[subset] fixes infinite loop in hb_set_get_max().
Fixes https://oss-fuzz.com/testcase-detail/5363902507515904
diff --git a/src/hb-set.hh b/src/hb-set.hh
index 6840dde..9404ba2 100644
--- a/src/hb-set.hh
+++ b/src/hb-set.hh
@@ -832,7 +832,7 @@
hb_codepoint_t get_max () const
{
unsigned int count = pages.length;
- for (int i = count - 1; i >= 0; i++)
+ for (int i = count - 1; i >= 0; i--)
if (!page_at (i).is_empty ())
return page_map[(unsigned) i].major * page_t::PAGE_BITS + page_at (i).get_max ();
return INVALID;
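Review bot: The countdown in get_max () still mixes signed and unsigned arithmetic: `count - 1` is evaluated as `unsigned int` and only then converted to `int`, so the empty-set case relies on that conversion producing -1, and a page count above INT_MAX would start at a negative index and skip every page. An unsigned countdown such as `for (unsigned i = count; i-- > 0;)` removes the conversion and makes the `(unsigned) i` cast on the return line unnecessary. A short comment on the loop would also help, noting that the index must stay within `pages.length`: with the old `i++` it stepped past the last page whenever that page was empty. Whether `page_at ()` bounds-checks is not visible in this hunk. The function's closing brace lies outside the hunk.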
diff --git a/test/api/test-set.c b/test/api/test-set.c
index eb690b8..30a4767 100644
--- a/test/api/test-set.c
+++ b/test/api/test-set.c
@@ -121,6 +121,11 @@
hb_set_del (s, 800);
g_assert (!hb_set_has (s, 800));
+ g_assert_cmpint (hb_set_get_max (s), ==, 799);
+
+ hb_set_del_range (s, 0, 799);
+ g_assert_cmpint (hb_set_get_max (s), ==, HB_SET_VALUE_INVALID);
+
hb_set_destroy (s);
}
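Review bot: The added assertions do not clearly cover the path where hb_set_get_max () skips an empty trailing page and then returns a value from an earlier page. The 799 check may find its answer on the last page, and the check after `hb_set_del_range` only covers the all-empty result. If deleting the only member of a page leaves an empty page behind (not visible here), then `hb_set_add (s, 70000); hb_set_del (s, 70000);` followed by `g_assert_cmpint (hb_set_get_max (s), ==, 799);`, placed before the `hb_set_del_range` call, would pin that path; 70000 is an arbitrary constructed value far from 799. `g_assert_cmpuint` would also suit the unsigned return value better than `g_assert_cmpint`, assuming HB_SET_VALUE_INVALID is an unsigned sentinel. The test function starts outside the hunk.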
@@ -501,7 +506,7 @@
for (unsigned i = 0; i < n; i++)
hb_set_del_range (s, ranges[i].b, ranges[i].e);
-
+
hb_set_del_range (s, P*13+5, P*15-10); /* Deletion from deleted pages. */
for (unsigned i = 0; i < n; i++)
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5363902507515904 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5363902507515904
new file mode 100644
index 0000000..1ad7971
--- /dev/null
+++ b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5363902507515904
Binary files differ