From d3d2f32c6e85de1d7fbbb18afef356e09110e61c Mon Sep 17 00:00:00 2001
From: Michiharu Ariza
Date: Tue, 4 Dec 2018 13:51:26 -0800
Subject: [PATCH] fix oss-fuzz 11657: buffer overrun

Check overrun in Charset1_2::get_glyph
---
 src/hb-ot-cff1-table.hh | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/hb-ot-cff1-table.hh b/src/hb-ot-cff1-table.hh
index 01c0e43..aac66d8 100644
--- a/src/hb-ot-cff1-table.hh
+++ b/src/hb-ot-cff1-table.hh
@@ -392,13 +392,15 @@ struct Charset1_2 {
 return 0;
 }
 
- inline hb_codepoint_t get_glyph (hb_codepoint_t sid) const
+ inline hb_codepoint_t get_glyph (hb_codepoint_t sid, unsigned int num_glyphs) const
 {
 if (sid == 0) return 0;
 hb_codepoint_t glyph = 1;
 for (unsigned int i = 0;; i++)
 {
- if ((ranges[i].first <= sid) && sid <= ranges[i].first + ranges[i].nLeft)
+ if (glyph >= num_glyphs)
+ return 0;
+ if ((ranges[i].first <= sid) && (sid <= ranges[i].first + ranges[i].nLeft))
 return glyph + (sid - ranges[i].first);
 glyph += (ranges[i].nLeft + 1);
 }
@@ -550,9 +552,9 @@ struct Charset {
 if (format == 0)
 return u.format0.get_glyph (sid, num_glyphs);
 else if (format == 1)
- return u.format1.get_glyph (sid);
+ return u.format1.get_glyph (sid, num_glyphs);
 else
- return u.format2.get_glyph (sid);
+ return u.format2.get_glyph (sid, num_glyphs);
 }
 
 HBUINT8 format;
-- 
2.7.4
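Review bot: The new `if (glyph >= num_glyphs) return 0;` in Charset1_2::get_glyph bounds the walk over `ranges`, but the value returned on a match, `glyph + (sid - ranges[i].first)`, is not bounded: a final range whose `nLeft` extends past the glyph count still yields a glyph id of num_glyphs or more. If callers index per-glyph tables by the result (not visible from this hunk), that is the same class of out-of-range access the commit is fixing, one level up. I would make the match branch `{ hb_codepoint_t g = glyph + (sid - ranges[i].first); return g < num_glyphs ? g : 0; }`. Whether sanitize() already clamps the last range's nLeft is not visible here, so confirm that before treating the extra check as redundant; the second hunk only threads num_glyphs through Charset::get_glyph and needs no change. get_glyph's closing brace lies outside the hunk.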