authorWerner Lemberg <wl@gnu.org>2019-09-01 23:03:09 +0200
committerWerner Lemberg <wl@gnu.org>2019-09-01 23:03:09 +0200
commit543a3b939df50e02e52b948f4c9c8ba63bf38059 (patch)
tree7c67805747eca864655fb9257194fef95e47a9b4
parentcbee985a2bc14750ff850192f9ee8c1efe2bd7c7 (diff)
* src/sfnt/sfwoff2.c (woff2_open_font): Add sanity check.
Don't trust `totalSfntSize' unconditionally. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16893
-rw-r--r--ChangeLog10
-rw-r--r--src/sfnt/sfwoff2.c17
2 files changed, 26 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 390402010..a6d7cb432 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2019-09-01 Werner Lemberg <wl@gnu.org>
+
+ * src/sfnt/sfwoff2.c (woff2_open_font): Add sanity check.
+
+ Don't trust `totalSfntSize' unconditionally.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16893
+
2019-08-27 Dominik Röttsches <drott@chromium.org>
[woff2] Don't use `FT_UInt64' (#56815).
diff --git a/src/sfnt/sfwoff2.c b/src/sfnt/sfwoff2.c
index a599ae505..6e2ff040f 100644
--- a/src/sfnt/sfwoff2.c
+++ b/src/sfnt/sfwoff2.c
@@ -2092,7 +2092,22 @@
/* This is what we normally expect. */
/* Initially trust `totalSfntSize' and change later as required. */
if ( woff2.totalSfntSize > sfnt_size )
- sfnt_size = woff2.totalSfntSize;
+ {
+ /* However, adjust the value to something reasonable. */
+
+ /* Factor 64 is heuristic. */
+ if ( ( woff2.totalSfntSize >> 6 ) > sfnt_size )
+ sfnt_size <<= 6;
+ else
+ sfnt_size = woff2.totalSfntSize;
+
+ /* Value 1<<26 = 67108864 is heuristic. */
+ if (sfnt_size >= (1 << 26))
+ sfnt_size = 1 << 26;
+
+ FT_TRACE4(( "adjusting estimate of uncompressed font size to %lu\n",
+ sfnt_size ));
+ }
/* Write sfnt header. */
if ( FT_ALLOC( sfnt, sfnt_size ) ||
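Review bot: The new clamp `if (sfnt_size >= (1 << 26))` / `sfnt_size = 1 << 26;` departs from the FreeType spacing used a few lines above (`if ( ( woff2.totalSfntSize >> 6 ) > sfnt_size )`) and leaves both heuristics as bare numbers; writing it as `if ( sfnt_size >= ( 1UL << 26 ) )` and lifting the shift factor 6 and the 1<<26 cap into named constants next to the comments that explain them would keep the file's style and put the limits in one place. After this block `sfnt_size` can be smaller than the real uncompressed size, since `totalSfntSize` is an untrusted header field and the cap discards it, so the comment at the top of the block should say explicitly that the buffer from `FT_ALLOC( sfnt, sfnt_size )` is only an initial estimate that the table-copy code must grow on demand — presumably that is what "change later as required" means, but the hunk does not show it, so it is worth confirming that every later write is bounded by the actual allocation rather than by the header value. The `%lu` in the `FT_TRACE4` call assumes `sfnt_size` is an unsigned long; if it is an `FT_ULong` that matches, otherwise a cast is needed. The enclosing `woff2_open_font` body extends beyond the hunk on both sides.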