From de6e414c565de5f27b9da8c7b8b11f88659a4c42 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Sat, 13 Oct 2018 13:48:22 -0400
Subject: [PATCH] [kerx] Sanitize more

---
 src/hb-aat-layout-kerx-table.hh | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/hb-aat-layout-kerx-table.hh b/src/hb-aat-layout-kerx-table.hh
index 95dd50ddd..52923a8da 100644
--- a/src/hb-aat-layout-kerx-table.hh
+++ b/src/hb-aat-layout-kerx-table.hh
@@ -256,7 +256,8 @@ struct KerxSubTableFormat2
     TRACE_SANITIZE (this);
     return_trace (likely (rowWidth.sanitize (c) &&
 			  leftClassTable.sanitize (c, this) &&
-			  rightClassTable.sanitize (c, this)));
+			  rightClassTable.sanitize (c, this) &&
+			  c->check_range (this, array)));
   }
 
   struct accelerator_t
@@ -516,10 +517,12 @@ struct KerxSubTableFormat6
 			  is_long () ?
 			  (
 			    u.l.rowIndexTable.sanitize (c, this) &&
-			    u.l.columnIndexTable.sanitize (c, this)
+			    u.l.columnIndexTable.sanitize (c, this) &&
+			    c->check_range (this, u.l.array)
 			  ) : (
 			    u.s.rowIndexTable.sanitize (c, this) &&
-			    u.s.columnIndexTable.sanitize (c, this)
+			    u.s.columnIndexTable.sanitize (c, this) &&
+			    c->check_range (this, u.s.array)
 			  )));
   }