Apply a 2-line patch to harfbuzz from the upstream.

This CL is to expedite merging to Chrome's branch(es) if necessary.
After this, I'll update harfbuzz to 0.9.37 (that includes this fix) in
the trunk.

BUG=443274
TEST=See the bug
TBR=behdad

Review URL: https://codereview.chromium.org/795393003

Cr-Commit-Position: refs/heads/master@{#308894}

3 files changed, 24 insertions, 0 deletions

diff --git a/third_party/harfbuzz-ng/README.chromium b/third_party/harfbuzz-ng/README.chromium
index 62cbd7a..e2d0b24 100644
--- a/third_party/harfbuzz-ng/README.chromium
+++ b/third_party/harfbuzz-ng/README.chromium
@@ -19,3 +19,5 @@ BUILD.gn and harfbuzz.gyp accordingly.
 
 Right now, it uses revision d457e3f0ff9b27616a34e4cc110d3edbf8796841 from
 https://github.com/behdad/harfbuzz
+
+On top of that, gsubgpos.patch (2-liner) was applied.
diff --git a/third_party/harfbuzz-ng/gsubgpos.patch b/third_party/harfbuzz-ng/gsubgpos.patch
new file mode 100644
index 0000000..47709f1
--- /dev/null
+++ b/third_party/harfbuzz-ng/gsubgpos.patch
@@ -0,0 +1,20 @@
+diff --git a/src/hb-ot-layout-gsubgpos-private.hh b/src/hb-ot-layout-gsubgpos-private.hh

+index 6ff15d2..dafca7f 100644

+--- a/src/hb-ot-layout-gsubgpos-private.hh

++++ b/src/hb-ot-layout-gsubgpos-private.hh

+@@ -1498,6 +1498,7 @@ struct ContextFormat3

+     TRACE_SANITIZE (this);

+     if (!c->check_struct (this)) return TRACE_RETURN (false);

+     unsigned int count = glyphCount;

++    if (!count) return TRACE_RETURN (false); /* We want to access coverage[0] freely. */

+     if (!c->check_array (coverage, coverage[0].static_size, count)) return TRACE_RETURN (false);

+     for (unsigned int i = 0; i < count; i++)

+       if (!coverage[i].sanitize (c, this)) return TRACE_RETURN (false);

+@@ -2109,6 +2110,7 @@ struct ChainContextFormat3

+     if (!backtrack.sanitize (c, this)) return TRACE_RETURN (false);

+     OffsetArrayOf<Coverage> &input = StructAfter<OffsetArrayOf<Coverage> > (backtrack);

+     if (!input.sanitize (c, this)) return TRACE_RETURN (false);

++    if (!input.len) return TRACE_RETURN (false); /* To be consistent with Context. */

+     OffsetArrayOf<Coverage> &lookahead = StructAfter<OffsetArrayOf<Coverage> > (input);

+     if (!lookahead.sanitize (c, this)) return TRACE_RETURN (false);

+     ArrayOf<LookupRecord> &lookup = StructAfter<ArrayOf<LookupRecord> > (lookahead);

diff --git a/third_party/harfbuzz-ng/src/hb-ot-layout-gsubgpos-private.hh b/third_party/harfbuzz-ng/src/hb-ot-layout-gsubgpos-private.hh
index 546ff4b..fc9eed0 100644
--- a/third_party/harfbuzz-ng/src/hb-ot-layout-gsubgpos-private.hh
+++ b/third_party/harfbuzz-ng/src/hb-ot-layout-gsubgpos-private.hh
@@ -1479,6 +1479,7 @@ struct ContextFormat3
     TRACE_SANITIZE (this);
     if (!c->check_struct (this)) return TRACE_RETURN (false);
     unsigned int count = glyphCount;
+    if (!count) return TRACE_RETURN (false); /* We want to access coverage[0] freely. */
     if (!c->check_array (coverage, coverage[0].static_size, count)) return TRACE_RETURN (false);
     for (unsigned int i = 0; i < count; i++)
       if (!coverage[i].sanitize (c, this)) return TRACE_RETURN (false);
@@ -2090,6 +2091,7 @@ struct ChainContextFormat3
     if (!backtrack.sanitize (c, this)) return TRACE_RETURN (false);
     OffsetArrayOf<Coverage> &input = StructAfter<OffsetArrayOf<Coverage> > (backtrack);
     if (!input.sanitize (c, this)) return TRACE_RETURN (false);
+    if (!input.len) return TRACE_RETURN (false); /* To be consistent with Context. */
     OffsetArrayOf<Coverage> &lookahead = StructAfter<OffsetArrayOf<Coverage> > (input);
     if (!lookahead.sanitize (c, this)) return TRACE_RETURN (false);
     ArrayOf<LookupRecord> &lookup = StructAfter<ArrayOf<LookupRecord> > (lookahead);