[pango/1.28] Bug 626966 - SIGFPE _hb_sanitize_array



commit ab5e0df8a7a7970e6e4ec03c13a15f7d04cc7594
Author: Behdad Esfahbod <behdad behdad org>
Date:   Thu Sep 23 15:49:57 2010 -0400

    Bug 626966 - SIGFPE _hb_sanitize_array
    
    Fix two div-by-zero's.  Both have been fixed upstream.

 pango/opentype/hb-open-type-private.hh      |    2 +-
 pango/opentype/hb-ot-layout-gpos-private.hh |    1 +
 2 files changed, 2 insertions(+), 1 deletions(-)
---
diff --git a/pango/opentype/hb-open-type-private.hh b/pango/opentype/hb-open-type-private.hh
index 9e99175..d93b8e7 100644
--- a/pango/opentype/hb-open-type-private.hh
+++ b/pango/opentype/hb-open-type-private.hh
@@ -199,7 +199,7 @@ _hb_sanitize_array (SANITIZE_ARG_DEF,
 		    unsigned int record_size,
 		    unsigned int len)
 {
-  bool overflows = len >= ((unsigned int) -1) / record_size;
+  bool overflows = record_size > 0 && len >= ((unsigned int) -1) / record_size;
 
 #if HB_DEBUG_SANITIZE
   if (sanitize_depth < HB_DEBUG_SANITIZE) \
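Review bot: The new `record_size > 0 &&` guard on the `overflows` line has no comment explaining why a zero record size is treated as "does not overflow" rather than rejected. With `record_size == 0` the product `len * record_size` is 0 for any `len`, so the range check later in `_hb_sanitize_array` (outside this hunk) presumably covers an empty span. I would state that above the line: `/* record_size may be 0: skip the division; len * record_size is then 0 and cannot wrap. */`. The `SANITIZE_ARRAY` call in `AnchorMatrix::sanitize`, which presumably reaches this function, passes `matrix[0].get_size ()` as the record size, so the value is not a compile-time constant at every call site. Because the function body continues outside the hunk, whether a zero-size record should instead fail sanitization needs confirming against the rest of it.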
diff --git a/pango/opentype/hb-ot-layout-gpos-private.hh b/pango/opentype/hb-ot-layout-gpos-private.hh
index e68739e..cdd28d2 100644
--- a/pango/opentype/hb-ot-layout-gpos-private.hh
+++ b/pango/opentype/hb-ot-layout-gpos-private.hh
@@ -337,6 +337,7 @@ struct AnchorMatrix
   inline bool sanitize (SANITIZE_ARG_DEF, unsigned int cols) {
     TRACE_SANITIZE ();
     if (!SANITIZE_SELF ()) return false;
+    if (rows > 0 && cols >= ((unsigned int) -1) / rows) return false;
     unsigned int count = rows * cols;
     if (!SANITIZE_ARRAY (matrix, matrix[0].get_size (), count)) return false;
     for (unsigned int i = 0; i < count; i++)
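Review bot: The overflow test added before `rows * cols` is a second hand-written copy of the expression in `_hb_sanitize_array`, so the next `sanitize` method that multiplies two counts (presumably read from font data) can easily omit or mistype it. A shared helper would keep the copies in step, for example (name is only a suggestion) `static inline bool mul_overflows (unsigned int count, unsigned int size) { return size > 0 && count >= ((unsigned int) -1) / size; }`, used here as `if (mul_overflows (cols, rows)) return false;`. The `>=` also rejects the boundary case where the product would still fit; that is harmless for a sanitizer but deserves a one-line comment so nobody "fixes" it to `>`. The body of `sanitize` continues past the end of the hunk.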


