From 00ae4be6bf8b1d0800043167c5cf95187ac12515 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Fri, 26 Oct 2018 21:59:20 -0700
Subject: [PATCH] [morx] Fix bailing out ligation at end-of-text

Check was after a move_to, which wouldn't work.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11147
---
 src/hb-aat-layout-morx-table.hh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/hb-aat-layout-morx-table.hh b/src/hb-aat-layout-morx-table.hh
index 22a994431..5b21358ec 100644
--- a/src/hb-aat-layout-morx-table.hh
+++ b/src/hb-aat-layout-morx-table.hh
@@ -399,6 +399,9 @@ struct LigatureSubtable
 	if (unlikely (!match_length))
 	  return true;
 
+	if (buffer->idx >= buffer->len)
+	  return false; // TODO Work on previous instead?
+
 	unsigned int cursor = match_length;
         do
 	{
@@ -421,8 +424,6 @@ struct LigatureSubtable
 	  if (uoffset & 0x20000000)
 	    uoffset |= 0xC0000000; /* Sign-extend. */
 	  int32_t offset = (int32_t) uoffset;
-	  if (buffer->idx >= buffer->len)
-	    return false; // TODO Work on previous instead?
 	  unsigned int component_idx = buffer->cur().codepoint + offset;
 
 	  const HBUINT16 &componentData = component[component_idx];