[kerx] Fix sanitize of KerxSubtableFormat2::array read
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11033
diff --git a/src/hb-aat-layout-kerx-table.hh b/src/hb-aat-layout-kerx-table.hh
index 6425780..e8eb43b 100644
--- a/src/hb-aat-layout-kerx-table.hh
+++ b/src/hb-aat-layout-kerx-table.hh
@@ -103,7 +103,8 @@
inline bool sanitize (hb_sanitize_context_t *c) const
{
TRACE_SANITIZE (this);
- return_trace (likely (pairs.sanitize (c)));
+ return_trace (likely (c->check_struct (this) &&
+ pairs.sanitize (c)));
}
protected:
@@ -275,7 +276,7 @@
inline bool sanitize (hb_sanitize_context_t *c) const
{
TRACE_SANITIZE (this);
- return_trace (likely (rowWidth.sanitize (c) &&
+ return_trace (likely (c->check_struct (this) &&
leftClassTable.sanitize (c, this) &&
rightClassTable.sanitize (c, this) &&
c->check_range (this, array)));