From 32c85b8c8c1994e318dce49b928a7298a0b23560 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Sat, 23 Jul 2022 10:50:26 -0600
Subject: [PATCH] [avar2] Fix mapping when coords length don't match

Ouch.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=49407
---
 src/hb-ot-var-avar-table.hh                       |   3 +++
 ...ase-minimized-hb-shape-fuzzer-4523349576908800 | Bin 0 -> 140 bytes
 2 files changed, 3 insertions(+)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-4523349576908800

diff --git a/src/hb-ot-var-avar-table.hh b/src/hb-ot-var-avar-table.hh
index 18510d36a..5946aef63 100644
--- a/src/hb-ot-var-avar-table.hh
+++ b/src/hb-ot-var-avar-table.hh
@@ -186,6 +186,9 @@ struct avar
     if (version.major < 2)
       return;
 
+    for (; count < axisCount; count++)
+      map = &StructAfter<SegmentMaps> (*map);
+
     const auto &v2 = * (const avarV2Tail *) map;
 
     const auto &varidx_map = this+v2.varIdxMap;
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-4523349576908800 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-shape-fuzzer-4523349576908800
new file mode 100644
index 0000000000000000000000000000000000000000..d66fb2af5673c2fe20abefcf4884f5ea44ab6043
GIT binary patch
literal 140
ycmZQzWME+6P{0Zj%Myz~5<nF>*cALn7yOSQf}(<f3B+Y!W?%%<Kx08P0ssJh`x8R|

literal 0
HcmV?d00001