From 545a481a74a3c3b70af8928793a01a84f8b0ee9b Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Thu, 10 Oct 2019 13:11:06 +0200
Subject: [PATCH] * src/sfnt/sfwoff2.c (reconstruct_glyf): Check
 `triplet_size'.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18108
---
 ChangeLog          | 12 ++++++++++--
 src/sfnt/sfwoff2.c |  5 +++++
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 8fad2ed9c..ba3460664 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,9 +1,17 @@
+2019-10-10  Werner Lemberg  <wl@gnu.org>
+
+	* src/sfnt/sfwoff2.c (reconstruct_glyf): Check `triplet_size'.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18108
+
 2019-10-09  John Tytgat  <John.Tytgat@esko.com>
 
 	[cff] Fix FT_FACE_FLAG_GLYPH_NAMES for CFF2 based fonts (#57023).
 
-	* src/cff/cffobjs.c (cff_face_init): Don't set FT_FACE_FLAG_GLYPH_NAMES
-	for CFF2 based fonts.
+	* src/cff/cffobjs.c (cff_face_init): Don't set
+	FT_FACE_FLAG_GLYPH_NAMES for CFF2 based fonts.
 
 2019-10-08  Werner Lemberg  <wl@gnu.org>
 
diff --git a/src/sfnt/sfwoff2.c b/src/sfnt/sfwoff2.c
index 01d5bb241..db0fb7ac2 100644
--- a/src/sfnt/sfwoff2.c
+++ b/src/sfnt/sfwoff2.c
@@ -1070,6 +1070,11 @@
         flags_buf   = stream->base + substreams[FLAG_STREAM].offset;
         triplet_buf = stream->base + substreams[GLYPH_STREAM].offset;
 
+        if ( substreams[GLYPH_STREAM].size <
+               ( substreams[GLYPH_STREAM].offset -
+                 substreams[GLYPH_STREAM].start ) )
+          goto Fail;
+
         triplet_size       = substreams[GLYPH_STREAM].size -
                                ( substreams[GLYPH_STREAM].offset -
                                  substreams[GLYPH_STREAM].start );