From 64fa5cd482d0be2e215998aa1c2a05b978133e7c Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Tue, 7 Feb 2023 15:50:36 -0700
Subject: [PATCH] [GPOS] Fix assert fail introduced recently

Was introduced in 8708b9e081192786c027bb7f5f23d76dbe5c19e8.

If these lookups are recursed to from (Chain)Context out-of-order,
it was possible that last_base > buffer->idx, in which case we
were attaching marks to a base after them... and an assertion
was failing fortunately.

Fixes https://oss-fuzz.com/testcase-detail/6377756666757120
---
 src/OT/Layout/GPOS/MarkBasePosFormat1.hh          |   5 +++++
 src/OT/Layout/GPOS/MarkLigPosFormat1.hh           |   5 +++++
 ...ase-minimized-hb-shape-fuzzer-6377756666757120 | Bin 0 -> 607 bytes
 3 files changed, 10 insertions(+)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-6377756666757120

diff --git a/src/OT/Layout/GPOS/MarkBasePosFormat1.hh b/src/OT/Layout/GPOS/MarkBasePosFormat1.hh
index 73839a4c8..938369a50 100644
--- a/src/OT/Layout/GPOS/MarkBasePosFormat1.hh
+++ b/src/OT/Layout/GPOS/MarkBasePosFormat1.hh
@@ -122,6 +122,11 @@ struct MarkBasePosFormat1_2
     hb_ot_apply_context_t::skipping_iterator_t &skippy_iter = c->iter_input;
     skippy_iter.set_lookup_props (LookupFlag::IgnoreMarks);
 
+    if (c->last_base_until > buffer->idx)
+    {
+      c->last_base_until = 0;
+      c->last_base = -1;
+    }
     unsigned j;
     for (j = buffer->idx; j > c->last_base_until; j--)
     {
diff --git a/src/OT/Layout/GPOS/MarkLigPosFormat1.hh b/src/OT/Layout/GPOS/MarkLigPosFormat1.hh
index 447187102..7e7b438aa 100644
--- a/src/OT/Layout/GPOS/MarkLigPosFormat1.hh
+++ b/src/OT/Layout/GPOS/MarkLigPosFormat1.hh
@@ -104,6 +104,11 @@ struct MarkLigPosFormat1_2
     hb_ot_apply_context_t::skipping_iterator_t &skippy_iter = c->iter_input;
     skippy_iter.set_lookup_props (LookupFlag::IgnoreMarks);
 
+    if (c->last_base_until > buffer->idx)
+    {
+      c->last_base_until = 0;
+      c->last_base = -1;
+    }
     unsigned j;
     for (j = buffer->idx; j > c->last_base_until; j--)
     {
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-6377756666757120 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-6377756666757120
new file mode 100644
index 0000000000000000000000000000000000000000..718e169a787806a211ccd6631bd6f4e09a0e24c0
GIT binary patch
literal 607
zcmaJ;O-lk%6g_Vo9SZ}oC=0S8Dlnz|0oD*fixvs)qD4WA7JU#%TZcC7+6O`Z!Ckvr
z<-S!!AS4kfNhX+K-p(6cNKto~nfvZN=YE_A1;9v}p{C?kQfuk+uS-88Be5CiOfLrb
zsNJp1KKwj+FpC&Hi&+x}Jp=EO1m+2jz)^2Vz;;?9@V=H1EP=qok5EqMz#LFTl%y!>
zQTTYK{jNBtphO!x)}(r;2vz7ur7R@-AlP%6tK)h44h%2HoLCw{ouge7Y7?dxuvx(U
z3yz0Xfv1Ceu5}w>)1IA$6LkdJlosO+i0RgJIexvK)PF1;VYJBD6uJ_YW@Y&*q#nH$
zku1FIZeS4RX9AnuY6MlGqXr9THG&;A8uUFIl0n|{{1Qjp;Lr+T17>~k594y7(;$W7
z@Qwxd!orkd+hTx3eqBhd4bk-!`VgjI4`N>_Vu}}XR-R@U>gInVqUv7A*ytq71_J5z
VOj|DLXzhb7O<fAh9j%|x{07mTkQV>|

literal 0
HcmV?d00001