From 1c3372786c503f3f9108971dfa8956e4cb95f65d Mon Sep 17 00:00:00 2001
From: Garret Rieger <grieger@google.com>
Date: Tue, 27 Mar 2018 10:42:19 -0700
Subject: [PATCH] [subset] fix infinite loop bug in looping through tables for
 subsetting.

---
 src/hb-subset.cc                              |   2 +-
 ...inimized-hb-subset-fuzzer-5521982557782016 | Bin 0 -> 1228 bytes
 test/api/test-subset.c                        |  23 ++++++++++++++++++
 3 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 test/api/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5521982557782016

diff --git a/src/hb-subset.cc b/src/hb-subset.cc
index 2a2f85579..b253817eb 100644
--- a/src/hb-subset.cc
+++ b/src/hb-subset.cc
@@ -363,8 +363,8 @@ hb_subset (hb_face_t *source,
         continue;
       }
       success = success && _subset_table (plan, tag);
-      offset += count;
     }
+    offset += count;
   } while (count == ARRAY_LENGTH (table_tags));
 
   hb_face_t *result = success ? hb_face_reference(plan->dest) : hb_face_get_empty();
diff --git a/test/api/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5521982557782016 b/test/api/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5521982557782016
new file mode 100644
index 0000000000000000000000000000000000000000..55541f74951791d86f226c109f0a760932964a05
GIT binary patch
literal 1228
zcmZQzWME+MQ2+z?ocv^$GM`cg24)|Irwj`2!J$r*MbpKA{2ZVvvy9x5iZZU|<qUjG
zKp}<%korVt1~wo^1t_nEq~H4w157_qhL52Erk+y$IPCKQ+5&N}AlSXw>{r0!UUdCP
z{zr8`y8Y;Uc=(~ZhdA@V;f-n^wZcmQHGa_ji!HqH#V@*ky#50wF#({j!07`=cww`D
zG`^7YBWilW7G6|~FXa3Tjj#M1237_s1{O|WZkJ;e1?FZ(FdH-H<4GByoCzv!7>w|j
wByi6Gl`{SR|DP9DcqA$^Dl)T&|LNubd*<vT<^tyJf9<&$Oc;$BL_iJ#0C|7!ZU6uP

literal 0
HcmV?d00001

diff --git a/test/api/test-subset.c b/test/api/test-subset.c
index 6bf5c066d..6d2bf06e1 100644
--- a/test/api/test-subset.c
+++ b/test/api/test-subset.c
@@ -51,6 +51,28 @@ test_subset_32_tables (void)
   hb_face_destroy (face);
 }
 
+static void
+test_subset_no_inf_loop (void)
+{
+  hb_face_t *face = hb_subset_test_open_font("fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5521982557782016");
+
+  hb_subset_input_t *input = hb_subset_input_create_or_fail ();
+  hb_set_t *codepoints = hb_subset_input_unicode_set (input);
+  hb_set_add (codepoints, 'a');
+  hb_set_add (codepoints, 'b');
+  hb_set_add (codepoints, 'c');
+
+  hb_subset_profile_t *profile = hb_subset_profile_create();
+  hb_face_t *subset = hb_subset (face, profile, input);
+  g_assert (subset);
+  g_assert (subset == hb_face_get_empty ());
+
+  hb_subset_input_destroy (input);
+  hb_subset_profile_destroy (profile);
+  hb_face_destroy (subset);
+  hb_face_destroy (face);
+}
+
 static void
 test_subset_crash (void)
 {
@@ -79,6 +101,7 @@ main (int argc, char **argv)
   hb_test_init (&argc, &argv);
 
   hb_test_add (test_subset_32_tables);
+  hb_test_add (test_subset_no_inf_loop);
   hb_test_add (test_subset_crash);
 
   return hb_test_run();