Update from https://crrev.com/308996

third_party/harfbuzz-ng/gsubgpos.patch

Index: third_party/harfbuzz-ng/gsubgpos.patch
diff --git a/third_party/harfbuzz-ng/gsubgpos.patch b/third_party/harfbuzz-ng/gsubgpos.patch
new file mode 100644
index 0000000000000000000000000000000000000000..47709f1126d0f11e7bc011230b5a322c23af98f8
--- /dev/null
+++ b/third_party/harfbuzz-ng/gsubgpos.patch
@@ -0,0 +1,20 @@
+diff --git a/src/hb-ot-layout-gsubgpos-private.hh b/src/hb-ot-layout-gsubgpos-private.hh
+index 6ff15d2..dafca7f 100644
+--- a/src/hb-ot-layout-gsubgpos-private.hh
++++ b/src/hb-ot-layout-gsubgpos-private.hh
+@@ -1498,6 +1498,7 @@ struct ContextFormat3
+     TRACE_SANITIZE (this);
+     if (!c->check_struct (this)) return TRACE_RETURN (false);
+     unsigned int count = glyphCount;
++    if (!count) return TRACE_RETURN (false); /* We want to access coverage[0] freely. */
+     if (!c->check_array (coverage, coverage[0].static_size, count)) return TRACE_RETURN (false);
+     for (unsigned int i = 0; i < count; i++)
+       if (!coverage[i].sanitize (c, this)) return TRACE_RETURN (false);
+@@ -2109,6 +2110,7 @@ struct ChainContextFormat3
+     if (!backtrack.sanitize (c, this)) return TRACE_RETURN (false);
+     OffsetArrayOf<Coverage> &input = StructAfter<OffsetArrayOf<Coverage> > (backtrack);
+     if (!input.sanitize (c, this)) return TRACE_RETURN (false);
++    if (!input.len) return TRACE_RETURN (false); /* To be consistent with Context. */
+     OffsetArrayOf<Coverage> &lookahead = StructAfter<OffsetArrayOf<Coverage> > (input);
+     if (!lookahead.sanitize (c, this)) return TRACE_RETURN (false);
+     ArrayOf<LookupRecord> &lookup = StructAfter<ArrayOf<LookupRecord> > (lookahead);