From f7677213d7e2637796eb61df3bce89e163821cf4 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod
Date: Fri, 29 Jul 2022 11:57:57 -0600
Subject: [PATCH] [SingleSubstFormat1] Don't close glyphs in degenerate cases

Fixes https://oss-fuzz.com/testcase-detail/5145429829877760
---
 src/OT/Layout/GSUB/SingleSubstFormat1.hh | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/OT/Layout/GSUB/SingleSubstFormat1.hh b/src/OT/Layout/GSUB/SingleSubstFormat1.hh
index d46bba254..fd9197b82 100644
--- a/src/OT/Layout/GSUB/SingleSubstFormat1.hh
+++ b/src/OT/Layout/GSUB/SingleSubstFormat1.hh
@@ -45,6 +45,18 @@ struct SingleSubstFormat1_3
     hb_set_t intersection;
     (this+coverage).intersect_set (c->parent_active_glyphs (), intersection);
 
+    /* In degenerate fuzzer-found fonts, but not real fonts,
+     * this table can keep adding new glyphs in each round of closure.
+     * Refuse to close-over, if it maps glyph range to overlapping range. */
+    hb_codepoint_t min_before = intersection.get_min ();
+    hb_codepoint_t max_before = intersection.get_max ();
+    hb_codepoint_t min_after = (min_before + d) & mask;
+    hb_codepoint_t max_after = (min_before + d) & mask;
+    if ((this+coverage).get_population () >= max_before - min_before &&
+        ((min_before <= min_after && min_after <= max_before) ||
+         (min_before <= max_after && max_after <= max_before)))
+      return;
+
     + hb_iter (intersection)
     | hb_map ([d, mask] (hb_codepoint_t g) { return (g + d) & mask; })
     | hb_sink (c->output)
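Review bot: The `max_after` line is computed from `min_before`, so `max_after` always equals `min_after` and the second disjunct of the overlap test is dead; the guard only fires when the shifted minimum lands inside the old range, and a delta that moves the minimum below the range while the shifted maximum still falls inside it (the wrap-around case via `mask`) slips through, which is exactly the kind of repeating-closure input the commit is trying to stop. The intended line is `hb_codepoint_t max_after = (max_before + d) & mask;`. The contiguity heuristic also looks off: it compares the population of the whole coverage, not of `intersection`, against `max_before - min_before`, and a full range has `max - min + 1` members, so `intersection.get_population () == max_before - min_before + 1` would express the "range maps onto overlapping range" condition the comment describes. I cannot tell from the hunk what `get_min ()`/`get_max ()` return for an empty `intersection`; if they are sentinel values the early return is harmless there since the pipeline would add nothing, but a short comment saying so would help. The enclosing `closure` method begins and ends outside this hunk.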