From c08f1b89037b9a0277b8cef67ff2f38bcf253dfd Mon Sep 17 00:00:00 2001
From: Garret Rieger <grieger@google.com>
Date: Tue, 10 Aug 2021 12:29:32 -0700
Subject: [PATCH] [map] fix incorrect population count in hash map.

If the same key was set twice the population was being incorrectly incremented.
---
 src/hb-map.hh                                 |   2 +-
 test/api/test-map.c                           |  28 ++++++++++++++++++
 ...inimized-hb-subset-fuzzer-5522792714993664 | Bin 0 -> 74 bytes
 3 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5522792714993664

diff --git a/src/hb-map.hh b/src/hb-map.hh
index 5f1d676fe..751cab684 100644
--- a/src/hb-map.hh
+++ b/src/hb-map.hh
@@ -224,7 +224,7 @@ struct hb_hashmap_t
     if (!items[i].is_unused ())
     {
       occupancy--;
-      if (items[i].is_tombstone ())
+      if (!items[i].is_tombstone ())
 	population--;
     }
 
diff --git a/test/api/test-map.c b/test/api/test-map.c
index 0911991b8..02df8b987 100644
--- a/test/api/test-map.c
+++ b/test/api/test-map.c
@@ -104,6 +104,33 @@ test_map_refcount (void)
   /* Now you can't access them anymore */
 }
 
+static void
+test_map_get_population (void)
+{
+  hb_map_t *m = hb_map_create ();
+
+  hb_map_set (m, 12, 21);
+  g_assert_cmpint (hb_map_get_population (m), ==, 1);
+  hb_map_set (m, 78, 87);
+  g_assert_cmpint (hb_map_get_population (m), ==, 2);
+
+  hb_map_set (m, 78, 87);
+  g_assert_cmpint (hb_map_get_population (m), ==, 2);
+  hb_map_set (m, 78, 13);
+  g_assert_cmpint (hb_map_get_population (m), ==, 2);
+
+  hb_map_set (m, 95, 56);
+  g_assert_cmpint (hb_map_get_population (m), ==, 3);
+
+  hb_map_del (m, 78);
+  g_assert_cmpint (hb_map_get_population (m), ==, 2);
+
+  hb_map_del (m, 103);
+  g_assert_cmpint (hb_map_get_population (m), ==, 2);
+
+  hb_map_destroy (m);
+}
+
 int
 main (int argc, char **argv)
 {
@@ -112,6 +139,7 @@ main (int argc, char **argv)
   hb_test_add (test_map_basic);
   hb_test_add (test_map_userdata);
   hb_test_add (test_map_refcount);
+  hb_test_add (test_map_get_population);
 
   return hb_test_run();
 }
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5522792714993664 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5522792714993664
new file mode 100644
index 0000000000000000000000000000000000000000..4f714f348e3181c162e44fdce4d1a10ed813dd6a
GIT binary patch
literal 74
ocmZQzWME)m{{R2K0uq377(^HtkVF-b_z)E!Sr-Kb5a<7Y0R2M_sQ>@~

literal 0
HcmV?d00001