From 4b461785bdf356e4b5586cb6e5b226f47da04b7d Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod
Date: Tue, 9 Oct 2018 22:46:30 -0400
Subject: [PATCH] Fix check

---
 src/hb-aat-layout-kerx-table.hh | 2 ++
 src/hb-aat-layout.cc | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/hb-aat-layout-kerx-table.hh b/src/hb-aat-layout-kerx-table.hh
index 42181bf64..c73183473 100644
--- a/src/hb-aat-layout-kerx-table.hh
+++ b/src/hb-aat-layout-kerx-table.hh
@@ -113,6 +113,8 @@ struct KerxSubTableFormat2
 unsigned int r = *(this+rightClassTable).get_value (right, num_glyphs);
 unsigned int offset = l + r;
 const FWORD *arr = &(this+array);
+ if (unlikely ((const void *) arr < (const void *) this || (const void *) arr >= (const void *) end))
+ return 0;
 const FWORD *v = &StructAtOffset (arr, offset);
 if (unlikely ((const void *) v < (const void *) arr || (const void *) (v + 1) > (const void *) end))
 return 0;
diff --git a/src/hb-aat-layout.cc b/src/hb-aat-layout.cc
index 5cd9621f1..71932e798 100644
--- a/src/hb-aat-layout.cc
+++ b/src/hb-aat-layout.cc
@@ -74,7 +74,9 @@ hb_aat_layout_substitute (hb_ot_shape_plan_t *plan,
 }
 
 void
-hb_aat_layout_position (hb_font_t *font, hb_buffer_t *buffer)
+hb_aat_layout_position (hb_ot_shape_plan_t *plan,
+ hb_font_t *font,
+ hb_buffer_t *buffer)
 {
 #if 0
 hb_blob_t *blob;
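Review bot: The added bound test on `arr` in KerxSubTableFormat2 compares pointers that may already lie outside the table, which the language leaves undefined and which an optimizer may assume never happens. Since `array` comes from font data, it is more robust to check the offset before forming the pointer, e.g. `if (unlikely ((unsigned int) array >= (unsigned int) ((const char *) end - (const char *) this))) return 0;` (assuming `array` converts to its integer offset, which this hunk does not show). Either way, a comment such as `/* array offset is untrusted font data: reject a base outside [this, end) before indexing */` would explain why both `arr` and `v` are checked. The enclosing function begins and ends outside the hunk, so `end` and any earlier validation are not visible here.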
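Review bot: The extra `plan` parameter on `hb_aat_layout_position` changes a function signature in a commit titled "Fix check", and the diffstat lists only these two files, so no prototype or call site is updated here. If a declaration with the old two-argument form exists elsewhere, this definition no longer matches it; it is worth confirming that the header and callers already use the three-argument form, and either saying so in the commit message or splitting this from the bounds fix. The visible body starts with `#if 0`, so `plan` may be unused for now. If so, a short comment like `/* plan: currently unused, kept for parity with hb_aat_layout_substitute */` would help. The function body continues outside the hunk.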