From 91176d5b778b44172591e82ba84127e5eff1372d Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod
Date: Thu, 2 May 2019 15:12:07 -0700
Subject: [PATCH] [serialize] Check offset base is within (possibly end of) object
---
 src/hb-serialize.hh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/hb-serialize.hh b/src/hb-serialize.hh
index 9fa0658b9..e7c6445d4 100644
--- a/src/hb-serialize.hh
+++ b/src/hb-serialize.hh
@@ -295,6 +295,7 @@ struct hb_serialize_context_t
 {
 const object_t::link_t &link = *link_it;
 const object_t &child = *packed[link.objidx];
+ assert (link.bias <= parent.tail - parent.head);
 unsigned offset = (child.head - parent.head) - link.bias;
 if (link.is_wide)
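Review bot: The new bound on `link.bias` is an `assert`, so it is compiled out when NDEBUG is defined and the subtraction on the next line then runs unchecked; since `offset` is `unsigned`, a bias larger than `child.head - parent.head` would wrap to a large value instead of failing. If link records can be influenced by the data being serialized (not visible in this hunk), the invariant is better enforced at runtime through the serializer's existing error handling than asserted. The assert also bounds the bias by the parent's size, whereas the value actually subtracted from is `child.head - parent.head`; that is sufficient only if children always sit at or after `parent.tail`. If that holds, say so next to the check, e.g. `/* bias may equal the parent's size (end of object); children are packed at or after parent.tail */`. The enclosing loop and function start and end outside this hunk.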