[serialize] Check offset base is within (possibly end of) object

diff --git a/src/hb-serialize.hh b/src/hb-serialize.hh
index 9fa0658..e7c6445 100644 (file)
--- a/src/hb-serialize.hh
+++ b/src/hb-serialize.hh
@@ -295,6 +295,7 @@ struct hb_serialize_context_t
       {
         const object_t::link_t &link = *link_it;
        const object_t &child = *packed[link.objidx];
+       assert (link.bias <= parent.tail - parent.head);
        unsigned offset = (child.head - parent.head) - link.bias;
 
        if (link.is_wide)