From 794b00db4b63e8314aee96c23a20ecb878452eef Mon Sep 17 00:00:00 2001
From: Qunxin Liu <qxliu@google.com>
Date: Mon, 27 Sep 2021 17:21:16 -0700
Subject: [PATCH] [subset] fuzzer fix:
 https://oss-fuzz.com/testcase-detail/6616166961905664

---
 src/hb-ot-math-table.hh                           |   8 ++++++--
 ...se-minimized-hb-subset-fuzzer-6616166961905664 | Bin 0 -> 919 bytes
 2 files changed, 6 insertions(+), 2 deletions(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-6616166961905664

diff --git a/src/hb-ot-math-table.hh b/src/hb-ot-math-table.hh
index f9c5a83ae..c2e365dbd 100644
--- a/src/hb-ot-math-table.hh
+++ b/src/hb-ot-math-table.hh
@@ -836,12 +836,16 @@ struct MathVariants
   void collect_coverage_and_indices (hb_sorted_vector_t<hb_codepoint_t>& new_coverage,
                                      const Offset16To<Coverage>& coverage,
                                      unsigned i,
+                                     unsigned end_index,
                                      hb_set_t& indices,
                                      const hb_set_t& glyphset,
                                      const hb_map_t& glyph_map) const
   {
+    if (!coverage) return;
+
     for (const auto _ : (this+coverage).iter ())
     {
+      if (i >= end_index) return;
       if (glyphset.has (_))
       {
         unsigned new_gid = glyph_map.get (_);
@@ -866,8 +870,8 @@ struct MathVariants
     hb_sorted_vector_t<hb_codepoint_t> new_vert_coverage;
     hb_sorted_vector_t<hb_codepoint_t> new_hori_coverage;
     hb_set_t indices;
-    collect_coverage_and_indices (new_vert_coverage, vertGlyphCoverage, 0, indices, glyphset, glyph_map);
-    collect_coverage_and_indices (new_hori_coverage, horizGlyphCoverage, vertGlyphCount, indices, glyphset, glyph_map);
+    collect_coverage_and_indices (new_vert_coverage, vertGlyphCoverage, 0, vertGlyphCount, indices, glyphset, glyph_map);
+    collect_coverage_and_indices (new_hori_coverage, horizGlyphCoverage, vertGlyphCount, vertGlyphCount + horizGlyphCount, indices, glyphset, glyph_map);
     
     if (!c->serializer->check_assign (out->vertGlyphCount, new_vert_coverage.length, HB_SERIALIZE_ERROR_INT_OVERFLOW))
       return_trace (false);
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-6616166961905664 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-6616166961905664
new file mode 100644
index 0000000000000000000000000000000000000000..35b6479f091d93a9af0efe85ba42bb9cfe60c5e9
GIT binary patch
literal 919
zcmdr}F%Ezr3_NuA4SdDT#mxuk156zKeQkjX0S!(JUQ&)L*R-TC00wLO)fSk?Ws)R2
zP&|G}?Av*WP3leXcf>l}g(ZkM$$&dOi(hmaEFBP;^sfH!bl0iQ*f(@Z?yitYBC-;d
kVOW(lPCC`B+`ejQZ1~MU$w%Ubsl~!!&~e~tbFT}(0IWKyIRF3v

literal 0
HcmV?d00001