From db700b5670d9475cc8ed4880cc9447b232c5e432 Mon Sep 17 00:00:00 2001
From: Garret Rieger <grieger@google.com>
Date: Mon, 12 Jun 2023 23:38:26 +0000
Subject: [PATCH] [subset] fix fuzzer timeout.

Fixes: https://oss-fuzz.com/testcase-detail/6681253479579648. Limits iteration of coverage table during MATH subset to valid glyphs.
---
 src/hb-iter.hh                                   |   2 +-
 src/hb-ot-math-table.hh                          |   9 +++++----
 ...e-minimized-hb-subset-fuzzer-6681253479579648 | Bin 0 -> 3472 bytes
 3 files changed, 6 insertions(+), 5 deletions(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-6681253479579648

diff --git a/src/hb-iter.hh b/src/hb-iter.hh
index 5269cc188..61e05180b 100644
--- a/src/hb-iter.hh
+++ b/src/hb-iter.hh
@@ -842,7 +842,7 @@ struct
   template <typename Iterable,
 	    hb_requires (hb_is_iterable (Iterable))>
   auto operator () (Iterable&& it, unsigned count) const HB_AUTO_RETURN
-  ( hb_zip (hb_range (count), it) | hb_map (hb_second) )
+  ( hb_zip (hb_range (count), it) | hb_map_retains_sorting (hb_second) )
 
   /* Specialization arrays. */
 
diff --git a/src/hb-ot-math-table.hh b/src/hb-ot-math-table.hh
index 62ed13b26..b11da464b 100644
--- a/src/hb-ot-math-table.hh
+++ b/src/hb-ot-math-table.hh
@@ -570,6 +570,7 @@ struct MathGlyphInfo
 
