From 94ba4d5a440c599694b0db73ab8e9344d83cb9ef Mon Sep 17 00:00:00 2001
From: Garret Rieger
Date: Tue, 18 Jan 2022 16:35:30 -0800
Subject: [PATCH] [subset] Fix bound check when setting overlap bit.
length() shouldn't be used again as the end of instruction offset is already included in flags_offset.
---
 src/hb-ot-glyf-table.hh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/hb-ot-glyf-table.hh b/src/hb-ot-glyf-table.hh
index 6aa34295c..5018b5ac7 100644
--- a/src/hb-ot-glyf-table.hh
+++ b/src/hb-ot-glyf-table.hh
@@ -595,7 +595,7 @@ struct glyf
 if (unlikely (!header.numberOfContours)) return;
 unsigned flags_offset = length (instructions_length ());
- if (unlikely (length (flags_offset + 1) > bytes.length)) return;
+ if (unlikely (flags_offset + 1 > bytes.length)) return;
 HBUINT8 &first_flag = (HBUINT8 &) StructAtOffset (&bytes, flags_offset);
 first_flag = (uint8_t) first_flag | FLAG_OVERLAP_SIMPLE;
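Review bot: The corrected guard `flags_offset + 1 > bytes.length` is evaluated in unsigned arithmetic, so it would wrap to 0 and pass if `flags_offset` ever reached the maximum unsigned value. Since `flags_offset` comes from `length (instructions_length ())`, which presumably reads a length field from the glyph data, the form `if (unlikely (flags_offset >= bytes.length)) return;` makes the same test without the addition. The check guards a one-byte write through `first_flag`, so a short comment such as `/* flags_offset already includes the header and instruction bytes; one flag byte must fit. */` would record why `length ()` is not applied a second time. The enclosing function starts and ends outside the hunk, so how `instructions_length ()` behaves on truncated glyph data cannot be confirmed from here.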