[avar] Prevent mul overflow

Fixes https://crbug.com/oss-fuzz/21350

src/hb-algs.hh

@@ -607,12 +607,6 @@ hb_memset (void *s, int c, unsigned int n)
   return memset (s, c, n);
 }
 
-static inline bool
-hb_unsigned_mul_overflows (unsigned int count, unsigned int size)
-{
-  return (size > 0) && (count >= ((unsigned int) -1) / size);
-}
-
 static inline unsigned int
 hb_ceil_to_4 (unsigned int v)
 {
@@ -640,6 +634,29 @@ hb_in_ranges (T u, T lo1, T hi1, T lo2, T hi2, T lo3, T hi3)
 }
 
 
+/*
+ * Overflow checking.
+ */
+
+/* Consider __builtin_mul_overflow use here also */
+static inline bool
+hb_unsigned_mul_overflows (unsigned int count, unsigned int size)
+{
+  return (size > 0) && (count >= ((unsigned int) -1) / size);
+}
+
+/* Right now we only have one use for signed overflow and as it
+ * is GCC 5.1 > and clang we don't care about its fallback ATM */
+#ifndef __has_builtin
+# define __has_builtin(x) 0
+#endif
+#if __has_builtin(__builtin_mul_overflow)
+# define hb_signed_mul_overflows(x, y, result) __builtin_mul_overflow(x, y, &result)
+#else
+# define hb_signed_mul_overflows(x, y, result) (result = (x) * (y), false)
+#endif
+
+
 /*
  * Sort and search.
  */

src/hb-ot-var-avar-table.hh

@@ -89,10 +89,14 @@ struct SegmentMaps : ArrayOf<AxisValueMap>
     if (unlikely (arrayZ[i-1].fromCoord == arrayZ[i].fromCoord))
       return arrayZ[i-1].toCoord;
 
+    int factor;
+    if (hb_signed_mul_overflows (arrayZ[i].toCoord - arrayZ[i-1].toCoord,
+				 value - arrayZ[i-1].fromCoord,
+				 factor))
+      return arrayZ[i-1].toCoord;
+
     int denom = arrayZ[i].fromCoord - arrayZ[i-1].fromCoord;
-    return arrayZ[i-1].toCoord +
+    return arrayZ[i-1].toCoord + (factor + denom/2) / denom;
-	   ((arrayZ[i].toCoord - arrayZ[i-1].toCoord) *
-	    (value - arrayZ[i-1].fromCoord) + denom/2) / denom;
 #undef toCoord
 #undef fromCoord
   }