     auto it =
     + hb_iter (this+extendedShapeCoverage)
+    | hb_take (c->plan->source->get_num_glyphs ())
     | hb_filter (glyphset)
     | hb_map_retains_sorting (glyph_map)
     ;
@@ -941,13 +942,13 @@ struct MathVariants
     if (unlikely (!c->serializer->extend_min (out))) return_trace (false);
     if (!c->serializer->check_assign (out->minConnectorOverlap, minConnectorOverlap, HB_SERIALIZE_ERROR_INT_OVERFLOW))
       return_trace (false);
-    
+
     hb_sorted_vector_t<hb_codepoint_t> new_vert_coverage;
     hb_sorted_vector_t<hb_codepoint_t> new_hori_coverage;
     hb_set_t indices;
     collect_coverage_and_indices (new_vert_coverage, vertGlyphCoverage, 0, vertGlyphCount, indices, glyphset, glyph_map);
     collect_coverage_and_indices (new_hori_coverage, horizGlyphCoverage, vertGlyphCount, vertGlyphCount + horizGlyphCount, indices, glyphset, glyph_map);
-    
+
     if (!c->serializer->check_assign (out->vertGlyphCount, new_vert_coverage.length, HB_SERIALIZE_ERROR_INT_OVERFLOW))
       return_trace (false);
     if (!c->serializer->check_assign (out->horizGlyphCount, new_hori_coverage.length, HB_SERIALIZE_ERROR_INT_OVERFLOW))
@@ -959,10 +960,10 @@ struct MathVariants
       if (!o) return_trace (false);
       o->serialize_subset (c, glyphConstruction[i], this);
     }
-    
+
     if (new_vert_coverage)
       out->vertGlyphCoverage.serialize_serialize (c->serializer, new_vert_coverage.iter ());
-    
+
     if (new_hori_coverage)
     out->horizGlyphCoverage.serialize_serialize (c->serializer, new_hori_coverage.iter ());
     return_trace (true);
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-6681253479579648 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-6681253479579648
new file mode 100644
index 0000000000000000000000000000000000000000..b6239d6f725ce0a8ef3d3ec40e1c3d05c864959b
GIT binary patch
literal 3472
zcmd6pe@vZM8OOipJ(tVnLMiQ7Lso2QH#bb$4t0N2oeMBJx`~29>Dt(}cQA_zEoH2B
zI@3EWtUnmAn$2ZaAd#4@&SZZ~?XvlMn*LGS#>|8`(vZ4DYWv4bYRkrt<LA7WA1#z@
zYGOR+e&2iE=RCj8bDsA+M@CY%k`Zfml$X8!nj10avvamx8guUA=Sylf4zB;({gP2q
z=Ar7!s`Ax0E3SOwY*PBknzN_3{Aur6>2{Q;t~pWLl#r5}|M;!5yvGuakAG#^Pn-Vy
ztn5dnNJ4E_>(lFt&Ut1Py{LwUN37P4dJi^L#@^k#b6xAcRmWW*Wkjs>)^~f3^}aU}
zD~&#tahKj!UQ=RUv$9RT_eVNjoZS`-MDjCByt?NQk_9D-G5rb#dqcLYoD@4eX@Mfp
z(v;?`qLRCUgwbVpRl~YRcPJxiwbW}!;_i=w9~G)F-7EJkUC$XWjoh`(7<~aMKJ0Ay
zZSm>)TNBz7&J(a;Uxzc3qsA2lE#(P4paJ)T_i;V9R=X;nJ^D{|Y);~3r;dL5`HMf)
zH_@}ZG0_m<RV36wBtAr20}qi-L)>>Sv>dFEaTuG-3~7w60)3o$0;mf8j6lg8WgNDk
zdC?9ym+4a~)dp?V!>VJ~yLCcCI`3IbhKZX@lNDcNVrH?)F-y?3MC<7WnbNP`xLvq0
z8S2-jW{B;E_csvPt@Nn2(<7nzsOssKi0)C4R5Xbf-Sj9<o!~h{kK){Uo+I=qj`+o`
z<lm>H#X-Mk5ly%W_g6PLwo*ae?k2MI_J#Iw@_(_9>u_#<TX-XHv<+s#Z6FS@FtmS|
z6Z#8t-sit6J?FZu*v^MAXDjCWEext5rR+wtv$Q!u_Y<j1pJiEKWMuabfD_;p7zUSR
zlQEDFlHd*5CtE=$fVYjgw!6VA;7#zB>~}VTFN0&?WpGLMKoLOh!1Lf$a1y*D+fD+t
z=YwK^OglE(k!$}o7?SN^zJvLW^`HVkdunMxY5{jMM)yJV9?AlRpbYE)Pk>Hv47>sG
z>k#%1jmsX+1Nd{e3N(O&pdVoK@E{nKJ(2^^cLcjfpm*K|>cL4cB>Ob<r%!;hU_`b{
zAP*qZwGlLcg8;o<@O8o0H6q&$UpKnDivWDxJ3tcPXE$-_9t5MZJ@E7t0(g2F0Bh+P
z0Ia3w6kshqtmT<pKu-ThM^13vkwdO$%^o=gA9Uo*$?FADYKlCQlmGUS{9zBw>%G_O
zubq5}bfylt?5c8Is;nOTd8)`tiytbl-c-8!=HJITZ^ijLU4OQ~u3%!Uw#lhE!A|iD
zi|kHcWPjH}xa{D^R*m2Jy%&1FpI-mTb270PS>c-$*+k}F%x3EG;}J#PMyoql%fU#I
z<+Ojfad%z97g_9`nJ%(7oi^W)ZXGvj8#rDZtfR<|>dHSZTy@h$c28Jj(O;my^UOl2
z(=K_n{*z9Vt{59-6!*&r5r_94nM6zCVJc7f*(2ixe9d~a?y;8arbNrvl}D|mEN6t3
zELfs(c)$IQQQVMINPY%*ovF5+7{Pf>i(WIH8K$ocUR8kD@H4$fUkDh@Oid3;rU%}o
zfO-G$Y^nblg3JVqop3?GF$<@=7|i$+GKabmig@7~FFvc!T*K=%hFa&FxQ^mAm<PSB
zSv_9$T)(_JPfPv0Pcf?DxXWjl<Rb7JQ+8iP4beRSpVgE8X>+A*3@Dcrb#^P@0+i<?
z3RnOqyT4atDEhgQs(bm5(b<K<QWcH`&aqhqTFdq4UfrkrxmA3zz!a2M4{s8s+>}-P
zvSzW@KAd_D&BxJl2acL878krFt~+%Jxcu!U7TUxs-`vD6UfNJ$(iBO{^>y4N{e4Zi
zxk77X8WXL%5b(^ulA8>tOkG`5GsG2K%vNJ3Zh~B8FJr06TRa15xFfVWzAw0LQ9nFT
zWR5HH02FV9e2(iAQDtSi4A^{|<oe{2x%<{O^zUiqJ!|U}XRh35y+6?+bdT-#-+^<J
z+umDV7RpIWueklAs@&O<*!#$%?8BE-Tjh<fnwWI<&XLZ}qR05gZ~BN-oTb}3nJJ!<
z^nRJ?7r$&wa+ysT_Hpt@LfEF_1W)zGvdzW^i7{&Z|LoTiCdU6w#(hx2%_iIYT=Th~
zipW&P|5vNZmz`M78D>wd0Tt>UlI?w0wl4xGoPCh{ia`ya;PpKLdH_YQj{@39(d!#7
twtbgn`}sWjQP@ur?Jollf<|zLYIx=@pX*#tqaX(2Ak$|I|I#8>^)FD4PqP33

literal 0
HcmV?d00001