From 50fb02a219dbf168d300c4ccf9f29aee38a78e6c Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod
Date: Sun, 28 Oct 2018 15:33:12 -0700
Subject: [PATCH] [sbix] Check glyph id before looking into unsafe array

That 'Z' at end of imageOffsetsZ is a reminder that you should check...

---
 src/hb-ot-color-sbix-table.hh | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/hb-ot-color-sbix-table.hh b/src/hb-ot-color-sbix-table.hh
index 9a124a6e6..49320785c 100644
--- a/src/hb-ot-color-sbix-table.hh
+++ b/src/hb-ot-color-sbix-table.hh
@@ -92,8 +92,9 @@ struct SBIXStrike
 unsigned int strike_offset = (const char *) this - (const char *) sbix_blob->data;
 retry:
- if (imageOffsetsZ[glyph_id + 1] < imageOffsetsZ[glyph_id] ||
- imageOffsetsZ[glyph_id + 1] - imageOffsetsZ[glyph_id] <= SBIXGlyph::min_size)
+ if (unlikely (glyph_id >= num_glyphs ||
+ imageOffsetsZ[glyph_id + 1] < imageOffsetsZ[glyph_id] ||
+ imageOffsetsZ[glyph_id + 1] - imageOffsetsZ[glyph_id] <= SBIXGlyph::min_size))
 return hb_blob_get_empty ();
 if (strike_offset + (unsigned int) imageOffsetsZ[glyph_id] + SBIXGlyph::min_size > sbix_len)
@@ -106,7 +107,7 @@ struct SBIXStrike
 if (calculate_blob_size (glyph_id) >= 2)
 {
 glyph_id = *((HBUINT16 *) &glyph->data);
- if (glyph_id < num_glyphs && retry_count--)
+ if (retry_count--)
 goto retry;
 }
 return hb_blob_get_empty ();
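Review bot: The new condition range-checks `glyph_id` and orders the two offsets, but neither it nor the length check just below it (`strike_offset + (unsigned int) imageOffsetsZ[glyph_id] + SBIXGlyph::min_size > sbix_len`) bounds `imageOffsetsZ[glyph_id + 1]` against `sbix_len`, and that unsigned sum can wrap for a large stored offset and slip past the comparison. A font whose end offset points beyond the table therefore still gets through, and anything later derived from the glyph's end (the 'dupe' redirect read in the next hunk, presumably the sub-blob length as well) can reach past the blob. I would add one clause in non-wrapping form, `(unsigned int) imageOffsetsZ[glyph_id + 1] > sbix_len - strike_offset`, which together with the ordering and min_size checks also subsumes the header-size test (this assumes `strike_offset < sbix_len`, which looks intended since `this` is computed from the blob's data but is not asserted here). The enclosing function starts before this hunk, so the declarations of `num_glyphs`, `retry_count` and `sbix_len` are not visible.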
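Review bot: Dropping `glyph_id < num_glyphs` here makes the redirected `glyph_id` safe only because control jumps back to the check at `retry:`, which a reader of this line can no longer see; a comment would preserve that reasoning, e.g. `/* 'dupe' redirect: the new glyph_id is range-checked at retry; retry_count bounds the chain. */`. Note also that `*((HBUINT16 *) &glyph->data)` reads two bytes beyond the fixed SBIXGlyph header, so the `>= 2` size test protects it only if the glyph's end offset has been bounded to the blob as well, which the visible checks do not establish. The enclosing function and the `if` around this block begin before the hunk.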