From 85630996b8afa699f7b5d19346cdf5c72fcd6e2d Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod
Date: Sat, 25 Feb 2017 13:30:38 -0800
Subject: [PATCH] Fix buffer-overrun with Bengali reph positioning code

This has no security implications whatsoever since we always keep and extra element at the end of buffer, just in case.

Discovered by oss-fuzz
CC https://github.com/behdad/harfbuzz/issues/139
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=660
---
 src/hb-ot-shape-complex-indic.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/hb-ot-shape-complex-indic.cc b/src/hb-ot-shape-complex-indic.cc
index b48fb561..ec12ce69 100644
--- a/src/hb-ot-shape-complex-indic.cc
+++ b/src/hb-ot-shape-complex-indic.cc
@@ -1497,7 +1497,7 @@ final_reordering_syllable (const hb_ot_shape_plan_t *plan,
       if (reph_pos == REPH_POS_AFTER_SUB)
       {
         new_reph_pos = base;
-        while (new_reph_pos < end &&
+        while (new_reph_pos + 1 < end &&
                !( FLAG_SAFE (info[new_reph_pos + 1].indic_position()) & (FLAG (POS_POST_C) | FLAG (POS_AFTER_POST) | FLAG (POS_SMVD))))
           new_reph_pos++;
         if (new_reph_pos < end)
-- 
GitLab
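Review bot: The new `new_reph_pos + 1 < end` bound keeps the look-ahead read `info[new_reph_pos + 1]` inside the syllable, but it also changes the loop's exit state: when no glyph with POS_POST_C / POS_AFTER_POST / POS_SMVD is found the loop now stops at `end - 1` rather than `end`, so the `if (new_reph_pos < end)` on the last context line is always true whenever `base < end`, and whatever that branch does (it lies outside the hunk) now runs in the "nothing matched" case where it previously was skipped. If that fall-through is intended, say so next to the loop, e.g. `/* The loop peeks one glyph ahead, so it stops at end - 1; if nothing matches, the reph ends up after the syllable's last glyph. */`; if the old behaviour is wanted, the branch needs its own "matched" condition rather than the position test. The enclosing final_reordering_syllable begins and ends outside the hunk, so the effect on the code after the `if` cannot be confirmed from here.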