From a21a9bb855de199bacb80a15049340d818edcd41 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Sun, 26 Jun 2022 17:24:29 -0600
Subject: [PATCH] [glyf] Optimize flags decoding byte range checking

---
 src/OT/glyf/SimpleGlyph.hh | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/OT/glyf/SimpleGlyph.hh b/src/OT/glyf/SimpleGlyph.hh
index 23bcb0b70..a68b84b99 100644
--- a/src/OT/glyf/SimpleGlyph.hh
+++ b/src/OT/glyf/SimpleGlyph.hh
@@ -173,15 +173,17 @@ struct SimpleGlyph
     const HBUINT8 *p = &StructAtOffset<HBUINT8> (&endPtsOfContours[num_contours + 1],
 						 endPtsOfContours[num_contours]);
 
+    const HBUINT8 *end = (const HBUINT8 *) (bytes.arrayZ + bytes.length);
+
     /* Read flags */
     for (unsigned int i = 0; i < num_points;)
     {
-      if (unlikely (!bytes.check_range (p))) return false;
+      if (unlikely (p + 1 > end)) return false;
       uint8_t flag = *p++;
       points_[i++].flag = flag;
       if (flag & FLAG_REPEAT)
       {
-	if (unlikely (!bytes.check_range (p))) return false;
+	if (unlikely (p + 1 > end)) return false;
 	unsigned int repeat_count = *p++;
 	unsigned stop = hb_min (i + repeat_count, num_points);
 	for (; i < stop;)