Bug 626966 - SIGFPE _hb_sanitize_array

Fix two div-by-zero's.  Both have been fixed upstream.

2 files changed, 2 insertions, 1 deletions

diff --git a/pango/opentype/hb-open-type-private.hh b/pango/opentype/hb-open-type-private.hh
index 9e99175a..d93b8e7a 100644
--- a/pango/opentype/hb-open-type-private.hh
+++ b/pango/opentype/hb-open-type-private.hh
@@ -199,7 +199,7 @@ _hb_sanitize_array (SANITIZE_ARG_DEF,
 		    unsigned int record_size,
 		    unsigned int len)
 {
-  bool overflows = len >= ((unsigned int) -1) / record_size;
+  bool overflows = record_size > 0 && len >= ((unsigned int) -1) / record_size;
 
 #if HB_DEBUG_SANITIZE
   if (sanitize_depth < HB_DEBUG_SANITIZE) \
diff --git a/pango/opentype/hb-ot-layout-gpos-private.hh b/pango/opentype/hb-ot-layout-gpos-private.hh
index e68739ed..cdd28d2c 100644
--- a/pango/opentype/hb-ot-layout-gpos-private.hh
+++ b/pango/opentype/hb-ot-layout-gpos-private.hh
@@ -337,6 +337,7 @@ struct AnchorMatrix
   inline bool sanitize (SANITIZE_ARG_DEF, unsigned int cols) {
     TRACE_SANITIZE ();
     if (!SANITIZE_SELF ()) return false;
+    if (rows > 0 && cols >= ((unsigned int) -1) / rows) return false;
     unsigned int count = rows * cols;
     if (!SANITIZE_ARRAY (matrix, matrix[0].get_size (), count)) return false;
     for (unsigned int i = 0; i < count; i++)