From cb4bf85b14afb3761a85e3da130f2844ac94a49d Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Fri, 16 Nov 2018 02:02:24 -0500
Subject: [PATCH] [hdmx] Fix bounds checking

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11351
---
 src/hb-ot-hdmx-table.hh | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/src/hb-ot-hdmx-table.hh b/src/hb-ot-hdmx-table.hh
index 2eed85c0a..0fea24bca 100644
--- a/src/hb-ot-hdmx-table.hh
+++ b/src/hb-ot-hdmx-table.hh
@@ -66,12 +66,9 @@ struct DeviceRecord
       if (unlikely (i >= len ())) return nullptr;
       hb_codepoint_t gid = this->subset_plan->glyphs [i];
 
-      const HBUINT8* width = &(this->source_device_record->widthsZ[gid]);
-
-      if (width < ((const HBUINT8 *) this->source_device_record) + sizeDeviceRecord)
-	return width;
-      else
-	return nullptr;
+      if (gid >= sizeDeviceRecord - DeviceRecord::min_size)
+        return nullptr;
+      return &(this->source_device_record->widthsZ[gid]);
     }
   };
 
@@ -135,6 +132,8 @@ struct hdmx
 
   inline const DeviceRecord& operator [] (unsigned int i) const
   {
+    /* XXX Null(DeviceRecord) is NOT safe as it's num-glyphs lengthed.
+     * https://github.com/harfbuzz/harfbuzz/issues/1300 */
     if (unlikely (i >= numRecords)) return Null (DeviceRecord);
     return StructAtOffset<DeviceRecord> (&this->firstDeviceRecord, i * sizeDeviceRecord);
   }