindResult NodeReader::ReaderForLookupAt(
     size_t index,
     char* found_char,
@@ skipping 13 matching lines @@
   } else {
     // Table contains 16-bit offsets relative to the current node.
     child_offset =
         reinterpret_cast<const unsigned short*>(table_begin)[index];
     if (!child_offset)
       return FIND_NOTHING;  // This entry in the table is empty.
     child_offset += node_offset_;
   }
 
   // Range check the offset;
-  if (child_offset > bdict_length_)
+  if (child_offset >= bdict_length_) {
+    DCHECK(false) << "Offset should be less than length.";
     return FIND_DONE;  // Error.
+  }
 
   // This is a bit tricky. When we've just reached the end of a word, the word
   // itself will be stored in a leaf "node" off of this node. That node, of
   // course, will want to know that it's the end of the word and so we have to
   // have it use the same index into the word as we're using at this level.
   //
   // This happens when there is a word in the dictionary that is a strict
   // prefix of other words in the dictionary, and so we'll have a non-leaf
   // node representing the entire word before the ending leaf node.
   //
@@ skipping 52 matching lines @@
     offset = children_begin + *reinterpret_cast<const unsigned short*>(
         &list_item_begin[1]);
   } else {
     const unsigned char* list_item_begin = bdict_data_ + list_begin + index * 2;
     *found_char = list_item_begin[0];
 
     size_t children_begin = list_begin + list_item_count() * 2;
     offset = children_begin + list_item_begin[1];
   }
 
-  if (offset == 0 || node_offset_ > bdict_length_)
+  if (offset == 0 || node_offset_ >= bdict_length_) {
+    DCHECK(false) << "Offset should be less than length.";
     return FIND_DONE;  // Error, should not happen except for corruption.
+  }
 
   int char_advance = *found_char == 0 ? 0 : 1;  // See ReaderForLookupAt.
   *result = NodeReader(bdict_data_, bdict_length_,
                        offset, node_depth_ + char_advance);
   return FIND_NODE;
 }
 
 // WordIterator ----------------------------------------------------------------
 
 struct WordIterator::NodeInfo {
@@ skipping 252 matching lines @@
                              aff_header_->rep_offset);
 }
 
 
 WordIterator BDictReader::GetAllWordIterator() const {
   NodeReader reader(bdict_data_, bdict_length_, header_->dic_offset, 0);
   return WordIterator(reader);
 }
 
 }  // namespace hunspell