From 08784baf101aea472c133dcd67604b475ace3772 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Thu, 2 Mar 2023 10:48:30 -0700
Subject: [PATCH] [GSUB/GPOS] Fix sanitization in Format1

Fixes https://oss-fuzz.com/testcase-detail/5120727025319936
---
 src/OT/Layout/GPOS/SinglePosFormat1.hh   | 14 ++++++++------
 src/OT/Layout/GSUB/SingleSubstFormat1.hh | 14 ++++++++------
 2 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/src/OT/Layout/GPOS/SinglePosFormat1.hh b/src/OT/Layout/GPOS/SinglePosFormat1.hh
index f379e011a..623e4e66b 100644
--- a/src/OT/Layout/GPOS/SinglePosFormat1.hh
+++ b/src/OT/Layout/GPOS/SinglePosFormat1.hh
@@ -28,12 +28,14 @@ struct SinglePosFormat1
     TRACE_SANITIZE (this);
     return_trace (c->check_struct (this) &&
                   coverage.sanitize (c, this) &&
-                  valueFormat.sanitize_value (c, this, values) &&
-                  // The coverage  table may use a range to represent a set
-                  // of glyphs, which means a small number of bytes can
-                  // generate a large glyph set. Manually modify the
-                  // sanitizer max ops to take this into account.
-                  c->check_ops ((this + coverage).get_population () >> 1));
+                  /* The coverage  table may use a range to represent a set
+                   * of glyphs, which means a small number of bytes can
+                   * generate a large glyph set. Manually modify the
+                   * sanitizer max ops to take this into account.
+                   *
+                   * Note: This check *must* be right after coverage sanitize. */
+                  c->check_ops ((this + coverage).get_population () >> 1) &&
+                  valueFormat.sanitize_value (c, this, values));
 
   }
 
diff --git a/src/OT/Layout/GSUB/SingleSubstFormat1.hh b/src/OT/Layout/GSUB/SingleSubstFormat1.hh
index c48ff4427..5b54fdb07 100644
--- a/src/OT/Layout/GSUB/SingleSubstFormat1.hh
+++ b/src/OT/Layout/GSUB/SingleSubstFormat1.hh
@@ -25,12 +25,14 @@ struct SingleSubstFormat1_3
   bool sanitize (hb_sanitize_context_t *c) const
   {
     TRACE_SANITIZE (this);
-    return_trace (coverage.sanitize (c, this) &&
-                  deltaGlyphID.sanitize (c) &&
-                  // The coverage  table may use a range to represent a set
-                  // of glyphs, which means a small number of bytes can
-                  // generate a large glyph set. Manually modify the
-                  // sanitizer max ops to take this into account.
+    return_trace (c->check_struct (this) &&
+                  coverage.sanitize (c, this) &&
+                  /* The coverage  table may use a range to represent a set
+                   * of glyphs, which means a small number of bytes can
+                   * generate a large glyph set. Manually modify the
+                   * sanitizer max ops to take this into account.
+                   *
+                   * Note: This check *must* be right after coverage sanitize. */
                   c->check_ops ((this + coverage).get_population () >> 1));
   }