From b2fcca6e14afc8085cc1c2491b2d7c780dad1450 Mon Sep 17 00:00:00 2001
From: Qunxin Liu <qxliu@google.com>
Date: Thu, 24 Oct 2019 15:15:26 -0700
Subject: [PATCH]  fuzzer crash fix 
 https://oss-fuzz.com/testcase-detail/5643107869917184

---
 src/hb-ot-layout-gsubgpos.hh                     |  11 +++++++----
 ...e-minimized-hb-subset-fuzzer-5643107869917184 | Bin 0 -> 3232 bytes
 2 files changed, 7 insertions(+), 4 deletions(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5643107869917184

diff --git a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh
index 11b5b5f5f..1e3a1a113 100644
--- a/src/hb-ot-layout-gsubgpos.hh
+++ b/src/hb-ot-layout-gsubgpos.hh
@@ -2051,12 +2051,15 @@ struct ChainRule
   {
     TRACE_SUBSET (this);
 
+    const HeadlessArrayOf<HBUINT16> &input = StructAfter<HeadlessArrayOf<HBUINT16>> (backtrack);
+    const ArrayOf<HBUINT16> &lookahead = StructAfter<ArrayOf<HBUINT16>> (input);
+
     if (!backtrack_map)
     {
       const hb_set_t &glyphset = *c->plan->glyphset ();
       if (!hb_all (backtrack, glyphset) ||
-          !hb_all (inputX, glyphset) ||
-          !hb_all (lookaheadX, glyphset))
+          !hb_all (input, glyphset) ||
+          !hb_all (lookahead, glyphset))
         return_trace (false);
 
       copy (c->serializer, c->plan->glyph_map);
@@ -2064,8 +2067,8 @@ struct ChainRule
     else
     {
       if (!hb_all (backtrack, backtrack_map) ||
-          !hb_all (inputX, input_map) ||
-          !hb_all (lookaheadX, lookahead_map))
+          !hb_all (input, input_map) ||
+          !hb_all (lookahead, lookahead_map))
         return_trace (false);
       
       copy (c->serializer, backtrack_map, input_map, lookahead_map);
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5643107869917184 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5643107869917184
new file mode 100644
index 0000000000000000000000000000000000000000..b11bd878451d7c85af7d17667b30fb78fbf1a681
GIT binary patch
literal 3232
zcmeHHTWpj?6#nMlnf7m?6$wE!CN6SmrIi>`(xhUtZI^8b4OR=jV1j?I8@uf`+oe(-
zWC;%@TIo$2Xh3}+SP&H{#zbQZN{l8=z>pAc#D=6ktMO8#cKl|xOLv=)S|3bJJb(Ug
z=FFUP=G<l=0QmnIRn_jQFq(k#ieE3>M$_L>(F-?xCzV!jUwhJD(P>7V=Jb50r1tM*
zJ2RA&bmr<T2QfQOpUtP2E^FqRG#dn#LZD24i)`$GoC4bLA|yHJFTTIZIs;2A0ynW4
zqk2?d=iX>?jg1gU&a{zLaA-|*oj*R7FR_Mv7A?8RK`wBZTPQ~*f~cmP*<Zu4jGvEI
z%DG*MkM*?vQ~$0dHGF0--~etpv|fU(#(<#}THj6EF?10R@yp_(*~`U~_z_NUd-YD_
zN4$6&{E#kpwdQ%CMXhrwB`V8feyjqd7MdvOBcs%Zgo!|*)qAWl2TMKgn>f5k+^fM;
zp0}C?EY&r|yn2K!wnd`#5yYdhhBoXcMv;jAypHqkzV;4uckCthTRg%nkm#mh9u01=
z=$k>tne!;;#ac>tnXvv^3|O4xg|U(jCj5f)Y%F60etw&orwYbqZ0<0X+r(sYZvIa+
zOG@c2%uxhR=`-k^$(Ah#B?hRukrH+KL_Sbw^%QZC{tEWOYLN@SGfl00ysjuL%%T2}
z6Aalb55Lr>C-g0*(PWv`ujJ{u*y+bgyP`Ec(fT*zvwF2L)`k@=2JdSzD-+a6#j>7;
zOI*gXJ2MtjMH7qd)XAc&1=MKoV7HorI)U3;Zn<N6+tPAY(NHSO>oe1wk$Uwqgy>N{
z5UOAG69?5G3WOR`Lu5{?)5LS?9Pxs>Nc>gZBu=TRMlY{J?td5R7oM~>+#26k@~M7;
z*Wh#V#q11EeI-u->n2fzRpuqZJve2(x_zmFwcDzaD~GE&x>do7kQjF=>3T70@n98p
zRcv>?x5?M=uQ2cDbD`L@c|UnozC3&83YtZpItqCSwsF1o-uI7TtwJ92^Id&s+^<Fo
z!$>3^q5Wr@+6P)Y8#e8^YfIu7khikgGZ%vym5D-*ZgZq-aGHfAjTj&`Ozmlz;KMM^
zd1*M@IQ+*^UlDdk?<a4fem>e+Fs5}+fahI^go0Z`dk@|KI=C%vn5a$Ta^Cs$b;Jz4
zwebMs%b;+I(pHmd;44A*l9U=}*k0KOAqV6U;*fle_y+SW<VpD^@swoc<Qe%6@vM9g
zqFa6-M@)-S-9h2F)~c%J@!ALQ!!53CC<C^c^j<zL3Jky8wX$5sLso;3B;Wj$J-<kX
zg#1u`1o6{F$qtj3RM}^8OhS&4xh$^`ugPn~uYp9$2{TGQ0){qPbOdiHUpKyD!g23)
zko7QGOXrh=#gaJ$pSc_hB9lW?iva&rP143T3=a$Epe%jCMV<&82q)`qi@!h^oh$!;
o^JMgmW&UH$v*=oRQC#*pWnIJ%2*ey;=d%B<?|g&OpEroV0B45dnE(I)

literal 0
HcmV?d00001