From 4cb83967aacf0aaf2622fc55539f04eb9ce2b7a0 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Sat, 23 Jul 2022 10:59:42 -0600
Subject: [PATCH] [subset/ClassDefFormat2] Fix timeout

Fixes https://oss-fuzz.com/testcase-detail/5417800474165248
---
 src/hb-ot-layout-common.hh                       |   3 ++-
 ...e-minimized-hb-subset-fuzzer-5417800474165248 | Bin 0 -> 3161 bytes
 2 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5417800474165248

diff --git a/src/hb-ot-layout-common.hh b/src/hb-ot-layout-common.hh
index 7700b3e49..9a4157b21 100644
--- a/src/hb-ot-layout-common.hh
+++ b/src/hb-ot-layout-common.hh
@@ -1716,13 +1716,14 @@ struct ClassDefFormat2_4
     hb_sorted_vector_t<hb_pair_t<hb_codepoint_t, hb_codepoint_t>> glyph_and_klass;
     hb_set_t orig_klasses;
 
+    unsigned num_source_glyphs = c->plan->source->get_num_glyphs ();
     unsigned count = rangeRecord.len;
     for (unsigned i = 0; i < count; i++)
     {
       unsigned klass = rangeRecord[i].value;
       if (!klass) continue;
       hb_codepoint_t start = rangeRecord[i].first;
-      hb_codepoint_t end   = rangeRecord[i].last + 1;
+      hb_codepoint_t end   = hb_min (rangeRecord[i].last + 1, num_source_glyphs);
       for (hb_codepoint_t g = start; g < end; g++)
       {
         hb_codepoint_t new_gid = glyph_map[g];
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5417800474165248 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5417800474165248
new file mode 100644
index 0000000000000000000000000000000000000000..f5f3cff75929bf1ae3b6b09ef7bd92389bee0eed
GIT binary patch
literal 3161
zcmeHJU2IfE6#nMk-DOKlU2FLjq12{GLuqLUf?_Cyq)}Q5-BSJv^s;SP!*08_4W*Jm
zMPt$UV0=N0#Y7%7AsRGjF(^oU6ABLmgHeb<!oQ#~ZK1RszcYKc2x%G!@y&CyGvAy!
zJ9FloGv^ExfK*tpQB}0)&`~_5EL;cD$u3%28az{Q=|w=HRbgFGaQVW_(HJRXYy(P9
z<rRz{vpE+CP#P7Xs1w7Jjz-IX)+wmk=rqPKf*-7`UJp_>Mp|mW$zGp)ORId!PYBmI
z)m9+CoAbrM#M#~98XtlOofN8*r8Txhn-r`?9yNOR+`ubYe{}&nULGY|S?>aAzNoV$
z=3nSp&GA8QV#vCfO#Q4g9L#H|Z)^fm06i^zOKx~WJx3hQ(9$Y?y49AW@I;d^9V+59
z)xi&sETpxP85IgeW8`IE9x{<l#enCoqm>;daG$rKJk(Kaf+TV>*#9TW4X@o(|I#jX
zIPIopVLNn=*0;4jr-h&kO|Mmec9~7}E!2d=PJfXvn1*S8@K|E1aXi>~crGGa#rVC?
z53|09kH%88kHT;K-4MHRNx+Mp<TOETmpNDz^IPz7Mv3iJIeYm$ZZCWw*_G(xsM=UH
z-N<-}Mbg80L0pX^Svd^@x=YK<2+qig(_s1U&QBtjv78VHFjD<S)U;zcYjaImDFy3?
zpdJ(az}mQt?rnSILL_-H(yIposG6Bl8oXSvYUbwLK6;BPR)ki>@J<wag|<qwCw?I&
z@<ROYhllaQ5UzP3mSub!j~1WgALD7z>n1T^Ebs41i5wy8sOc1X`LB3HO5nuf%7Y!q
z!5WT+2%XIM0!lG!JUH#gkLXgL@_I-H4VbXzzOu8|^nxV2s9L!lLuM(?Q!3;{nvBj#
z=HEu;VPpNF?2<Uquy%QL6Szl~PEyGI^tw&DVD<O)b=&q{+fHPB+fKGEOp!Zps*;G2
z0qg~Q`wbV!8#HbqIg+iPml-KTr0iAk-fdah+<DlS)h$|>PLOi2z@H+4!C@L3u{;U|
zPbGNG@bzhv{(w1cK))^<^N3Vp{(tq#l`E~4`W8^fnpP?Ml32~|Fd^lmP0yFa+dfEI
zZ!>AwRJkO*<Bsm3MHBI}M>R?Kv(Qapw@d2`g=gwm+~iD(CsJw*f5wKud|9cGb0ivO
z(7GHFqt))Mw2zq(HX`_d>}1=-ub9HfCz_bkP!lacYBbUk<)g#6j6z~a6?P)ECWOUx
z67)W+kk>#`vmX<w-E{IEXU>qNEm-<8eEcbl)H|g`GvxwC+M-Lwv0UevYhH+j<R&h%
zl#siHN7BDCKd<5YO|_H#S#ET{9^hUw65}nwVOY^fY7_;cznVp!Dp^pRA+_<QHm9-S
zsS4Fk=UViKtiiQq$2Vjda%^hu<r)0Wrf?m;G>?mQVJD{+pT`<%HegY#v8fitrY&RJ
zc(45ucD%1w9QXCv@{wdKp?if6ee%PJoJ+@UbOcME-S<nU)BN4pb4S`cCrzH*8Om?I
zwr_XGPbaEs%3JOnSbc7w`@N6%eRbl(fvr0ARNsdF-+RwD%sq1UCC}eW*1meJwBuOr
zhy90l=bgNn_vY=B9Usk}v#p_RZRYXAo$LSHe7btql+ekaBL(l&f8E@3weE{E$2)o+
zklNbcYCk{fg<n6r@hxwUc*!I`o~2qIXfw>Q*d*d+JF(hS(-4o{0HY%fPtdw?N_SI5
z!VXWn{D<ihj|_>g#2Z4i8hm7omiWByks)rEXNHxW*oyA~U@=FFc_Re#xr<^Kmk^h@
zIF)#bi%W@1UA&Zdsf(8pFAJ~{a(QKhWiAd92VGoFT<+rK#LHb=L0sYD6~rrCypnjO
jizO$naxtISSnc99#A{qEsi;yhyUG<IG2VHhBmv+b;|o1Z

literal 0
HcmV?d00001