From 552290f60437ceaa5aa299a2db726046c0385f80 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Wed, 8 Mar 2023 10:25:26 -0700
Subject: [PATCH] [gvar] Fix out-of-memory access issue

Fixes https://oss-fuzz.com/testcase-detail/5953342850596864
---
 src/hb-ot-var-gvar-table.hh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/hb-ot-var-gvar-table.hh b/src/hb-ot-var-gvar-table.hh
index 225d29625..7980ffb61 100644
--- a/src/hb-ot-var-gvar-table.hh
+++ b/src/hb-ot-var-gvar-table.hh
@@ -116,7 +116,7 @@ struct gvar
   {
     TRACE_SUBSET (this);
 
-    unsigned glyph_count = c->plan->source->get_num_glyphs ();
+    unsigned glyph_count = version.to_int () ? c->plan->source->get_num_glyphs () : 0;
 
     gvar *out = c->serializer->allocate_min<gvar> ();
     if (unlikely (!out)) return_trace (false);
@@ -222,7 +222,8 @@ struct gvar
     accelerator_t (hb_face_t *face)
     {
       table = hb_sanitize_context_t ().reference_table<gvar> (face);
-      glyphCount = face->get_num_glyphs ();
+      /* If sanitize failed, set glyphCount to 0. */
+      glyphCount = table->version.to_int () ? face->get_num_glyphs () : 0;
     }
     ~accelerator_t () { table.destroy (); }