From 4b4a1b9f235598b04ce9ae1f9670fc978ab7620d Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod
Date: Wed, 21 Dec 2016 23:10:43 -0600
Subject: [PATCH] Fix assert fail with contextual matching

As discovered by libFuzzer / Chromium fuzzing.
Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=659496
CC https://github.com/behdad/harfbuzz/issues/139
---
 src/hb-ot-layout-gsubgpos-private.hh | 6 +++++-
 .../217a934cfe15c548b572c203dceb2befdf026462.ttf | Bin 0 -> 1384 bytes
 test/shaping/tests/fuzzed.tests | 1 +
 3 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 test/shaping/fonts/sha1sum/217a934cfe15c548b572c203dceb2befdf026462.ttf

diff --git a/src/hb-ot-layout-gsubgpos-private.hh b/src/hb-ot-layout-gsubgpos-private.hh
index b90af9ca0..fd75c5425 100644
--- a/src/hb-ot-layout-gsubgpos-private.hh
+++ b/src/hb-ot-layout-gsubgpos-private.hh
@@ -1001,8 +1001,12 @@ static inline bool apply_lookup (hb_apply_context_t *c,
 end = int (end) + delta;
 if (end <= match_positions[idx])
 {
+ /* End might end up being smaller than match_positions[idx] if the recursed
+ * lookup ended up removing many items, more than we have had matched.
+ * Just never rewind end back and get out of here.
+ * https://bugs.chromium.org/p/chromium/issues/detail?id=659496 */
+ end = match_positions[idx];
 /* There can't be any further changes. */
- assert (end == match_positions[idx]);
 break;
 }
 
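Review bot: The new clamp is reached only when `end <= match_positions[idx]` holds after `end = int (end) + delta;` has already been stored back into `end`. The `int (end)` cast suggests `end` is unsigned (its declaration is outside the hunk), so a negative sum would wrap to a large value and skip this branch entirely. Because the font driving this path is untrusted input, I would compare on the signed sum and assign afterwards, e.g. `int new_end = int (end) + delta;` followed by `if (new_end <= int (match_positions[idx]))`. Whether such a delta is reachable depends on parts of apply_lookup outside the hunk, so this needs confirming against the full function. The retained comment `/* There can't be any further changes. */` now sits after the assignment and could be folded into the new comment block.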
diff --git a/test/shaping/fonts/sha1sum/217a934cfe15c548b572c203dceb2befdf026462.ttf b/test/shaping/fonts/sha1sum/217a934cfe15c548b572c203dceb2befdf026462.ttf
new file mode 100644
index 0000000000000000000000000000000000000000..12b91a09f9325bdb1c0c1935e35e5cd4892b04c3
GIT binary patch literal 1384 zcmb_c%}Z2K6#w1#=KIS*Ow3G18C;lBnrMN9i8%#A#@LsO^ffbn;Cwu0rm)@6s(+v$ zu-4(qrLJoc5z@*;T!cZna1mivLcV_IJ*SVo_i^u>-?_hg?m6e4Gf)5`s6fYLV(8K^ znsA(&9nRLo=+)$i_u?}^MJvEwB6)oyUOdI}yB&=-jNr;Uxi~ zA!T@*eS^g3h#PXoyh-0jh)0QIc_Wu`H3feV(+6BO3#GEvjwi&+vX7sZWr-yjn)n45 z6x{rDco3k>P&osL1uj4tMdL1f46_gJw_+jU8Kn*w%Ni2vNl_o!_?~9mRhno?mrx{CiaBm=Z*AY zdl$;uu@)GMI&N(mo(2gi(I2Z92?uwsm$&Sn~oaD=* zqme2nm9iC}T+0CDaz*2kItfq0a8gDygGX2ma?RgrFpHTfCo3@=O*KeR^2R=9$*Dcb zs=Q#7SaMf=eW^%4v`s2voZ4%i{J&3YR0}oIr*(F$4k*xoH+OIn2yfYMl;+Vf^ZVNVwQv!tK;(>5ENHq{Dz9#S eT?1+gPkDK>ySuBWucx=?yxWzgLVq7~*uMdwCB;|( literal 0 HcmV?d00001
diff --git a/test/shaping/tests/fuzzed.tests b/test/shaping/tests/fuzzed.tests
index 7a5d395a9..771ac2b45 100644
--- a/test/shaping/tests/fuzzed.tests
+++ b/test/shaping/tests/fuzzed.tests
@@ -9,3 +9,4 @@ fonts/sha1sum/43979b90b2dd929723cf4fe1715990bcb9c9a56b.ttf:--font-funcs=ot:U+004 fonts/sha1sum/3511ff5c1647150595846ac414c595cccac34f18.ttf:--font-funcs=ot:U+0041:[gid0=0+1000|gid512=0+1000|gid15104=0+1000|gid11004=0+1000|gid3408=0+1000|gid18244=0+1000|gid17872=0+1000|gid17961=0+1000|gid0=0+1000|gid992=0+1000|gid15616=0+1000|gid0=0+1000|gid14151=0+1000|gid20559=0+1000|gid20992=0+1000|gid5440=0+1000|gid256=0+1000|gid0=0+1000|gid10=0+1000|gid8960=0+1000|gid256=0+1000|gid1024=0+1000|gid1490=0+1000|gid0=0+1000|gid768=0+1000|gid4096=0+1000|gid256=0+1000|gid2216=0+1000|gid0=0+1000|gid256=0+1000|gid256=0+1000|gid0=0+1000|gid768=0+1000|gid10752=0+1000|gid11004=0+1000|gid3408=0+1000|gid18244=0+1000|gid17734=0+1000|gid53248=0+1000|gid256=0+1000|gid0=0+1000|gid512=0+1000|gid14848=0+1000|gid10793=0+1000|gid57344=0+1000|gid768=0+1000|gid18227=0+1000|gid20285=0+1000|gid20480=0+1000|gid0=0+1000|gid256=0+1000|gid0=0+1000|gid810=0+1000|gid0=0+1000|gid11004=0+1000|gid3408=0+1000|gid18244=0+1000|gid17734=0+1000|gid53289=0+1000|gid57344=0+1000|gid768=0+1000|gid15667=0+1000|gid71=0+1000|gid0=0+1000|gid20559=0+1000|gid21248=0+1000|gid256=0+1000|gid0=0+1000|gid2816=0+1000|gid2776=0+1000|gid0=0+1000|gid51516=0+1000|gid0=0+1000|gid32=0+1000|gid26209=0+1000|gid28005=0+1000|gid65249=0+1000|gid29690=0+1000|gid0=0+1000|gid51548=0+1000|gid0=0+1000|gid2454=0+1000|gid28783=0+1000|gid29556=0+1000|gid1291=0+1000|gid3458=0+1000|gid80=0+1000|gid0=0+1000|gid2804=0+1000|gid210=0+1000|gid28786=0+1000|gid25968=0+1000|gid45763=0+1000|gid50546=0+1000|gid0=0+1000|gid59136=0+1000|gid0=0+1000|gid38144=0+1000|gid256=0+1000|gid0=0+1000|gid2560=0+1000|gid30208=0+1000|gid52224=0+1000|gid580=0+1000|gid17996=0+1000|gid21504=0+1000|gid6734=0+1000|gid108=0+1000|gid116=0+1000|gid24846=0+1000|gid1024=0+1000|gid0=0+1000|gid255=0+1000|gid65280=0+1000|gid256=0+1000|gid0=0+1000|gid8704=0+1000|gid1345=0+1000|gid23109=0+1000|gid8192=0+1000|gid10823=0+1000|gid21076=0+1000|gid8192=0+1000|gid12877=0+1000|gid20300
=0+1000|gid8192=0+1000|gid6738=0+1000|gid20301=0+1000|gid8192=0+1000|gid16980=0+1000|gid21067=0+1000|gid8251=0+1000|gid18944=0+1000|gid255=0+1000|gid65280=0+1000|gid15360=0+1000|gid256=0+1000|gid255=0+1000|gid65280=0+1000|gid256=0+1000|gid768=0+1000|gid255=0+1000|gid65280=0+1000|gid256=0+1000|gid768=0+1000|gid255=0+1000|gid65280=0+1000|gid256=0+1000|gid1024=0+1000|gid12=0+1000|gid65280=0+1000|gid256=0+1000|gid1280=0+1000|gid255=0+1000|gid65280=0+1000|gid256=0+1000|gid1536=0+1000|gid1899=0+1000|gid25970=0+1000|gid110=0+1000|gid11264=0+1000|gid27502=0+1000|gid29285=0+1000|gid12907=0+1000|gid25974=0+1000|gid28160=0+1000|gid14443=0+1000|gid25970=0+1000|gid28288=0+1000|gid3=0+1000|gid118=0+1000|gid18259=0+1000|gid21826=0+1000|gid45716=0+1000|gid46369=0+1000|gid0=0+1000|gid0=0+1000|gid1=0+1000|gid16=0+1000|gid17=0+1000|gid256=0+1000|gid4=0+1000|gid16=0+1000|gid18244=0+1000|gid17734=0+1000|gid28=0+1000|gid12=0+1000|gid0=0+1000|gid284=0+1000|gid0=0+1000|gid28=0+1000|gid18256=0+1000|gid20307=0+1000|gid45114=0+1000|gid47616=0+1000|gid226=0+1000|gid10296=0+1000|gid0=0+1000|gid57927=0+1000|gid1=0+1000|gid0=0+1000|gid0=0+1000|gid21248=0+1000|gid5440=0+1000|gid256=0+1000|gid0=0+1000|gid10=0+1000|gid768=0+1000|gid256=0+1000|gid1024=0+1000|gid512=0+1000|gid0=0+1000|gid297=0+1000|gid16=0+1000|gid24833=0+1000|gid28774=0+1000|gid10794=0+1000|gid2304=0+1000|gid29=0+1000|gid32=0+1000|gid42=0+1000|gid64515=0+1000|gid42=0+1000|gid42=0+1000|gid64525=0+1000|gid20551=0+1000|gid17477=0+1000|gid18128=0+1000|gid10720=0+1000|gid3=0+1000|gid61=0+1000|gid3408=0+1000|gid18244=0+1000|gid17734=0+1000|gid53289=0+1000|gid57344=0+1000|gid768=0+1000|gid15616=0+1000|gid512=0+1000|gid55=0+1000|gid10576=0+1000|gid20307=0+1000|gid0=0+1000|gid255=0+1000|gid56063=0+1000|gid53504=0+1000|gid42=0+1000|gid42=0+1000|gid64525=0+1000|gid12288=0+1000|gid18176=0+1000|gid80=0+1000|gid20307=0+1000|gid1=0+1000|gid0=0+1000|gid62=0+1000] 
fonts/sha1sum/fab39d60d758cb586db5a504f218442cd1395725.ttf:--font-funcs=ot:U+0041,U+0041:[gid0=0+1000|gid0=1+1000]
 fonts/sha1sum/205edd09bd3d141cc9580f650109556cc28b22cb.ttf:--font-funcs=ot:U+0041:[gid0=0+1000]
+fonts/sha1sum/217a934cfe15c548b572c203dceb2befdf026462.ttf:--font-funcs=ot:U+0061,U+0061,U+0061:[]