From ddb84dcece8a12a5615cb1609030a52387bd2fce Mon Sep 17 00:00:00 2001
From: Michiharu Ariza
Date: Fri, 29 Mar 2019 10:32:42 -0700
Subject: [PATCH] fix gvar fuzz bug

---
 .gitignore                  | 1 +
 src/hb-ot-var-gvar-table.hh | 8 +++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 .gitignore

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 000000000..da127e065
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+libtool
diff --git a/src/hb-ot-var-gvar-table.hh b/src/hb-ot-var-gvar-table.hh
index 354edf99f..9def7a3c2 100644
--- a/src/hb-ot-var-gvar-table.hh
+++ b/src/hb-ot-var-gvar-table.hh
@@ -511,7 +511,13 @@ struct gvar
   }
 
   unsigned int get_glyph_var_data_length (unsigned int glyph) const
-  { return get_offset (glyph+1) - get_offset (glyph); }
+  {
+    unsigned int end_offset = get_offset (glyph+1);
+    unsigned int start_offset = get_offset (glyph);
+    if (unlikely (start_offset > end_offset || end_offset > get_offset(glyphCount)))
+      return 0;
+    return end_offset - start_offset;
+  }
 
   const HBUINT32 *get_long_offset_array () const { return (const HBUINT32 *)&offsetZ; }
   const HBUINT16 *get_short_offset_array () const { return (const HBUINT16 *)&offsetZ; }
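Review bot: The new body of get_glyph_var_data_length still indexes the offset array with `glyph+1` and `glyph` before anything checks that `glyph` is in range, so a glyph id at or beyond glyphCount (or UINT_MAX, where `glyph+1` wraps to 0) reads past offsetZ before the added range test runs; the comparison against `get_offset(glyphCount)` bounds the returned length, not the index. Adding `if (unlikely (glyph >= glyphCount)) return 0;` as the first line would close that, unless every caller already guards the index, which is not visible from this hunk. Note also that `get_offset(glyphCount)` is itself font-supplied data, so the returned length is only trustworthy if sanitize() elsewhere checks the final offset against the table's actual byte length; a one-line comment stating that assumption, e.g. `/* relies on sanitize() having bounded get_offset(glyphCount) to the table size */`, would help the next reader. The enclosing struct gvar begins outside this hunk.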