Description
Found with commit 8cb8bfd using hb-fuzzer + UBSan
hb-ot-layout-gsubgpos-private.hh:1546:12: runtime error: index 2 out of bounds for type 'OffsetTo<OT::Coverage> const[1]'
#0 0x5f4cd2 in OT::ContextFormat3::sanitize(OT::hb_sanitize_context_t*) const /src/./hb-ot-layout-gsubgpos-private.hh:1546:12
#1 0x5ef73e in bool OT::hb_sanitize_context_t::dispatch<OT::ContextFormat3>(OT::ContextFormat3 const&) /src/./hb-open-type-private.hh:198:56
#2 0x5ef73e in OT::hb_sanitize_context_t::return_t OT::Context::dispatch<OT::hb_sanitize_context_t>(OT::hb_sanitize_context_t*) const /src/./hb-ot-layout-gsubgpos-private.hh:1575
#3 0x5ee8c6 in OT::hb_sanitize_context_t::return_t OT::SubstLookupSubTable::dispatch<OT::hb_sanitize_context_t>(OT::hb_sanitize_context_t*, unsigned int) const /src/./hb-ot-layout-gsub-table.hh:1112:20
#4 0x5ee50e in OT::hb_sanitize_context_t::return_t OT::Lookup::dispatch<OT::SubstLookupSubTable, OT::hb_sanitize_context_t>(OT::hb_sanitize_context_t*) const /src/./hb-ot-layout-common-private.hh:624:71
#5 0x5eddbb in OT::hb_sanitize_context_t::return_t OT::SubstLookup::dispatch<OT::hb_sanitize_context_t>(OT::hb_sanitize_context_t*) const /src/./hb-ot-layout-gsub-table.hh:1263:20
#6 0x5eddbb in OT::SubstLookup::sanitize(OT::hb_sanitize_context_t*) const /src/./hb-ot-layout-gsub-table.hh:1269
#7 0x5eda08 in OT::OffsetTo<OT::SubstLookup, OT::IntType<unsigned short, 2u> >::sanitize(OT::hb_sanitize_context_t*, void const*) const /src/./hb-open-type-private.hh:802:5
#8 0x5e06c9 in OT::ArrayOf<OT::OffsetTo<OT::SubstLookup, OT::IntType<unsigned short, 2u> >, OT::IntType<unsigned short, 2u> >::sanitize(OT::hb_sanitize_context_t*, void const*) const /src/./hb-open-type-private.hh:905:11
#9 0x5e06c9 in OT::OffsetListOf<OT::SubstLookup>::sanitize(OT::hb_sanitize_context_t*) const /src/./hb-open-type-private.hh:963
#10 0x5e06c9 in OT::OffsetTo<OT::OffsetListOf<OT::SubstLookup>, OT::IntType<unsigned short, 2u> >::sanitize(OT::hb_sanitize_context_t*, void const*) const /src/./hb-open-type-private.hh:802
#11 0x59a59f in OT::GSUB::sanitize(OT::hb_sanitize_context_t*) const /src/./hb-ot-layout-gsub-table.hh:1307:5
#12 0x59a59f in OT::Sanitizer<OT::GSUB>::sanitize(hb_blob_t*) /src/./hb-open-type-private.hh:332
#13 0x587743 in _hb_ot_layout_create(hb_face_t*) /src/hb-ot-layout.cc:56:49
#14 0x62ff62 in _hb_ot_shaper_face_data_create /src/hb-ot-shape.cc:138:10
#15 0x62ff62 in hb_ot_shaper_face_data_ensure /src/hb-ot-shape.cc:133
#16 0x54ee9a in hb_shape_plan_plan(hb_shape_plan_t*, hb_feature_t const*, unsigned int, int const*, unsigned int, char const* const*) /src/./hb-shaper-list.hh:43:1
#17 0x54ee9a in hb_shape_plan_create2 /src/hb-shape-plan.cc:172
#18 0x5511ea in hb_shape_plan_create_cached2 /src/hb-shape-plan.cc:531:33
#19 0x54e6da in hb_shape_full /src/hb-shape.cc:128:33
#20 0x510aca in LLVMFuzzerTestOneInput /test/fuzzing/hb-fuzzer.cc:20:5
#21 0x5117e7 in main /test/fuzzing/main.cc:20:4
#22 0x7f52ee17f82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#23 0x41a948 in _start (hb-fuzzer+0x41a948)