From dc03a993d0f2b6db7c5cfb11eaa6e8a4f6f274e6 Mon Sep 17 00:00:00 2001
From: Ebrahim Byagowi
Date: Sun, 12 Jan 2020 14:21:29 +0330
Subject: [PATCH] Fix collect lookups logic of FeatureTableSubstitution (#2097)
https://crbug.com/oss-fuzz/20036
---
 src/hb-ot-layout-common.hh | 6 +++---
 ...e-minimized-hb-subset-fuzzer-5715299773186048 | Bin 0 -> 6717 bytes
 2 files changed, 3 insertions(+), 3 deletions(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5715299773186048
diff --git a/src/hb-ot-layout-common.hh b/src/hb-ot-layout-common.hh
index af394b5b7..fec8f1ec5 100644
--- a/src/hb-ot-layout-common.hh
+++ b/src/hb-ot-layout-common.hh
@@ -2299,9 +2299,9 @@ struct FeatureTableSubstitutionRecord
 {
 friend struct FeatureTableSubstitution;
- void collect_lookups (hb_set_t *lookup_indexes /* OUT */) const
+ void collect_lookups (const void *base, hb_set_t *lookup_indexes /* OUT */) const
 {
- return (this+feature).add_lookup_indexes_to (lookup_indexes);
+ return (base+feature).add_lookup_indexes_to (lookup_indexes);
 }
 bool sanitize (hb_sanitize_context_t *c, const void *base) const
@@ -2338,7 +2338,7 @@ struct FeatureTableSubstitution
 | hb_filter (feature_indexes, &FeatureTableSubstitutionRecord::featureIndex)
 | hb_apply ([=] (const FeatureTableSubstitutionRecord& r)
 {
- r.collect_lookups (lookup_indexes);
+ r.collect_lookups (this, lookup_indexes);
 })
 ;
 }
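Review bot: In FeatureTableSubstitutionRecord::collect_lookups the new `base` parameter is an untyped `const void *`, so nothing stops a later caller from passing the record itself again and resolving `feature` against the wrong origin, which is the mistake this commit corrects. A comment above the method would pin the contract, e.g. `/* base: the enclosing FeatureTableSubstitution, i.e. the same base given to sanitize(); feature is an offset from it, not from this record. */`. The sanitize() body is outside the hunk, so that it validates `feature` against this same base is inferred from its signature only.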
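Review bot: The lambda passed to hb_apply in FeatureTableSubstitution now uses `this` but still captures with `[=]`, which picks up `this` implicitly (deprecated since C++20) and hides that the record offsets are resolved against the enclosing table. Spelling the capture out as `[this, lookup_indexes]` makes that dependency visible and keeps the lambda from silently capturing anything else later. The enclosing method starts outside the hunk.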
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5715299773186048 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5715299773186048 new file mode 100644 index 0000000000000000000000000000000000000000..b7a37214a8c1ab2a0d17898d71f1002c15170165 GIT binary patch literal 6717 zcmeGgO;1xnaJHqTE#*;2NTZ28`2!Tc5>J4ocp$+Ph$fI2gC0z@HGs6BX(XlCvTZ1& z&jJmp2a_fy9>k*_xcLK&a*@P%Fx)tJs7ViXX1A}_k46p{`{3wA& zp+Zx^i*yDUa!mLK=n!}ZVytWvcsLAW+dE~dyh(sDhN9(xoK@ ze_%k{7*{xJKWI~mPia7|ak(cX-iYhHR~s&Qk4E-B2kWmjt@pD*G+FW1$E?=Gm&Tq| zBc@QC`&SWOi{qcmV&vO>WSSrRjpw2DCk@k5#m33kGym~%QZXU`fDO)q{ omh^Sg_v<;}ke+&vv=7r_o8iOi`7q;tT!;7L)x1skuw7u^0T9tYBLDyZ literal 0 HcmV?d00001