From 556b16d6a20f11627c75c1365dea5a6332091779 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod
Date: Thu, 15 May 2008 20:03:05 -0400
Subject: [PATCH] [cairo-traps] Fix overflow in traps_path code

This was causing the user-font test failure in type1 subsetting code as the type1 code creates a font at size 1000.
---
 src/cairo-traps.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/src/cairo-traps.c b/src/cairo-traps.c
index 91bb92699..fcb020885 100644
--- a/src/cairo-traps.c
+++ b/src/cairo-traps.c
@@ -660,18 +660,19 @@ _cairo_traps_extract_region (const cairo_traps_t *traps,
 /* moves trap points such that they become the actual corners of the trapezoid */
 static void
-_sanitize_trap (cairo_trapezoid_t *trap)
+_sanitize_trap (cairo_trapezoid_t *t)
 {
-/* XXX the math here is fragile. can overflow in extreme cases */
-#define FIX(t, lr, tb, p) \
+ cairo_trapezoid_t s = *t;
+
+#define FIX(lr, tb, p) \
 if (t->lr.p.y != t->tb) { \
- t->lr.p.x = t->lr.p2.x + (t->lr.p1.x - t->lr.p2.x) * (t->tb - t->lr.p2.y) / (t->lr.p1.y - t->lr.p2.y); \
- t->lr.p.y = t->tb; \
+ t->lr.p.x = s.lr.p2.x + _cairo_fixed_mul_div (s.lr.p1.x - s.lr.p2.x, s.tb - s.lr.p2.y, s.lr.p1.y - s.lr.p2.y); \
+ t->lr.p.y = s.tb; \
 }
- FIX (trap, left, top, p1);
- FIX (trap, left, bottom, p2);
- FIX (trap, right, top, p1);
- FIX (trap, right, bottom, p2);
+ FIX (left, top, p1);
+ FIX (left, bottom, p2);
+ FIX (right, top, p1);
+ FIX (right, bottom, p2);
 }
 cairo_private cairo_status_t
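Review bot: The operands handed to `_cairo_fixed_mul_div` in the new `FIX` macro are still formed with plain fixed-point subtraction (`s.lr.p1.x - s.lr.p2.x`, `s.tb - s.lr.p2.y`, `s.lr.p1.y - s.lr.p2.y`), and the result is added back to `s.lr.p2.x` the same way, so only the intermediate product is protected; assuming `cairo_fixed_t` is a 32-bit signed type, those steps can still overflow for coordinates near the ends of the range, which is undefined behaviour for signed integers in C. Since the hunk deletes the `XXX` warning, I would keep a narrower one, e.g. `/* XXX the differences and the final add can still overflow cairo_fixed_t for extreme coordinates */`. The divisor `s.lr.p1.y - s.lr.p2.y` is also unguarded: the `if` only compares `p.y` with `tb`, so an edge with `p1.y == p2.y` would reach the division with a zero denominator unless callers rule that out, which is not visible here. A one-line comment on `s = *t` saying that it makes every `FIX` read the original endpoints rather than ones an earlier `FIX` already moved would help, and since no `#undef FIX` is visible after the last use, adding one would keep the macro, which now silently captures `t` and `s`, from leaking into the rest of the file.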