From b24cfc8dcc8991f464782f91922c2772f393184d Mon Sep 17 00:00:00 2001 From: Werner Lemberg Date: Tue, 8 Jun 2021 15:26:41 +0200 Subject: [PATCH] [sfnt] Sanitize cmap4 table better. Fixes #1062. * src/sfnt/ttcmap.c (tt_cmap4_validate): Handle a too-small value of `length` gracefully. --- ChangeLog | 9 +++++++++ src/sfnt/ttcmap.c | 10 ++++++++++ 2 files changed, 19 insertions(+) diff --git a/ChangeLog b/ChangeLog index 1c617938b..3b64ee7e2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +2021-06-08 Werner Lemberg + + [sfnt] Sanitize cmap4 table better. + + Fixes #1062. + + * src/sfnt/ttcmap.c (tt_cmap4_validate): Handle a too-small value of + `length` gracefully. + 2021-06-08 Dominik Röttsches [sfnt] Pointer validity check when reading COLR 'v1' layers diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c index 45d9f92f9..b369d8378 100644 --- a/src/sfnt/ttcmap.c +++ b/src/sfnt/ttcmap.c @@ -916,6 +916,16 @@ length = (FT_UInt)( valid->limit - table ); } + /* it also happens that the `length' field is too small; */ + /* this is easy to correct */ + if ( length < (FT_UInt)( valid->limit - table ) ) + { + if ( valid->level >= FT_VALIDATE_PARANOID ) + FT_INVALID_DATA; + + length = (FT_UInt)( valid->limit - table ); + } + if ( length < 16 ) FT_INVALID_TOO_SHORT;
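Review bot: The new `if ( length < (FT_UInt)( valid->limit - table ) )` test is also true for every well-formed format-4 subtable that is not the last one in the cmap, because `valid->limit` is the end of the whole buffer the validator was given (presumably the entire cmap table, which is set up by the caller outside this hunk) rather than the end of this subtable. As written, such a subtable is rejected with FT_INVALID_DATA at FT_VALIDATE_PARANOID and, at lower levels, has its declared `length` silently replaced by the remaining size of the table, so every later `length`-based check in this function measures the rest of the cmap instead of the subtable; reads remain bounded by `valid->limit`, so this is a loss of precision rather than an out-of-bounds read, but the comment should say that instead of calling it "easy to correct". I would replace the two comment lines with `/* `length' may also be smaller than the remaining table (a subtable */ /* that is not the last one, or a bogus value); widen it so that the */ /* checks below bound all reads by `valid->limit'.                   */`. If the paranoid rejection is meant for genuinely bogus values only, it needs a tighter trigger than this comparison, for example testing `length < 16` before widening. tt_cmap4_validate starts before and continues after this hunk.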