From 2d6091fc42c81ba68fe6710de42d313cfda7a309 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Fri, 30 Jun 2023 11:48:56 -0600
Subject: [PATCH] [GPOS] Make AnchorMatrix sanitize lazy again

Was reverted in the previous commit, because it was incomplete.
---
 src/OT/Layout/GPOS/AnchorFormat3.hh |  3 ---
 src/OT/Layout/GPOS/AnchorMatrix.hh  | 14 ++++++++++----
 src/OT/Layout/GPOS/MarkArray.hh     |  2 +-
 src/OT/Layout/GPOS/ValueFormat.hh   |  6 +++---
 src/hb-ot-layout-gsubgpos.hh        |  2 +-
 src/hb-sanitize.hh                  |  4 ++--
 6 files changed, 17 insertions(+), 14 deletions(-)

diff --git a/src/OT/Layout/GPOS/AnchorFormat3.hh b/src/OT/Layout/GPOS/AnchorFormat3.hh
index 703d126b2..8684f60ca 100644
--- a/src/OT/Layout/GPOS/AnchorFormat3.hh
+++ b/src/OT/Layout/GPOS/AnchorFormat3.hh
@@ -27,9 +27,6 @@ struct AnchorFormat3
     TRACE_SANITIZE (this);
     if (unlikely (!c->check_struct (this))) return_trace (false);
 
-    if (c->lazy_gpos_devices)
-      return_trace (true);
-
     return_trace (xDeviceTable.sanitize (c, this) && yDeviceTable.sanitize (c, this));
   }
 
diff --git a/src/OT/Layout/GPOS/AnchorMatrix.hh b/src/OT/Layout/GPOS/AnchorMatrix.hh
index e62e64f3a..bd9b18973 100644
--- a/src/OT/Layout/GPOS/AnchorMatrix.hh
+++ b/src/OT/Layout/GPOS/AnchorMatrix.hh
@@ -22,18 +22,24 @@ struct AnchorMatrix
     unsigned int count = rows * cols;
     if (!c->check_array (matrixZ.arrayZ, count)) return_trace (false);
 
+    if (c->lazy_some_gpos)
+      return_trace (true);
+
     for (unsigned int i = 0; i < count; i++)
       if (!matrixZ[i].sanitize (c, this)) return_trace (false);
     return_trace (true);
   }
 
-  const Anchor& get_anchor (unsigned int row, unsigned int col,
-                            unsigned int cols, bool *found) const
+  const Anchor& get_anchor (hb_ot_apply_context_t *c,
+			    unsigned int row, unsigned int col,
+			    unsigned int cols, bool *found) const
   {
     *found = false;
     if (unlikely (row >= rows || col >= cols)) return Null (Anchor);
-    *found = !matrixZ[row * cols + col].is_null ();
-    return this+matrixZ[row * cols + col];
+    auto &offset = matrixZ[row * cols + col];
+    if (unlikely (!offset.sanitize (&c->sanitizer, this))) return Null (Anchor);
+    *found = !offset.is_null ();
+    return this+offset;
   }
 
   template <typename Iterator,
diff --git a/src/OT/Layout/GPOS/MarkArray.hh b/src/OT/Layout/GPOS/MarkArray.hh
index ff43ffb8c..34e2ab8f6 100644
--- a/src/OT/Layout/GPOS/MarkArray.hh
+++ b/src/OT/Layout/GPOS/MarkArray.hh
@@ -28,7 +28,7 @@ struct MarkArray : Array16Of<MarkRecord>        /* Array of MarkRecords--in Cove
 
     const Anchor& mark_anchor = this + record.markAnchor;
     bool found;
-    const Anchor& glyph_anchor = anchors.get_anchor (glyph_index, mark_class, class_count, &found);
+    const Anchor& glyph_anchor = anchors.get_anchor (c, glyph_index, mark_class, class_count, &found);
     /* If this subtable doesn't have an anchor for this base and this class,
      * return false such that the subsequent subtables have a chance at it. */
     if (unlikely (!found)) return_trace (false);
diff --git a/src/OT/Layout/GPOS/ValueFormat.hh b/src/OT/Layout/GPOS/ValueFormat.hh
index 55a9cea8b..46b69bcfe 100644
--- a/src/OT/Layout/GPOS/ValueFormat.hh
+++ b/src/OT/Layout/GPOS/ValueFormat.hh
@@ -360,7 +360,7 @@ struct ValueFormat : HBUINT16
 
     if (unlikely (!c->check_range (values, get_size ()))) return_trace (false);
 
-    if (c->lazy_gpos_devices)
+    if (c->lazy_some_gpos)
       return_trace (true);
 
     return_trace (!has_device () || sanitize_value_devices (c, base, values));
@@ -373,7 +373,7 @@ struct ValueFormat : HBUINT16
 
     if (!c->check_range (values, count, size)) return_trace (false);
 
-    if (c->lazy_gpos_devices)
+    if (c->lazy_some_gpos)
       return_trace (true);
 
     return_trace (sanitize_values_stride_unsafe (c, base, values, count, size));
@@ -384,7 +384,7 @@ struct ValueFormat : HBUINT16
   {
     TRACE_SANITIZE (this);
 
-    if (c->lazy_gpos_devices)
+    if (c->lazy_some_gpos)
       return_trace (true);
 
     if (!has_device ()) return_trace (true);
diff --git a/src/hb-ot-layout-gsubgpos.hh b/src/hb-ot-layout-gsubgpos.hh
index 713f015f8..67984331b 100644
--- a/src/hb-ot-layout-gsubgpos.hh
+++ b/src/hb-ot-layout-gsubgpos.hh
@@ -4513,7 +4513,7 @@ struct GSUBGPOS
     accelerator_t (hb_face_t *face)
     {
       hb_sanitize_context_t sc;
-      sc.lazy_gpos_devices = true;
+      sc.lazy_some_gpos = true;
       this->table = sc.reference_table<T> (face);
 
       if (unlikely (this->table->is_blocklisted (this->table.get_blob (), face)))
diff --git a/src/hb-sanitize.hh b/src/hb-sanitize.hh
index c28582997..0dcff61d6 100644
--- a/src/hb-sanitize.hh
+++ b/src/hb-sanitize.hh
@@ -128,7 +128,7 @@ struct hb_sanitize_context_t :
 	blob (nullptr),
 	num_glyphs (65536),
 	num_glyphs_set (false),
-	lazy_gpos_devices (false) {}
+	lazy_some_gpos (false) {}
 
   const char *get_name () { return "SANITIZE"; }
   template <typename T, typename F>
@@ -442,7 +442,7 @@ struct hb_sanitize_context_t :
   unsigned int num_glyphs;
   bool  num_glyphs_set;
   public:
-  bool lazy_gpos_devices;
+  bool lazy_some_gpos;
 };
 
 struct hb_sanitize_with_object_t