From adca4ce071d12998deea6bb53b223daa3aa163c5 Mon Sep 17 00:00:00 2001
From: Garret Rieger <grieger@google.com>
Date: Tue, 30 Mar 2021 13:20:50 -0700
Subject: [PATCH] [subset] fixes
 https://oss-fuzz.com/testcase-detail/6173520787800064.

Caused by incorrect bounds check in glyph closure for context lookups.
---
 src/hb-ot-layout-gsubgpos.hh                     |   2 +-
 ...e-minimized-hb-subset-fuzzer-6173520787800064 | Bin 0 -> 1731 bytes
 2 files changed, 1 insertion(+), 1 deletion(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-6173520787800064

diff --git a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh
index 33b78b1fb..796a29d0b 100644
--- a/src/hb-ot-layout-gsubgpos.hh
+++ b/src/hb-ot-layout-gsubgpos.hh
@@ -1248,7 +1248,7 @@ static void context_closure_recurse_lookups (hb_closure_context_t *c,
   for (unsigned int i = 0; i < lookupCount; i++)
   {
     unsigned seqIndex = lookupRecord[i].sequenceIndex;
-    if (seqIndex > inputCount) continue;
+    if (seqIndex >= inputCount) continue;
 
     hb_set_t *pos_glyphs = hb_set_create ();
 
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-6173520787800064 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-6173520787800064
new file mode 100644
index 0000000000000000000000000000000000000000..035dd72f15453a20607063c63472db3010fa9e77
GIT binary patch
literal 1731
zcmeHHL2DC16#iziO}BAttwawB5{l@injRyls1!AbLJC1p52izH+G5-+ZIO6VZ-OU1
z^pHc(9($4s-V_mkL4QGm5WFQqs~Nwy$=afL5l_<Do!Nc!-n^Oj&3hjdfc<!a1f~m@
zuUxew(AIvlg?AaGTgB4GndUWsMqS)3lx|Mq5K<z0z;v<narAcXVXjgODkd}wp)nzj
znlkn8flhhOEY&f{=d3=?UA(#Kqsp5T<$Zw8RZLI|O>j?F@*T=IsL#*O&l+z%S)y$F
ztv<MhPn2I#?^bIw2E+JDd5v=N!Aw2ensn|^UZ;F=W%Xs-YBV-G-!~|q4{J-y_9^6i
z0neAgHZ;5suw1~1RQ~}ZI)>9wRkIwxg~PS579;$q`?HHO2ego+-4|+y*d2OGbM$Zo
zWAvl>00;ReFNkJu4;l-!y{2{`mNOBrw}mM}oNrD*May~+kBg5OZ~rgx7Wdqiv0A9z
zFlAO&Uo`Y)8@3Nq0xHYXZd+tiiAxgwYutj50X*Z;U3P^DXnmNPi%Kpg3a1~Ht7sZQ
zrnV$_7dnFrP<y$wmrMUDm(1d4W|odJ5ooYFqH2*e?ES~Z(kG{1iZQm?U7+z?OlqT%
ztKW-QNJ7Yh9~uA56p>oBZMLZ(RSlI8ZwE*ZV1<x{hX0c=f(73=&&QCuE_Wg!j&oEf
zauivb%$#HQ1(wGxnPOACL1B}KRZoFj!b#WfijEvBG&{uJrHK<6b4lx`kOb*B<<Ly{
KSG>t~Y5V}3*+A6*

literal 0
HcmV?d00001