[truetype]: Limit `SLOOP' bytecode argument to 16 bits.

This fixes

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7707

* src/truetype/ttinterp.c (Ins_SLOOP): Do it.

ChangeLog

@@ -1,3 +1,13 @@
+2018-04-15  Werner Lemberg  <wl@gnu.org>
+
+	[truetype]: Limit `SLOOP' bytecode argument to 16 bits.
+
+	This fixes
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7707
+
+	* src/truetype/ttinterp.c (Ins_SLOOP): Do it.
+
 2018-04-14  Werner Lemberg  <wl@gnu.org>
 
 	[truetype] Integer overflow issues.

src/truetype/ttinterp.c

@@ -3289,7 +3289,10 @@
     if ( args[0] < 0 )
       exc->error = FT_THROW( Bad_Argument );
     else
-      exc->GS.loop = args[0];
+    {
+      /* we heuristically limit the number of loops to 16 bits */
+      exc->GS.loop = args[0] > 0xFFFFL ? 0xFFFFL : args[0];
+    }
   }