From 85adf4ad5c76172514f281bfbe3850ef35473cc7 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod
Date: Wed, 3 Apr 2019 16:06:55 -0700
Subject: [PATCH] [GDEF] Don't assume glyphlist is sorted

As was hit by the fuzzer.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14032
---
 src/hb-ot-layout-common.hh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/hb-ot-layout-common.hh b/src/hb-ot-layout-common.hh
index 1799d4bd8..bb06ddb97 100644
--- a/src/hb-ot-layout-common.hh
+++ b/src/hb-ot-layout-common.hh
@@ -1218,8 +1218,8 @@ struct ClassDefFormat1
 return_trace (true);
 }

- hb_codepoint_t glyph_min = glyphs[0];
- hb_codepoint_t glyph_max = glyphs[glyphs.length - 1];
+ hb_codepoint_t glyph_min = hb_iter (glyphs) | hb_reduce (hb_min, 0xFFFFu);
+ hb_codepoint_t glyph_max = hb_iter (glyphs) | hb_reduce (hb_max, 0u);

 startGlyph = glyph_min;
 classValue.len = glyph_max - glyph_min + 1;
@@ -1510,8 +1510,8 @@ struct ClassDef
 unsigned int format = 2;
 if (likely (glyphs))
 {
- hb_codepoint_t glyph_min = glyphs[0];
- hb_codepoint_t glyph_max = glyphs[glyphs.length - 1];
+ hb_codepoint_t glyph_min = +glyphs | hb_reduce (hb_min, 0xFFFFu);
+ hb_codepoint_t glyph_max = +glyphs | hb_reduce (hb_max, 0u);

 unsigned int count = glyphs.len ();
 unsigned int num_ranges = 1;
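Review bot: The reduction seeds `0xFFFFu` and `0u` in the ClassDefFormat1 hunk are only correct when `glyphs` is non-empty and every id fits in 16 bits; for an empty list the unsigned `glyph_max - glyph_min + 1` two lines below would wrap rather than yield zero. The `return_trace (true); }` context above suggests an early return for the empty case, but that guard starts outside the hunk, so it is worth confirming and recording next to the seeds, e.g. `/* glyphs is non-empty here; seeds are the 16-bit glyph id bounds */`. The ClassDef hunk uses the same seeds, and there the `if (likely (glyphs))` guard is visible. Since the defect was found by the fuzzer and the diffstat shows only the one source file changed, adding the reproducer to the fuzzing test corpus would keep the unsorted-input case covered.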
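Review bot: The ClassDef hunk spells the iterator `+glyphs`, while the ClassDefFormat1 hunk writes `hb_iter (glyphs)` for what appears to be the same operation; using one spelling in both places would make the two serializers easier to compare. The statements after `unsigned int num_ranges = 1;` continue outside the hunk. If the range count there is derived by comparing neighbouring entries of `glyphs`, it still depends on input order and deserves either the same treatment or a comment such as `/* estimate only: glyphs may be unsorted */`.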