For well formed TrueType glyph data, the bounding box should contain all of the nodes. However, malicious data might lead to out-of-bounds nodes, so more bounds checking is necessary for a production quality rasterizer.
Even with well formed data, I suspect (based on my Go port) that the Rust version will panic at a line like
self.a[linestart + (x0i + 1) as usize]
when the glyph being rendered has an on-curve point at the bottom right corner of the rasterization buffer. You should be able to see this with the capital-'I' glyph from a sans-serif font.
For well formed TrueType glyph data, the bounding box should contain all of the nodes. However, malicious data might lead to out-of-bounds nodes, so more bounds checking is necessary for a production quality rasterizer.
Even with well formed data, I suspect (based on my Go port) that the Rust version will panic at a line like
self.a[linestart + (x0i + 1) as usize]
when the glyph being rendered has an on-curve point at the bottom right corner of the rasterization buffer. You should be able to see this with the capital-'I' glyph from a sans-serif font.
In my Go port, I tightened this up in https://github.com/google/font-go/commit/568cda65618dfe210268a93e399db6c9ca409104