[otlayout] Avoid invalid access with Context format 3.
Backport https://github.com/behdad/harfbuzz/commit/9df0a520 to our
present copy of HarfBuzz to fix a potential crasher.
Bug: 18789351
Change-Id: I89fc1dd7f9fd57f50babacea2b341a31e1bf41ee
diff --git a/src/hb-ot-layout-gsubgpos-private.hh b/src/hb-ot-layout-gsubgpos-private.hh
index 546ff4b..fc9eed0 100644
--- a/src/hb-ot-layout-gsubgpos-private.hh
+++ b/src/hb-ot-layout-gsubgpos-private.hh
@@ -1479,6 +1479,7 @@
TRACE_SANITIZE (this);
if (!c->check_struct (this)) return TRACE_RETURN (false);
unsigned int count = glyphCount;
+ if (!count) return TRACE_RETURN (false); /* We want to access coverage[0] freely. */
if (!c->check_array (coverage, coverage[0].static_size, count)) return TRACE_RETURN (false);
for (unsigned int i = 0; i < count; i++)
if (!coverage[i].sanitize (c, this)) return TRACE_RETURN (false);
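Review bot: The comment on the new `if (!count)` guard states an intent but not the invariant it establishes. Since this sanitizer is what stands between untrusted font data and the layout code, the comment should say why zero is rejected, for example `/* Reject glyphCount == 0: code that runs after sanitize reads coverage[0] without a length check. */` (the "reads coverage[0]" part is inferred from the existing comment and the commit title, so confirm it against the callers). The commit also adds no regression input for a Context format 3 subtable with a zero glyphCount, so nothing would catch the guard being lost in a later HarfBuzz re-sync. The function body starts and ends outside this hunk, so the validation of whatever follows the coverage array is not visible here.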
@@ -2090,6 +2091,7 @@
if (!backtrack.sanitize (c, this)) return TRACE_RETURN (false);
OffsetArrayOf<Coverage> &input = StructAfter<OffsetArrayOf<Coverage> > (backtrack);
if (!input.sanitize (c, this)) return TRACE_RETURN (false);
+ if (!input.len) return TRACE_RETURN (false); /* To be consistent with Context. */
OffsetArrayOf<Coverage> &lookahead = StructAfter<OffsetArrayOf<Coverage> > (input);
if (!lookahead.sanitize (c, this)) return TRACE_RETURN (false);
ArrayOf<LookupRecord> &lookup = StructAfter<ArrayOf<LookupRecord> > (lookahead);
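Review bot: `/* To be consistent with Context. */` on the `input.len` guard does not tell a reader whether an empty input array is rejected only for symmetry or because later code would index `input[0]` unsafely. Whichever holds should be stated, e.g. `/* Reject an empty input array, matching ContextFormat3's glyphCount == 0 check. */`, plus the actual access if there is one. The guard is correctly placed after `input.sanitize (c, this)`, since `input.len` is presumably only trustworthy once that call has validated the array header. A short comment to that effect would stop a later reorder from reading the length out of unvalidated data. The function continues past the hunk, so the handling of `lookup` is not covered by this note.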