[truetype] Improve VF check.

Triggered by

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10255

* src/truetype/ttgxvar.c (ft_var_load_gvar): Use better limit check
for `tupleCount'.

ChangeLog

@@ -1,3 +1,14 @@
+2018-09-12  Werner Lemberg  <wl@gnu.org>
+
+	[truetype] Improve VF check.
+
+	Triggered by
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10255
+
+	* src/truetype/ttgxvar.c (ft_var_load_gvar): Use better limit check
+	for `tupleCount'.
+
 2018-09-12  Werner Lemberg  <wl@gnu.org>
 
 	* src/truetype/ttgxvar.c (ft_var_load_gvar): Check `glyphoffsets'.

src/truetype/ttgxvar.c

@@ -3672,6 +3672,7 @@
 
     FT_UInt   tupleCount;
     FT_ULong  offsetToData;
+    FT_ULong  dataSize;
 
     FT_ULong  here;
     FT_UInt   i, j;
@@ -3712,9 +3713,11 @@
          FT_NEW_ARRAY( has_delta, n_points )  )
       goto Fail1;
 
-    if ( FT_STREAM_SEEK( blend->glyphoffsets[glyph_index] )   ||
+    dataSize = blend->glyphoffsets[glyph_index + 1] -
-         FT_FRAME_ENTER( blend->glyphoffsets[glyph_index + 1] -
+                 blend->glyphoffsets[glyph_index];
-                           blend->glyphoffsets[glyph_index] ) )
+
+    if ( FT_STREAM_SEEK( blend->glyphoffsets[glyph_index] ) ||
+         FT_FRAME_ENTER( dataSize )                         )
       goto Fail1;
 
     glyph_start = FT_Stream_FTell( stream );
@@ -3731,7 +3734,7 @@
 
     /* rough sanity test */
     if ( offsetToData + ( tupleCount & GX_TC_TUPLE_COUNT_MASK ) * 4 >
-           blend->gvar_size )
+           dataSize )
     {
       FT_TRACE2(( "TT_Vary_Apply_Glyph_Deltas:"
                   " invalid glyph variation array header\n" ));