crash fix : Heap-buffer-overflow READ 2
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18513
diff --git a/src/hb-ot-layout-gpos-table.hh b/src/hb-ot-layout-gpos-table.hh
index e129ae4..024312d 100644
--- a/src/hb-ot-layout-gpos-table.hh
+++ b/src/hb-ot-layout-gpos-table.hh
@@ -762,7 +762,7 @@
   friend struct PairSet;
 
   bool serialize (hb_serialize_context_t *c,
-                  unsigned size,
+                  unsigned length,
                   const hb_map_t &glyph_map) const
   {
     TRACE_SERIALIZE (this);
@@ -770,7 +770,7 @@
     if (unlikely (!c->extend_min (out))) return_trace (false);
     
     out->secondGlyph = glyph_map[secondGlyph];
-    return_trace (c->copy (values, size));
+    return_trace (c->copy (values, length));
   }
 
   protected:
@@ -871,16 +871,16 @@
     const hb_set_t &glyphset = *c->plan->glyphset ();
     const hb_map_t &glyph_map = *c->plan->glyph_map;
 
-    unsigned len1 = valueFormats[0].get_size ();
-    unsigned len2 = valueFormats[1].get_size ();
-    unsigned record_size = HBUINT16::static_size + len1 + len2;
+    unsigned len1 = valueFormats[0].get_len ();
+    unsigned len2 = valueFormats[1].get_len ();
+    unsigned record_size = HBUINT16::static_size + Value::static_size * (len1 + len2);
 
     const PairValueRecord *record = &firstPairValueRecord;
     unsigned count = len, num = 0;
     for (unsigned i = 0; i < count; i++)
     {
       if (!glyphset.has (record->secondGlyph)) continue;
-      if (record->serialize (c->serializer, record_size, glyph_map)) num++;
+      if (record->serialize (c->serializer, len1 + len2, glyph_map)) num++;
       record = &StructAtOffset<const PairValueRecord> (record, record_size);
     }
 
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5677906231033856 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5677906231033856
new file mode 100644
index 0000000..72147f6
--- /dev/null
+++ b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5677906231033856
Binary files differ