From 804e625def2cfb64ef2f4c8877cd3fa11e86e208 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Wed, 28 Oct 2020 13:34:52 +0100
Subject: [PATCH] [truetype] Minor update to forthcoming OpenType 1.8.4 standard.
* src/truetype/ttgxvar.c (ft_var_load_item_variation_store): Limit size of `regionCount`.
---
 ChangeLog | 7 +++++++
 src/truetype/ttgxvar.c | 9 +++++++++
 2 files changed, 16 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index cb5bda09a..550fab590 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2020-10-28 Werner Lemberg
+
+ [truetype] Minor update to forthcoming OpenType 1.8.4 standard.
+
+ * src/truetype/ttgxvar.c (ft_var_load_item_variation_store): Limit
+ size of `regionCount`.
+
 2020-10-26 Werner Lemberg
 * meson.build: Fix 'harfbuzz' and 'brotli' build options (#59347).
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index b462263de..53b0cc26f 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -493,6 +493,15 @@
 goto Exit;
 }
+ /* new constraint in OpenType 1.8.4 */
+ if ( itemStore->regionCount >= 32768U )
+ {
+ FT_TRACE2(( "ft_var_load_item_variation_store:"
+ " too many variation region tables\n" ));
+ error = FT_THROW( Invalid_Table );
+ goto Exit;
+ }
+
 if ( FT_NEW_ARRAY( itemStore->varRegionList, itemStore->regionCount ) )
 goto Exit;
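Review bot: The comment above the new `regionCount` check in `src/truetype/ttgxvar.c` names the spec revision but not the rule, so a reader cannot tell what `32768U` stands for. It also does not say that this test is the only bound visible here on the count passed to `FT_NEW_ARRAY` directly below. I would state both, e.g. `/* OpenType 1.8.4: regionCount must be less than 32768; */` followed by `/* this also caps the varRegionList allocation below */`. The count presumably comes straight from the font file, so the trace message could also print the rejected value, which helps when triaging a malformed font. The enclosing function starts and ends outside this hunk, so whether later region indices are validated against `regionCount` cannot be confirmed from here.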