From 182295cbcf63e0399f5df68f3d8a7e60b8eeecdb Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Tue, 26 Jul 2022 16:08:00 +0200
Subject: [PATCH] [pfr] Add some safety guards.

* src/pfr/pfrload.c (pfr_phy_font_load): Check resolutions and number of
characters.

Fixes #1174.
---
 src/pfr/pfrload.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/src/pfr/pfrload.c b/src/pfr/pfrload.c
index 25ba07749..97290ef02 100644
--- a/src/pfr/pfrload.c
+++ b/src/pfr/pfrload.c
@@ -852,6 +852,14 @@
     phy_font->bbox.yMax          = PFR_NEXT_SHORT( p );
     phy_font->flags      = flags = PFR_NEXT_BYTE( p );
 
+    if ( !phy_font->outline_resolution ||
+         !phy_font->metrics_resolution )
+    {
+      error = FT_THROW( Invalid_Table );
+      FT_ERROR(( "pfr_phy_font_load: invalid resolution\n" ));
+      goto Fail;
+    }
+
     /* get the standard advance for non-proportional fonts */
     if ( !( flags & PFR_PHY_PROPORTIONAL ) )
     {
@@ -969,6 +977,13 @@
       phy_font->num_chars    = count = PFR_NEXT_USHORT( p );
       phy_font->chars_offset = offset + (FT_Offset)( p - stream->cursor );
 
+      if ( !phy_font->num_chars )
+      {
+        error = FT_THROW( Invalid_Table );
+        FT_ERROR(( "pfr_phy_font_load: no glyphs\n" ));
+        goto Fail;
+      }
+
       Size = 1 + 1 + 2;
       if ( flags & PFR_PHY_2BYTE_CHARCODE )
         Size += 1;