From 40f2b9355cf827c7b82ea5e55b112ce0032a9abf Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Sun, 14 Oct 2018 14:56:32 -0700
Subject: [PATCH] [kerx] Fix Format1 sanitize

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10948
---
 src/hb-aat-layout-kerx-table.hh | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/hb-aat-layout-kerx-table.hh b/src/hb-aat-layout-kerx-table.hh
index 52923a8da..ae11963a9 100644
--- a/src/hb-aat-layout-kerx-table.hh
+++ b/src/hb-aat-layout-kerx-table.hh
@@ -212,7 +212,9 @@ struct KerxSubTableFormat1
   inline bool sanitize (hb_sanitize_context_t *c) const
   {
     TRACE_SANITIZE (this);
-    return_trace (likely (machine.sanitize (c)));
+    /* The rest of array sanitizations are done at run-time. */
+    return_trace (likely (c->check_struct (this) &&
+			  machine.sanitize (c)));
   }
 
   protected:
@@ -444,11 +446,9 @@ struct KerxSubTableFormat4
   inline bool sanitize (hb_sanitize_context_t *c) const
   {
     TRACE_SANITIZE (this);
-
     /* The rest of array sanitizations are done at run-time. */
-    return_trace (c->check_struct (this) &&
-		  machine.sanitize (c) &&
-		  flags.sanitize (c));
+    return_trace (likely (c->check_struct (this) &&
+			  machine.sanitize (c)));
   }
 
   protected: