freetype-commit

[freetype2] master 543a3b9: * src/sfnt/sfwoff2.c (woff2_open_font): Add


From: Werner LEMBERG
Subject: [freetype2] master 543a3b9: * src/sfnt/sfwoff2.c (woff2_open_font): Add sanity check.
Date: Sun, 1 Sep 2019 17:05:51 -0400 (EDT)

branch: master
commit 543a3b939df50e02e52b948f4c9c8ba63bf38059
Author: Werner Lemberg <address@hidden>
Commit: Werner Lemberg <address@hidden>

    * src/sfnt/sfwoff2.c (woff2_open_font): Add sanity check.
    
    Don't trust `totalSfntSize' unconditionally.
    
    Reported as
    
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16893
---
 ChangeLog          | 10 ++++++++++
 src/sfnt/sfwoff2.c | 17 ++++++++++++++++-
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 3904020..a6d7cb4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2019-09-01  Werner Lemberg  <address@hidden>
+
+       * src/sfnt/sfwoff2.c (woff2_open_font): Add sanity check.
+
+       Don't trust `totalSfntSize' unconditionally.
+
+       Reported as
+
+         https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16893
+
 2019-08-27  Dominik Röttsches  <address@hidden>
 
        [woff2] Don't use `FT_UInt64' (#56815).
diff --git a/src/sfnt/sfwoff2.c b/src/sfnt/sfwoff2.c
index a599ae5..6e2ff04 100644
--- a/src/sfnt/sfwoff2.c
+++ b/src/sfnt/sfwoff2.c
@@ -2092,7 +2092,22 @@
     /* This is what we normally expect.                              */
     /* Initially trust `totalSfntSize' and change later as required. */
     if ( woff2.totalSfntSize > sfnt_size )
-      sfnt_size = woff2.totalSfntSize;
+    {
+      /* However, adjust the value to something reasonable. */
+
+      /* Factor 64 is heuristic. */
+      if ( ( woff2.totalSfntSize >> 6 ) > sfnt_size )
+        sfnt_size <<= 6;
+      else
+        sfnt_size = woff2.totalSfntSize;
+
+      /* Value 1<<26 = 67108864 is heuristic. */
+      if (sfnt_size >= (1 << 26))
+        sfnt_size = 1 << 26;
+
+      FT_TRACE4(( "adjusting estimate of uncompressed font size to %lu\n",
+                  sfnt_size ));
+    }
 
     /* Write sfnt header. */
     if ( FT_ALLOC( sfnt, sfnt_size ) ||
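Review bot: `sfnt_size <<= 6` is executed before the `1 << 26` cap, so if `sfnt_size` is only 32 bits wide on some platform (the `%lu` in the trace suggests `unsigned long`), a starting estimate of 1 << 26 or more wraps around before the clamp ever sees it. Applying the cap first, or comparing the estimate against `( 1 << 26 ) >> 6` before shifting, avoids that. The cap also sits entirely inside the `woff2.totalSfntSize > sfnt_size` block, so an estimate that is already larger than both `totalSfntSize` and 1 << 26 reaches `FT_ALLOC( sfnt, sfnt_size )` unclamped; if the limit is meant as a general upper bound it should be applied after the block. Two smaller points: `if (sfnt_size >= (1 << 26))` does not use the `if ( ... )` spacing of the surrounding lines, and the two heuristic values (shift by 6, 1 << 26) would be easier to tune and to find as named macros with a comment explaining how they were chosen.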


