From 0589787ff55bff9bd5849c4443229e926cc574a5 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod
Date: Sat, 3 Nov 2018 14:58:54 -0400
Subject: [PATCH] [kern] Fix access violation in Format3
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11245
---
 src/hb-ot-kern-table.hh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/hb-ot-kern-table.hh b/src/hb-ot-kern-table.hh
index 9f8a0115c..28ea9526d 100644
--- a/src/hb-ot-kern-table.hh
+++ b/src/hb-ot-kern-table.hh
@@ -417,7 +417,11 @@ struct KernSubTableFormat3
 hb_array_t rightClass = StructAfter > (leftClass).as_array (glyphCount);
 hb_array_t kernIndex = StructAfter > (rightClass).as_array (leftClassCount * rightClassCount);
- unsigned int i = leftClass[left] * rightClassCount + rightClass[right];
+ unsigned int leftC = leftClass[left];
+ unsigned int rightC = rightClass[right];
+ if (unlikely (leftC >= leftClassCount || rightC >= rightClassCount))
+ return 0;
+ unsigned int i = leftC * rightClassCount + rightC;
 return kernValue[kernIndex[i]];
 }
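Review bot: The final lookup `kernValue[kernIndex[i]]` still uses a byte read from the font as an index with no range check visible in this hunk; the added guard only keeps `i` inside `kernIndex`. The same applies to `leftClass[left]` and `rightClass[right]`, where `left` and `right` are not compared with `glyphCount` in the lines shown. If `hb_array_t`'s `operator[]` is not bounds-checked (its definition is outside the hunk, as is the start of this function), both need an explicit check that returns 0, e.g. `if (unlikely (left >= glyphCount || right >= glyphCount)) return 0;` before the class lookups. A one-line comment above the new guard such as `/* Class values come from font data; reject ones that would index past kernIndex. */` would record why the early return exists.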