From 425ba1f4ab4fd1ee0245bc822336d26bd1755c52 Mon Sep 17 00:00:00 2001
From: Garret Rieger <grieger@google.com>
Date: Mon, 19 Apr 2021 18:01:24 -0700
Subject: [PATCH] [subset] fixes infinite loop in hb_set_get_max().

Fixes https://oss-fuzz.com/testcase-detail/5363902507515904
---
 src/hb-set.hh                                    |   2 +-
 test/api/test-set.c                              |   7 ++++++-
 ...e-minimized-hb-subset-fuzzer-5363902507515904 | Bin 0 -> 1683 bytes
 3 files changed, 7 insertions(+), 2 deletions(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5363902507515904

diff --git a/src/hb-set.hh b/src/hb-set.hh
index 6840dde58..9404ba261 100644
--- a/src/hb-set.hh
+++ b/src/hb-set.hh
@@ -832,7 +832,7 @@ struct hb_set_t
   hb_codepoint_t get_max () const
   {
     unsigned int count = pages.length;
-    for (int i = count - 1; i >= 0; i++)
+    for (int i = count - 1; i >= 0; i--)
       if (!page_at (i).is_empty ())
 	return page_map[(unsigned) i].major * page_t::PAGE_BITS + page_at (i).get_max ();
     return INVALID;
diff --git a/test/api/test-set.c b/test/api/test-set.c
index eb690b895..30a47674f 100644
--- a/test/api/test-set.c
+++ b/test/api/test-set.c
@@ -121,6 +121,11 @@ test_set_basic (void)
   hb_set_del (s, 800);
   g_assert (!hb_set_has (s, 800));
 
+  g_assert_cmpint (hb_set_get_max (s), ==, 799);
+
+  hb_set_del_range (s, 0, 799);
+  g_assert_cmpint (hb_set_get_max (s), ==, HB_SET_VALUE_INVALID);
+
   hb_set_destroy (s);
 }
 
@@ -501,7 +506,7 @@ test_set_delrange (void)
 
   for (unsigned i = 0; i < n; i++)
     hb_set_del_range (s, ranges[i].b, ranges[i].e);
-    
+
   hb_set_del_range (s, P*13+5, P*15-10);	/* Deletion from deleted pages. */
 
   for (unsigned i = 0; i < n; i++)
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5363902507515904 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5363902507515904
new file mode 100644
index 0000000000000000000000000000000000000000..1ad79713759deca28c7f2bd7dcd68d1cbe4d5305
GIT binary patch
literal 1683
zcmdT^O=uHA6#izjP17|>Dyf2sY(SH?G*x;DsKr=QS0Odx;=%UflB6khlMQJo!ONzI
zR}WRhgP!K%K}zo)#H$xC9t5FyDR}A0VEjoL-z1Ty&?-`cILqwry!Xw_d*AnFzyKUZ
zKfS|7V)Bv(ah(2vbp(xTDf3ILegz=Vz50}4-k89e_$<dN;0p7@+41ONG@e|HHsH0>
zdH$Gl{+_Sg;S$05LJ_?<2`DFMjz70l6)xQI#AH<Nz~-`6Mq#m${vKLz^ucLd2w~8J
zZy13PfI3$zS9&)GUb_M}3GcI=w1xd(0j}H~P~pv6mEz2VIxQFLLjkpLJ_%R}9GZGZ
zrgKH7Vu~e9>tH?Ng`gyKR3WnnZptihWH3TI0~&(#Fx!A1J{ozTkTpPGii_BxSg8A`
zSIK*ntSU0hhx2$vHV>BDvm{!9_(aAy0usg6F1Juus}iMwdB`c<@nZxHv8Q{Y<r%FJ
zx!=kmL^-6bl2f>4>E)7@$>y!nZQYsG4aW)FS$n}=k?Qa*ZAciBr>V_Mhc*{e$?G!4
zwm!SlF<NlSne6P}WTk7QG^Bzt)}%^_ZwS{vEWRs<;vn7_tE<mn$~pkVfxdOX>)UvO
z`mzvWIAxw1`-qr4AM%%+)W{E{^Hwo3A1KjSqwc}ie^SYv8MPveZ3{6puRSEg(7tAj
z{${)qu!q)4mk!0-p<mKU*T<P1XzgZ6{{OYuCQV*C-LJ(zt#Fe3(O5&JX`PJ<Zfgkf
S`zz_^fsqxoZMj@62lfL;e}%08

literal 0
HcmV?d00001