[ot-font] Fix hmtx table length checking, *again*

Exactly the same problem that I fixed in
63ef0b41dc

I rewrote the table checking yesterday in
67f8821fb2
and introduced the exact same issue again. :(
Good thing we have ongoing fuzzing going now.  Was discovered
immediately by libFuzzer.  Thanks kcc!

https://github.com/behdad/harfbuzz/issues/139#issuecomment-153449473
Fixes https://github.com/behdad/harfbuzz/issues/156
Behdad Esfahbod 2015-11-03 12:15:12 -08:00
parent 3530cc2d7c
commit df698f3299
4 changed files with 4 additions and 2 deletions

@ -59,11 +59,11 @@ struct hb_ot_face_metrics_accelerator_t
/* Cap num_metrics() and num_advances() based on table length. */
unsigned int len = hb_blob_get_length (this->blob);
if (unlikely (this->num_advances * 4 < len))
if (unlikely (this->num_advances * 4 > len))
this->num_advances = len / 4;
this->num_metrics = this->num_advances + (len - 4 * this->num_advances) / 2;
/* We MUSt set num_metrics to zero if num_advances is zero.
/* We MUST set num_metrics to zero if num_advances is zero.
* Our get_advance() depends on that. */
if (unlikely (!this->num_advances))
{
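Review bot: The corrected check `this->num_advances * 4 > len` is the only thing that keeps `len - 4 * this->num_advances` two lines later from wrapping around, since `len` is `unsigned int`, and the commit message says this comparison has now been inverted twice. Consider writing it as `this->num_advances > len / 4`, so it reads the same way as the assignment `this->num_advances = len / 4` that follows, and extending the "Cap num_metrics() and num_advances()" comment to state the invariant `4 * num_advances <= len` that the num_metrics computation depends on.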

@ -17,6 +17,7 @@
757ebd573617a24aa9dfbf0b885c54875c6fe06b.ttf
7e14e7883ed152baa158b80e207b66114c823a8b.ttf
813c2f8e5512187fd982417a7fb4286728e6f4a8.ttf
8240789f6d12d4cfc4b5e8e6f246c3701bcf861f.ttf
8454d22037f892e76614e1645d066689a0200e61.ttf
8a9fea2a7384f2116e5b84a9b31f83be7850ce21.ttf
a919b33197965846f21074b24e30250d67277bce.ttf

@ -3,3 +3,4 @@ fonts/sha1sum/5a5daf5eb5a4db77a2baa3ad9c7a6ed6e0655fa8.ttf:--font-funcs=ot:U+004
fonts/sha1sum/0509e80afb379d16560e9e47bdd7d888bebdebc6.ttf:--font-funcs=ot:U+0041:[gid0=0+1000]
fonts/sha1sum/641bd9db850193064d17575053ae2bf8ec149ddc.ttf:--font-funcs=ot:U+0041:[gid0=0+1000]
fonts/sha1sum/375d6ae32a3cbe52fbf81a4e5777e3377675d5a3.ttf:--font-funcs=ot:U+0041:[gid0=0+4352]
fonts/sha1sum/8240789f6d12d4cfc4b5e8e6f246c3701bcf861f.ttf:--font-funcs=ot:U+0041:[gid0=0+2304]
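Review bot: The new expectation `[gid0=0+2304]` on the last line pins the advance produced for the added font, but nothing in the entry says which report it covers. If this test list format allows comments, a reference to issue 156 next to the entry would record why the font is here; as it stands the commit message is the only link between the test case and the bug.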