[subset] fuzzer fix: https://oss-fuzz.com/testcase-detail/6616166961905664
diff --git a/src/hb-ot-math-table.hh b/src/hb-ot-math-table.hh
index f9c5a83..c2e365d 100644
--- a/src/hb-ot-math-table.hh
+++ b/src/hb-ot-math-table.hh
@@ -836,12 +836,16 @@
   void collect_coverage_and_indices (hb_sorted_vector_t<hb_codepoint_t>& new_coverage,
                                      const Offset16To<Coverage>& coverage,
                                      unsigned i,
+                                     unsigned end_index,
                                      hb_set_t& indices,
                                      const hb_set_t& glyphset,
                                      const hb_map_t& glyph_map) const
   {
+    if (!coverage) return;
+
     for (const auto _ : (this+coverage).iter ())
     {
+      if (i >= end_index) return;
       if (glyphset.has (_))
       {
         unsigned new_gid = glyph_map.get (_);
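Review bot: The new `end_index` parameter and the `if (i >= end_index) return;` guard in collect_coverage_and_indices have no comment explaining why the bound exists. The coverage table comes from the font and may list more glyphs than the count field the caller passes, so the guard is what keeps out-of-range values out of `indices`. I would add above the guard `// Coverage is font-controlled and may list more glyphs than the declared count; never emit an index >= end_index.` and document `i` as the first index to assign and `end_index` as one past the last. The loop body continues outside the hunk, so where `i` is advanced is not visible here.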
@@ -866,8 +870,8 @@
     hb_sorted_vector_t<hb_codepoint_t> new_vert_coverage;
     hb_sorted_vector_t<hb_codepoint_t> new_hori_coverage;
     hb_set_t indices;
-    collect_coverage_and_indices (new_vert_coverage, vertGlyphCoverage, 0, indices, glyphset, glyph_map);
-    collect_coverage_and_indices (new_hori_coverage, horizGlyphCoverage, vertGlyphCount, indices, glyphset, glyph_map);
+    collect_coverage_and_indices (new_vert_coverage, vertGlyphCoverage, 0, vertGlyphCount, indices, glyphset, glyph_map);
+    collect_coverage_and_indices (new_hori_coverage, horizGlyphCoverage, vertGlyphCount, vertGlyphCount + horizGlyphCount, indices, glyphset, glyph_map);
     
     if (!c->serializer->check_assign (out->vertGlyphCount, new_vert_coverage.length, HB_SERIALIZE_ERROR_INT_OVERFLOW))
       return_trace (false);
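Review bot: The end bounds passed in the two calls, `vertGlyphCount` and `vertGlyphCount + horizGlyphCount`, are count fields read from the font, and nothing in this hunk shows that whatever is later indexed through `indices` was validated for that total. If the table's sanitize step already guarantees it (presumably it does), a one-line comment would make the dependency explicit, e.g. `// indices stay below vertGlyphCount + horizGlyphCount, the length validated at sanitize time`. The field types are not visible here; if they are 16-bit the sum is computed in a wider type and cannot wrap, which is also worth stating. The enclosing function starts and ends outside the hunk.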
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-6616166961905664 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-6616166961905664
new file mode 100644
index 0000000..35b6479
--- /dev/null
+++ b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-6616166961905664
Binary files differ