[hangul] Fix use-after-free issue
out_info might have moved since we copied it's position into local
info var.
Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=894937
diff --git a/src/hb-ot-shape-complex-hangul.cc b/src/hb-ot-shape-complex-hangul.cc
index 0e7abad..9595402 100644
--- a/src/hb-ot-shape-complex-hangul.cc
+++ b/src/hb-ot-shape-complex-hangul.cc
@@ -345,13 +345,6 @@
{
unsigned int s_len = tindex ? 3 : 2;
buffer->replace_glyphs (1, s_len, decomposed);
- if (unlikely (!buffer->successful))
- return;
-
- /* We decomposed S: apply jamo features to the individual glyphs
- * that are now in buffer->out_info.
- */
- hb_glyph_info_t *info = buffer->out_info;
/* If we decomposed an LV because of a non-combining T following,
* we want to include this T in the syllable.
@@ -361,6 +354,14 @@
buffer->next_glyph ();
s_len++;
}
+
+ if (unlikely (!buffer->successful))
+ return;
+
+ /* We decomposed S: apply jamo features to the individual glyphs
+ * that are now in buffer->out_info.
+ */
+ hb_glyph_info_t *info = buffer->out_info;
end = start + s_len;
unsigned int i = start;
@@ -368,6 +369,7 @@
info[i++].hangul_shaping_feature() = VJMO;
if (i < end)
info[i++].hangul_shaping_feature() = TJMO;
+
if (buffer->cluster_level == HB_BUFFER_CLUSTER_LEVEL_MONOTONE_GRAPHEMES)
buffer->merge_out_clusters (start, end);
continue;
