From 34c6c0193c57110219eecd58cc67daffcd84d071 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Mon, 27 Jun 2022 20:26:19 -0600
Subject: [PATCH] [glyf] Fix byterange check again

---
 src/OT/glyf/SimpleGlyph.hh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/OT/glyf/SimpleGlyph.hh b/src/OT/glyf/SimpleGlyph.hh
index 7e20e0e53..6df978cf1 100644
--- a/src/OT/glyf/SimpleGlyph.hh
+++ b/src/OT/glyf/SimpleGlyph.hh
@@ -180,7 +180,8 @@ struct SimpleGlyph
     const HBUINT16 *endPtsOfContours = &StructAfter<HBUINT16> (header);
     int num_contours = header.numberOfContours;
     assert (num_contours);
-    if (unlikely (!bytes.check_range (&endPtsOfContours[num_contours - 1]))) return false;
+    /* One extra item at the end, for the instruction-count below. */
+    if (unlikely (!bytes.check_range (&endPtsOfContours[num_contours]))) return false;
     unsigned int num_points = endPtsOfContours[num_contours - 1] + 1;
 
     points_.alloc (num_points + 4); // Allocate for phantom points, to avoid a possible copy