From 333946b00e849ff6722781bc5e46bd9fcc83311a Mon Sep 17 00:00:00 2001
From: Garret Rieger <grieger@google.com>
Date: Thu, 28 Sep 2023 19:02:37 +0000
Subject: [PATCH] [subset] Fix fuzzer timeout.

Fixes https://oss-fuzz.com/testcase-detail/5458896606855168. Limit iteration over coverage in MarkLigPosFormat1 subsetting to the number of glyphs in the liga array.
---
 src/OT/Layout/GPOS/MarkLigPosFormat1.hh          |   5 +++--
 ...e-minimized-hb-subset-fuzzer-5458896606855168 | Bin 0 -> 2410 bytes
 2 files changed, 3 insertions(+), 2 deletions(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5458896606855168

diff --git a/src/OT/Layout/GPOS/MarkLigPosFormat1.hh b/src/OT/Layout/GPOS/MarkLigPosFormat1.hh
index af8b4723a..d6bee277c 100644
--- a/src/OT/Layout/GPOS/MarkLigPosFormat1.hh
+++ b/src/OT/Layout/GPOS/MarkLigPosFormat1.hh
@@ -169,7 +169,7 @@ struct MarkLigPosFormat1_2
   {
     TRACE_SUBSET (this);
     const hb_set_t &glyphset = *c->plan->glyphset_gsub ();
-    const hb_map_t &glyph_map = *c->plan->glyph_map;
+    const hb_map_t &glyph_map = c->plan->glyph_map_gsub;
 
     auto *out = c->serializer->start_embed (*this);
     if (unlikely (!c->serializer->extend_min (out))) return_trace (false);
@@ -202,8 +202,9 @@ struct MarkLigPosFormat1_2
 
     auto new_ligature_coverage =
     + hb_iter (this + ligatureCoverage)
-    | hb_filter (glyphset)
+    | hb_take ((this + ligatureArray).len)
     | hb_map_retains_sorting (glyph_map)
+    | hb_filter ([] (hb_codepoint_t glyph) { return glyph != HB_MAP_VALUE_INVALID; })
     ;
 
     if (!out->ligatureCoverage.serialize_serialize (c->serializer, new_ligature_coverage))
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5458896606855168 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5458896606855168
new file mode 100644
index 0000000000000000000000000000000000000000..213b60fc228eb786fe19a35c25bc4b01f191307c
GIT binary patch
literal 2410
zcmeHJU1(fI6#i!J-M{Q+)5c9Gx^|ZsD;3vtHRfRxC6(G(h_nz}jXzDUF=-^5blr`m
zkzltX`rwly1gi8&#6&?+(TXUQDyR=C6eLtABG{_b2cbzYrWwC;XE$w3#lHCFxqEl!
z%+LA#=FEixkVTpQLZKI?6&&TBgNY})cJ1t${h;Z6K%oxU+tsuC&ZY*`2roN!o^09D
zn>mmH63`d^+;fjX!2=xrzNM`2zWl^c<B4~EBtN?uOD$7Jj=mfkx$QKkraAxR)YK6#
zdP?0#egbft2fe}J<@=$5h|Bpm^ZN(9KYk8}*caL`>K!bsi>n3dUs8Db)tOFxvzv^D
z=jVU_Wx*f<Cmq37grSz-;`%gx<$sK?G2*3=ivTdU=m=jUZuoBv*WLl;6}?BeTXb`a
z*uhzi(!dkN_^4ML!3K^vP!SnbdOiCtrA!_MCfN_8U34RkCTwBb#~3O08LN8Hbf^~M
z3d2Kg{u}ePIq_XLbSS0YgXU0r%o`o-Q5~N*I+$QkHghp!jSGCWeRLzx5vXth%8Ang
z&F~wOAlFFYTtOdoEgPRAm6j5;%D6?OfgtS+(mg6I|4SN`r7Rn>LfjW$VQj~_$V=RI
zU9}FKY=7$K-=$<OWo$nT{I+(~ju0zrNrFKWeDVWh**MCsgZ>w{-L)NcO1}i0<0^~d
zwzE6L-FC;K7!?$!o#Qc6qn~@tN3qIN<erB{y#lV;+Q;>u@$KK|l?qH8Q>U9b9}~^_
zp@}H@EW1|^4|<R4q3nDax*JcS4IGFaTSO1^Gn~&1-!OhK^mgtm%&FJOhx5Y&9%`Af
z2B?Qo9~4v<2j*rthhsYBqd=dDGV^+tLmh?vrE&AT`v8%X_!vk-#l(B!xcNA+evvlL
z$N;gj5jR2Qz45UMiXSJ6Wk!t*7G>;Smkc)fxo_inNs)^Z7gV+CA;$S|21(*8iO2Zr
z?_ZJQBMTkDuun-Y6CqVd%Ek~^DQrvnK(C@Ala}IvYiSTeh8$Oj!PgPws^S|5tZz$|
z$&E;Nh&QWkvz)cCcE!RVEkrm;kx8C-;$b00{V5ujYN16b-`ObJm~U^KDttlZzYDj5
z>o_kCBq<=t{YfS)$$;1vNCk`uz(j3URxGz!A&cH>RsyTCl3PA+uqG=HwjSnkhK*rO
z9G%)bPuqh18Yah_$?48ATHU3l8!gW3nZb7IP~+Sr56~(sA1OaPGPnAyIb`czb@E9m
zYNQ}#QUTwJi(yHjO>H$C|Ht<q;>)`U=S`G&P*|2|lKh})b@!=4Yc3rfDBWV7#hL$(
z<W3Muv&>em6Zdxb1$rzzd3}lX)F*qX5+3ICZrVt?c&)DBI<gAae$8%3AlB&+AQh6s
zo}$Bo5{H5uwW&`kPKbRuCL{|R0gWqVLsn{nk=5mgE3HX6$`COEXCdiZCN66GyS9Jy
z;TQ68!m>^v8~@|v-Lu_Q5*wwWRrxD!{fmL0H<v4f{zuOnpENb3sZlOtT36<cc_7o<
Waxz=}@R=U{)SeexF)#ZS<l-+dBDY%r

literal 0
HcmV?d00001