bug 580233 - hb sanitizer fix. r=jdaggett

gfx/harfbuzz/src/hb-open-type-private.hh

@@ -228,7 +228,7 @@ struct hb_sanitize_context_t
   inline bool check_array (const void *base, unsigned int record_size, unsigned int len) const
   {
     const char *p = (const char *) base;
-    bool overflows = len >= ((unsigned int) -1) / record_size;
+    bool overflows = record_size > 0 && len >= ((unsigned int) -1) / record_size;
 
     if (HB_DEBUG_SANITIZE && (int) this->debug_depth < (int) HB_DEBUG_SANITIZE)
       fprintf (stderr, "SANITIZE(%p) %-*d-> array [%p..%p] (%d*%d=%ld bytes) in [%p..%p] -> %s\n", \

gfx/tests/crashtests/580233-1.html

@@ -0,0 +1,7 @@
+<html><head>
+<style>@font-face{font-family:t;src:url(580233-bad_gpos_table.ttf);}
+p.t{font-size:40px;font-family:t;}</style>
+</head>
+<body>
+<p class="t">Lorem ipsum</p></body>
+</html>

gfx/tests/crashtests/crashtests.list

@@ -78,3 +78,4 @@ load 546870-1.html
 load balinese-letter-spacing.html
 load 580100-1.html
 load 580212-1.html
+load 580233-1.html