From 70b3fbed2850f310658b65a68a058232b78ebeee Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod
Date: Tue, 1 Aug 2023 15:16:16 -0600
Subject: [PATCH] [graph] Fix invalid read when map gets resized

I don't fully understand how the old code was wrong, since *v should be evaluated before the set() method call. Yet this seems to fix a bug that could be reproduced with HB_DEBUG_SUBSET_REPACK enabled and the following:

$ hb-repacker-fuzzer test/fuzzing/graphs/clusterfuzz-testcase-minimized-hb-repacker-fuzzer-6419865171525632
---
 src/graph/graph.hh | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/graph/graph.hh b/src/graph/graph.hh
index d43d4a07f..5062a024b 100644
--- a/src/graph/graph.hh
+++ b/src/graph/graph.hh
@@ -188,8 +188,10 @@ struct graph_t
   unsigned incoming_edges () const
   {
     if (HB_DEBUG_SUBSET_REPACK)
+    {
       assert (incoming_edges_ == (single_parent != (unsigned) -1) +
               (parents.values_ref () | hb_reduce (hb_add, 0)));
+    }
     return incoming_edges_;
   }
 
@@ -304,10 +306,13 @@ struct graph_t
       return;
     }
 
-    const unsigned *v;
-    if (parents.has (old_index, &v) &&
-        parents.set (new_index, *v))
+    const unsigned *pv;
+    if (parents.has (old_index, &pv))
+    {
+      unsigned v = *pv;
+      parents.set (new_index, v);
       parents.del (old_index);
+    }
   }
 
   bool is_leaf () const
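Review bot: The invariant asserted inside `incoming_edges ()` — that `incoming_edges_` equals the single-parent flag plus the sum of the values stored in `parents` — is not documented, while the braces this hunk adds around the lone `assert` carry no meaning, since `assert` expands to a single statement whether or not `NDEBUG` is set. A comment above the `if` would express the intent better than the braces, e.g. `// Debug-only consistency check: incoming_edges_ caches (single_parent set ? 1 : 0) + sum of parents' values.` The C-style `(unsigned) -1` used as the "no single parent" sentinel would also read more clearly as a named constant, if the project has one.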
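Review bot: The result of `parents.set (new_index, v)` is no longer checked, so when `set` fails — the removed condition `&& parents.set (...)` shows it reports success as a bool — the new code still runs `parents.del (old_index)` and the parent count for that edge is silently dropped rather than left under the old key; keeping the guard is a one-line change, `if (parents.set (new_index, v)) parents.del (old_index);`. The copy into the local `unsigned v` is what actually fixes the invalid read, most likely because `set` takes its value argument by reference and `pv` points into the map's own storage, which `set` may reallocate before reading through it; that deserves a comment so the local is not "simplified" away later, e.g. `// Copy the value out first: set() may grow the table and invalidate pv.` The enclosing function starts before this hunk.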