hb-buffer.cc:411: bool hb_buffer_t::move_to(unsigned int): Assertion `i <= out_len + (len - idx)' failed.

[kcc]

libFuzzer bot (see #139) found this:

harfbuzz_san_cov_fuzzer: hb-buffer.cc:411: bool hb_buffer_t::move_to(unsigned int): Assertion `i <= out_len + (len - idx)' failed.
...
    #3 0x7f2bb0cb4c31 in __assert_fail (/lib/x86_64-linux-gnu/libc.so.6+0x2fc31)
    #4 0x4ffcf1 in hb_buffer_t::move_to(unsigned int) san_cov/src/hb-buffer.cc:411:3
    #5 0x60e4f4 in OT::apply_lookup(OT::hb_apply_context_t*, unsigned int, unsigned int*, unsigned int, OT::LookupRecord const*, unsigned int) san_cov/src/./hb-ot-layout-gsubgpos-private.hh:985:5
    #6 0x68084e in OT::chain_context_apply_lookup(OT::hb_apply_context_t*, unsigned int, OT::IntType<unsigned short, 2u> const*, unsigned int, OT::IntType<unsigned short, 2u> const*, unsigned int, OT::IntType<unsigned short, 2u> const*, unsigned int, OT::LookupRecord const*, OT::ChainContextApplyLookupContext&) san_cov/src/./hb-ot-layout-gsubgpos-private.hh:1646:10
    #7 0x68084e in OT::ChainContextFormat3::apply(OT::hb_apply_context_t*) const san_cov/src/./hb-ot-layout-gsubgpos-private.hh:2086
    #8 0x675351 in bool OT::hb_apply_context_t::dispatch<OT::ChainContextFormat3>(OT::ChainContextFormat3 const&) san_cov/src/./hb-ot-layout-gsubgpos-private.hh:446:52
    #9 0x675351 in OT::hb_apply_context_t::return_t OT::ChainContext::dispatch<OT::hb_apply_context_t>(OT::hb_apply_context_t*) const san_cov/src/./hb-ot-layout-gsubgpos-private.hh:2137
    #10 0x675351 in OT::hb_apply_context_t::return_t OT::SubstLookupSubTable::dispatch<OT::hb_apply_context_t>(OT::hb_apply_context_t*, unsigned int) const san_cov/src/./hb-ot-layout-gsub-table.hh:1084

Repro attached.
CORPORA-ARTIFACTS-crash-205edd09bd3d141cc9580f650109556cc28b22cb.pdf