From 052f6c5649f7a46e599742eb6f47fa91d090f77e Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Tue, 13 Oct 2015 08:24:32 +0200
Subject: [PATCH] [truetype] Another GX sanity test.

* src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): Check `tupleCount'. Add tracing message.
---
 ChangeLog | 8 ++++++++
 src/truetype/ttgxvar.c | 17 ++++++++++++++++-
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 96e45a6a2..ba383efef 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2015-10-13 Werner Lemberg
+
+ [truetype] Another GX sanity test.
+
+ * src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): Check
+ `tupleCount'.
+ Add tracing message.
+
 2015-10-13 Werner Lemberg
 
 [truetype] Fix memory leak for broken GX fonts (#46188).
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index 2f115042a..3ae31d6a9 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -1864,7 +1864,19 @@
 goto Fail2;
 
 tupleCount = FT_GET_USHORT();
- offsetToData = glyph_start + FT_GET_USHORT();
+ offsetToData = FT_GET_USHORT();
+
+ /* rough sanity test */
+ if ( offsetToData + tupleCount * 4 > stream->size - stream->pos )
+ {
+ FT_TRACE2(( "TT_Vary_Apply_Glyph_Deltas:"
+ " invalid glyph variation array header\n" ));
+
+ error = FT_THROW( Invalid_Table );
+ goto Fail2;
+ }
+
+ offsetToData += glyph_start;
 
 if ( tupleCount & GX_TC_TUPLES_SHARE_POINT_NUMBERS )
 {
@@ -1901,6 +1913,9 @@
 }
 else if ( ( tupleIndex & GX_TI_TUPLE_INDEX_MASK ) >= blend->tuplecount )
 {
+ FT_TRACE2(( "TT_Vary_Apply_Glyph_Deltas:"
+ " invalid tuple index\n" ));
+
 error = FT_THROW( Invalid_Table );
 goto Fail2;
 }
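Review bot: In the new sanity test in TT_Vary_Apply_Glyph_Deltas, `tupleCount * 4` is computed from the raw 16-bit field, yet the context line right after the check tests `tupleCount & GX_TC_TUPLES_SHARE_POINT_NUMBERS`, so the value still carries flag bits at that point. A well-formed glyph with that flag set would inflate the product and could be rejected as Invalid_Table whenever the remaining stream is smaller than the inflated figure; masking first keeps the test tied to the real tuple count: `if ( offsetToData + ( tupleCount & GX_TC_TUPLE_COUNT_MASK ) * 4 > stream->size - stream->pos )`. The bound is also only approximate, because `offsetToData` is relative to `glyph_start` while `stream->size - stream->pos` is measured from the current read position, so later reads of tuple data from this untrusted table still need their own limits. The function body starts and ends outside the hunk, so the declared types of these variables cannot be confirmed from here.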