[kerx] Fix sanitize of KerxSubtableFormat2::array read Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11033

commit: 68b705076808d4b0a4ac3bfa945b8f9ae23db1df [log] [tgz]
author: Behdad Esfahbod <behdad@behdad.org> Sat Oct 20 12:09:41 2018 -0700
committer: Behdad Esfahbod <behdad@behdad.org> Sat Oct 20 12:20:57 2018 -0700
tree: 29e5733875788b706594d5777e1e51a10448a835
parent: 00fdbca4f6a5c4623b9c4838da502cccce8aaa74 [diff]
diff --git a/src/hb-aat-layout-kerx-table.hh b/src/hb-aat-layout-kerx-table.hh
index 6425780..e8eb43b 100644
--- a/src/hb-aat-layout-kerx-table.hh
+++ b/src/hb-aat-layout-kerx-table.hh

@@ -103,7 +103,8 @@
   inline bool sanitize (hb_sanitize_context_t *c) const
   {
     TRACE_SANITIZE (this);
-    return_trace (likely (pairs.sanitize (c)));
+    return_trace (likely (c->check_struct (this) &&
+			  pairs.sanitize (c)));
   }
 
   protected:
@@ -275,7 +276,7 @@
   inline bool sanitize (hb_sanitize_context_t *c) const
   {
     TRACE_SANITIZE (this);
-    return_trace (likely (rowWidth.sanitize (c) &&
+    return_trace (likely (c->check_struct (this) &&
 			  leftClassTable.sanitize (c, this) &&
 			  rightClassTable.sanitize (c, this) &&
 			  c->check_range (this, array)));
commit	68b705076808d4b0a4ac3bfa945b8f9ae23db1df	[log] [tgz]
author	Behdad Esfahbod <behdad@behdad.org>	Sat Oct 20 12:09:41 2018 -0700
committer	Behdad Esfahbod <behdad@behdad.org>	Sat Oct 20 12:20:57 2018 -0700
tree	29e5733875788b706594d5777e1e51a10448a835
parent	00fdbca4f6a5c4623b9c4838da502cccce8aaa74 [diff]