From db4083fd7f19fd3fbd5d5a8e60d5c8e0f19778bd Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Wed, 25 Sep 2019 08:48:26 +0200
Subject: [PATCH] * src/sfnt/sfwoff2.c (woff2_open_font): Check (sum of) table sizes.

Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17684
---
 ChangeLog | 8 ++++++++
 src/sfnt/sfwoff2.c | 7 +++++++
 2 files changed, 15 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index fd20d92ee..16a556818 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2019-09-25 Werner Lemberg
+
+ * src/sfnt/sfwoff2.c (woff2_open_font): Check (sum of) table sizes.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17684
+
 2019-09-23 Alexei Podtelezhnikov
 
 * src/base/ftstroke.c (ft_stroke_border_arcto): Speed up calculations.
diff --git a/src/sfnt/sfwoff2.c b/src/sfnt/sfwoff2.c
index bb7c9815b..7d9017938 100644
--- a/src/sfnt/sfwoff2.c
+++ b/src/sfnt/sfwoff2.c
@@ -2161,6 +2161,13 @@
 goto Exit;
 }
 
+ if ( woff2.uncompressed_size > sfnt_size )
+ {
+ FT_ERROR(( "woff2_open_font: SFNT table lengths are too large.\n" ));
+ error = FT_THROW( Invalid_Table );
+ goto Exit;
+ }
+
 /* Allocate memory for uncompressed table data. */
 if ( FT_ALLOC( uncompressed_buf, woff2.uncompressed_size ) ||
 FT_FRAME_ENTER( woff2.totalCompressedSize ) )
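Review bot: The new guard at the top of the sfwoff2.c hunk bounds `woff2.uncompressed_size` before it becomes the `FT_ALLOC` size a few lines below, but its strength depends on how `uncompressed_size` and `sfnt_size` are derived, and both are computed outside the hunk; if `uncompressed_size` is (as the subject suggests) a sum of per-table lengths read from the file, that accumulation needs its own overflow check, because a wrapped sum would pass this comparison while the individual table lengths still exceed the buffer. The check also carries no comment explaining what the two quantities are, which a reader of a security fix will want; something like `/* The summed table sizes must fit the SFNT size bound: uncompressed_size */` `/* is the FT_ALLOC size below and must not be taken unchecked from the file. */` above the `if` would do. `woff2_open_font` begins and ends outside the hunk, so the derivation of `sfnt_size` cannot be confirmed from here.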