From 4f7f6f6e47232e3df95174833c1c5bead20e8f9e Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Sun, 11 Oct 2015 07:55:25 +0200
Subject: [PATCH] [sfnt] Improve extraction of number of named instances.

* src/sfnt/sfobjs.c (sfnt_init_face) [TT_CONFIG_OPTION_GX_VAR_SUPPORT]: Check number of instances against `fvar' table size.
---
 ChangeLog | 8 ++++++++
 src/sfnt/sfobjs.c | 39 +++++++++++++++++++++++++++++++++++----
 2 files changed, 43 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 9464b14ba..067bf744d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2015-10-11 Werner Lemberg
+
+ [sfnt] Improve extraction of number of named instances.
+
+ * src/sfnt/sfobjs.c (sfnt_init_face)
+ [TT_CONFIG_OPTION_GX_VAR_SUPPORT]: Check number of instances against
+ `fvar' table size.
+
 2015-10-10 Alexei Podtelezhnikov
 * src/base/ftoutln.c (FT_Outline_Get_Orientation): Fix overflow
diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c
index 14d3adef2..42c7222f6 100644
--- a/src/sfnt/sfobjs.c
+++ b/src/sfnt/sfobjs.c
@@ -883,9 +883,17 @@
 #ifdef TT_CONFIG_OPTION_GX_VAR_SUPPORT
 {
- FT_ULong fvar_len;
+ FT_ULong fvar_len;
+
+ FT_ULong version;
+ FT_ULong offset;
+
+ FT_UShort num_axes;
+ FT_UShort axis_size;
 FT_UShort num_instances;
- FT_Int instance_index;
+ FT_UShort instance_size;
+
+ FT_Int instance_index;
 instance_index = FT_ABS( face_instance_index ) >> 16;
@@ -893,8 +901,31 @@
 /* test whether current face is a GX font with named instances */
 if ( face->goto_table( face, TTAG_fvar, stream, &fvar_len ) ||
 fvar_len < 20 ||
- FT_STREAM_SKIP( 12 ) ||
- FT_READ_USHORT( num_instances ) )
+ FT_READ_ULONG( version ) ||
+ FT_READ_USHORT( offset ) ||
+ FT_STREAM_SKIP( 2 ) ||
+ FT_READ_USHORT( num_axes ) ||
+ FT_READ_USHORT( axis_size ) ||
+ FT_READ_USHORT( num_instances ) ||
+ FT_READ_USHORT( instance_size ) )
+ {
+ version = 0;
+ num_axes = 0;
+ axis_size = 0;
+ num_instances = 0;
+ instance_size = 0;
+ }
+
+ /* check that the data is bound by the table length; */
+ /* based on similar code in function `TT_Get_MM_Var' */
+ if ( version != 0x00010000UL ||
+ axis_size != 20 ||
+ num_axes > 0x3FFE ||
+ instance_size != 4 + 4 * num_axes ||
+ num_instances > 0x7EFF ||
+ offset +
+ axis_size * num_axes +
+ instance_size * num_instances > fvar_len )
 num_instances = 0;
 /* we support at most 2^15 - 1 instances */
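Review bot: The table-length check at the end of the hunk evaluates `axis_size * num_axes` and `instance_size * num_instances` in `int` after integer promotion of the FT_UShort operands, so it is overflow-free only because the preceding `num_axes > 0x3FFE` and `num_instances > 0x7EFF` limits happen to keep both products below 2^31 on a 32-bit `int`, and nothing in the comment says so. I would make the arithmetic independent of those constants by widening first, `offset + (FT_ULong)axis_size * num_axes + (FT_ULong)instance_size * num_instances > fvar_len`, and note in the comment above it that the 0x3FFE/0x7EFF limits also bound the product sizes. The error branch sets `version`, `num_axes`, `axis_size`, `num_instances` and `instance_size` but not `offset` (nor `fvar_len`, which stays unassigned when `goto_table` fails), which is safe only because `version != 0x00010000UL` short-circuits the second condition first; adding `offset = 0;` there would make the check robust to reordering. sfnt_init_face starts and ends outside the hunk.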