From 63ef0b41dc48d6112d1918c1b1de9de8ea90adb5 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Thu, 15 Oct 2015 12:47:22 -0300
Subject: [PATCH] [ot-font] Fix hmtx wrong table length check

Discovered by libFuzzer.  Ouch!

https://github.com/behdad/harfbuzz/issues/139#issuecomment-148289957
---
 src/hb-ot-font.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/hb-ot-font.cc b/src/hb-ot-font.cc
index 3102784e2..69d2503ab 100644
--- a/src/hb-ot-font.cc
+++ b/src/hb-ot-font.cc
@@ -59,7 +59,7 @@ struct hb_ot_face_metrics_accelerator_t
 
     this->blob = OT::Sanitizer<OT::_mtx>::sanitize (face->reference_table (_mtx_tag));
     if (unlikely (!this->num_advances ||
-		  2 * (this->num_advances + this->num_metrics) < hb_blob_get_length (this->blob)))
+		  2 * (this->num_advances + this->num_metrics) > hb_blob_get_length (this->blob)))
     {
       this->num_metrics = this->num_advances = 0;
       hb_blob_destroy (this->blob);