From 2aef3013f3e6d71eacd0123f4faa63445034c32b Mon Sep 17 00:00:00 2001
From: Ebrahim Byagowi
Date: Sat, 24 Aug 2019 02:59:18 +0430
Subject: [PATCH] [subset] Consider instruction length place itself

Now fixes https://crbug.com/oss-fuzz/16639 completely
---
 src/hb-ot-glyf-table.hh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/hb-ot-glyf-table.hh b/src/hb-ot-glyf-table.hh
index 76efdc9b8..ab84fd334 100644
--- a/src/hb-ot-glyf-table.hh
+++ b/src/hb-ot-glyf-table.hh
@@ -541,6 +541,7 @@ struct glyf
 int16_t num_contours = (int16_t) glyph_header.numberOfContours;
 if (num_contours < 0)
 {
+ // composite glyph
 unsigned int start = glyph.length;
 unsigned int end = glyph.length;
 unsigned int glyph_offset = &glyph - glyf_table;
@@ -562,6 +563,7 @@ struct glyf
 }
 else
 {
+ // simple glyph
 unsigned int instruction_length_offset = GlyphHeader::static_size + 2 * num_contours;
 if (unlikely (instruction_length_offset + 2 > glyph.length))
 {
@@ -570,7 +572,7 @@ struct glyf
 }
 const HBUINT16 &instruction_length = StructAtOffset (&glyph, instruction_length_offset);
- if (unlikely (instruction_length_offset + instruction_length > glyph.length)) // Out of bounds of the current glyph
+ if (unlikely (instruction_length_offset + 2 + instruction_length > glyph.length)) // Out of bounds of the current glyph
 {
 DEBUG_MSG(SUBSET, nullptr, "The instructions array overruns the glyph's boundaries.");
 return false;
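Review bot: The literal `2` in the corrected check `instruction_length_offset + 2 + instruction_length > glyph.length` is the size of the HBUINT16 length field, and the same bare constant already guards the read of that field in the previous hunk (`instruction_length_offset + 2 > glyph.length`); the bug this commit closes was exactly one of those two sites forgetting it, so the two checks should share one named quantity rather than repeat a magic number. After the `instruction_length` read, `unsigned int instructions_offset = instruction_length_offset + HBUINT16::static_size;` followed by `if (unlikely (instructions_offset + instruction_length > glyph.length))` makes the dependency visible, mirroring how the offset itself is already built from `GlyphHeader::static_size`. The sum is computed in unsigned int and cannot wrap because the first check already bounds `instruction_length_offset + 2` by `glyph.length` and `instruction_length` is 16-bit, which is worth stating in the trailing comment, e.g. `// length field + instruction bytes must end inside this glyph; operands are bounded, so no wrap`. The enclosing function starts and ends outside the hunk.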