[pango] [HB] Avoid int overflow in GPOS

[Behdad Esfahbod <behdad src gnome org>]

commit f1d8d01c81b10a8c5ed47fef7a3fba10aa66140c
Author: Behdad Esfahbod <behdad behdad org>
Date:   Mon Aug 17 16:48:13 2009 -0400

    [HB] Avoid int overflow in GPOS
    
    Bug 592036 - integer overflow bug causes misrendering of Nepali characters

 pango/opentype/hb-ot-layout-gpos-private.hh |   20 ++++++++++----------
 pango/opentype/hb-private.h                 |    3 +++
 2 files changed, 13 insertions(+), 10 deletions(-)
---
diff --git a/pango/opentype/hb-ot-layout-gpos-private.hh b/pango/opentype/hb-ot-layout-gpos-private.hh
index 3aa1160..e665c15 100644
--- a/pango/opentype/hb-ot-layout-gpos-private.hh
+++ b/pango/opentype/hb-ot-layout-gpos-private.hh
@@ -102,13 +102,13 @@ struct ValueRecord {
     y_scale = context->font->y_scale;
     /* design units -> fractional pixel */
     if (format & xPlacement)
-      glyph_pos->x_pos += x_scale * *(SHORT*)values++ / 0x10000;
+      glyph_pos->x_pos += _hb_16dot16_mul_trunc (x_scale, *(SHORT*)values++);
     if (format & yPlacement)
-      glyph_pos->y_pos += y_scale * *(SHORT*)values++ / 0x10000;
+      glyph_pos->y_pos += _hb_16dot16_mul_trunc (y_scale, *(SHORT*)values++);
     if (format & xAdvance)
-      glyph_pos->x_advance += x_scale * *(SHORT*)values++ / 0x10000;
+      glyph_pos->x_advance += _hb_16dot16_mul_trunc (x_scale, *(SHORT*)values++);
     if (format & yAdvance)
-      glyph_pos->y_advance += y_scale * *(SHORT*)values++ / 0x10000;
+      glyph_pos->y_advance += _hb_16dot16_mul_trunc (y_scale, *(SHORT*)values++);
 
     x_ppem = context->font->x_ppem;
     y_ppem = context->font->y_ppem;
@@ -150,8 +150,8 @@ struct AnchorFormat1
   inline void get_anchor (hb_ot_layout_context_t *context, hb_codepoint_t glyph_id,
 			  hb_position_t *x, hb_position_t *y) const
   {
-      *x = context->font->x_scale * xCoordinate / 0x10000;
-      *y = context->font->y_scale * yCoordinate / 0x10000;
+      *x = _hb_16dot16_mul_trunc (context->font->x_scale, xCoordinate);
+      *y = _hb_16dot16_mul_trunc (context->font->y_scale, yCoordinate);
   }
 
   inline bool sanitize (SANITIZE_ARG_DEF) {
@@ -175,8 +175,8 @@ struct AnchorFormat2
 			  hb_position_t *x, hb_position_t *y) const
   {
       /* TODO Contour */
-      *x = context->font->x_scale * xCoordinate / 0x10000;
-      *y = context->font->y_scale * yCoordinate / 0x10000;
+      *x = _hb_16dot16_mul_trunc (context->font->x_scale, xCoordinate);
+      *y = _hb_16dot16_mul_trunc (context->font->y_scale, yCoordinate);
   }
 
   inline bool sanitize (SANITIZE_ARG_DEF) {
@@ -200,8 +200,8 @@ struct AnchorFormat3
   inline void get_anchor (hb_ot_layout_context_t *context, hb_codepoint_t glyph_id,
 			  hb_position_t *x, hb_position_t *y) const
   {
-      *x = context->font->x_scale * xCoordinate / 0x10000;
-      *y = context->font->y_scale * yCoordinate / 0x10000;
+      *x = _hb_16dot16_mul_trunc (context->font->x_scale, xCoordinate);
+      *y = _hb_16dot16_mul_trunc (context->font->y_scale, yCoordinate);
 
       if (context->font->x_ppem)
 	*x += (this+xDeviceTable).get_delta (context->font->x_ppem) << 6;
diff --git a/pango/opentype/hb-private.h b/pango/opentype/hb-private.h
index dbeafef..cdc2b84 100644
--- a/pango/opentype/hb-private.h
+++ b/pango/opentype/hb-private.h
@@ -201,6 +201,9 @@ _hb_popcount32 (uint32_t mask)
 }
 
 
+/* Multiplies a 16dot16 value by another value, then truncates the result */
+#define _hb_16dot16_mul_trunc(A,B) ((int64_t) (A) * (B) / 0x10000)
+
 #include "hb-object-private.h"
 
 #endif /* HB_PRIVATE_H */