[ot-shape] Don't verify buffer if shaping failed

Fixes all of fuzzing verify failures, which were result of buffer failure
on super-long results, which fails unsafe-to-break because shorter strings
don't fail shaping.

src/hb-buffer.cc

@@ -289,6 +289,7 @@ hb_buffer_t::clear ()
   props = default_props;
 
   successful = true;
+  shaping_failed = false;
   have_output = false;
   have_positions = false;
 
@@ -623,6 +624,7 @@ DEFINE_NULL_INSTANCE (hb_buffer_t) =
   HB_SEGMENT_PROPERTIES_DEFAULT,
 
   false, /* successful */
+  true, /* shaping_failed */
   false, /* have_output */
   true  /* have_positions */
 

src/hb-buffer.hh

@@ -106,6 +106,7 @@ struct hb_buffer_t
   hb_segment_properties_t props; /* Script, language, direction */
 
   bool successful; /* Allocations successful */
+  bool shaping_failed; /* Shaping failure */
   bool have_output; /* Whether we have an output buffer going on */
   bool have_positions; /* Whether we have positions */
 

src/hb-ot-layout-gsubgpos.hh

@@ -609,7 +609,10 @@ struct hb_ot_apply_context_t :
   return_t recurse (unsigned int sub_lookup_index)
   {
     if (unlikely (nesting_level_left == 0 || !recurse_func || buffer->max_ops-- <= 0))
+    {
+      buffer->shaping_failed = true;
       return default_return_value ();
+    }
 
     nesting_level_left--;
     bool ret = recurse_func (this, sub_lookup_index);

src/hb-shape.cc

@@ -137,12 +137,14 @@ hb_shape_full (hb_font_t          *font,
 							      features, num_features,
 							      font->coords, font->num_coords,
 							      shaper_list);
+  buffer->shaping_failed = false;
   hb_bool_t res = hb_shape_plan_execute (shape_plan, font, buffer, features, num_features);
   hb_shape_plan_destroy (shape_plan);
 
   if (text_buffer)
   {
-    if (res && !buffer->verify (text_buffer,
+    if (res && buffer->successful && !buffer->shaping_failed &&
+	       !buffer->verify (text_buffer,
 				font,
 				features,
 				num_features,