[subset] don't use pointers returned from push after array has resized in hb-subset-glyf.cc

commit: 139661404006b8be039436a81cb6b1a73ec44042 [log] [tgz]
author: Garret Rieger <grieger@google.com> Tue Mar 20 16:55:42 2018 -0700
committer: Garret Rieger <grieger@google.com> Tue Mar 20 19:47:36 2018 -0600
tree: 8fc690a1e4b1e3e012d5f959e39750ff0a2a8f68
parent: 3531efdb4c641ef543ea0686fef9289307d52096 [diff]
diff --git a/src/hb-subset-glyf.cc b/src/hb-subset-glyf.cc
index 0b84c85..4d11100 100644
--- a/src/hb-subset-glyf.cc
+++ b/src/hb-subset-glyf.cc

@@ -43,9 +43,14 @@
   for (unsigned int i = 0; i < glyph_ids.len; i++)
   {
     hb_codepoint_t next_glyph = glyph_ids[i];
-    unsigned int *instruction_start = instruction_ranges->push();
-    unsigned int *instruction_end = instruction_ranges->push();
+    if (!instruction_ranges->resize (instruction_ranges->len + 2))
+    {
+      DEBUG_MSG(SUBSET, nullptr, "Failed to resize instruction_ranges.", next_glyph);
+      return false;
+    }
+    unsigned int *instruction_start = &(*instruction_ranges)[instruction_ranges->len - 2];
     *instruction_start = 0;
+    unsigned int *instruction_end = &(*instruction_ranges)[instruction_ranges->len - 1];
     *instruction_end = 0;
 
     unsigned int start_offset, end_offset;

diff --git a/test/api/fonts/crash-b577db318b30f2851828a4c9ef97cb30678b1b54 b/test/api/fonts/crash-b577db318b30f2851828a4c9ef97cb30678b1b54
new file mode 100644
index 0000000..00be056
--- /dev/null
+++ b/test/api/fonts/crash-b577db318b30f2851828a4c9ef97cb30678b1b54
Binary files differ
commit	139661404006b8be039436a81cb6b1a73ec44042	[log] [tgz]
author	Garret Rieger <grieger@google.com>	Tue Mar 20 16:55:42 2018 -0700
committer	Garret Rieger <grieger@google.com>	Tue Mar 20 19:47:36 2018 -0600
tree	8fc690a1e4b1e3e012d5f959e39750ff0a2a8f68
parent	3531efdb4c641ef543ea0686fef9289307d52096 [diff]