Avoid possible integer overflows computing indexes in OT layout

src/hb/ot_layout_gsubgpos.rs

@@ -864,7 +864,7 @@ fn apply_lookup(
 
         // Convert positions to new indexing.
         for j in 0..count {
-            match_positions[j] = (match_positions[j] as isize + delta) as _;
+            match_positions[j] = match_positions[j].saturating_add_signed(delta);
         }
 
         backtrack_len + match_end - ctx.buffer.idx
@@ -938,7 +938,9 @@ fn apply_lookup(
             // https://bugs.chromium.org/p/chromium/issues/detail?id=659496
             // https://github.com/harfbuzz/harfbuzz/issues/1611
             //
-            delta += match_positions[idx] as isize - end as isize;
+            delta = delta
+                .saturating_add(match_positions[idx].try_into().unwrap())
+                .saturating_sub(end.try_into().unwrap());
             end = match_positions[idx];
         }
 
@@ -956,14 +958,14 @@ fn apply_lookup(
             }
         } else {
             // NOTE: delta is non-positive.
-            delta = delta.max(next as isize - count as isize);
-            next = (next as isize - delta) as _;
+            delta = delta.max(next.saturating_sub(count).try_into().unwrap());
+            next = next.saturating_sub(delta.try_into().unwrap());
         }
 
         // Shift!
         match_positions.copy_within(next..count, (next as isize + delta) as _);
-        next = (next as isize + delta) as _;
-        count = (count as isize + delta) as _;
+        next = next.saturating_add_signed(delta);
+        count = count.saturating_add_signed(delta);
 
         // Fill in new entries.
         for j in idx + 1..next {
@@ -972,7 +974,7 @@ fn apply_lookup(
 
         // And fixup the rest.
         while next < count {
-            match_positions[next] = (match_positions[next] as isize + delta) as _;
+            match_positions[next] = match_positions[next].saturating_add_signed(delta);
             next += 1;
         }
     }