authorWerner Lemberg <wl@gnu.org>2018-09-12 07:40:49 +0200
committerWerner Lemberg <wl@gnu.org>2018-09-12 07:40:49 +0200
commit65681e6dc1937db57d5905c5dd89e0a306bc0634 (patch)
tree0b21c3e06fe78a566b9105ad15017f33e1967495
parent53c5e4bd87ff8035d91022204bb5f3a051e78a99 (diff)
[truetype] Improve VF check.
Triggered by https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10255

* src/truetype/ttgxvar.c (ft_var_load_gvar): Use better limit check for `tupleCount'.
-rw-r--r--ChangeLog11
-rw-r--r--src/truetype/ttgxvar.c11
2 files changed, 18 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog
index ac063f1a6..6223b231e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,16 @@
2018-09-12 Werner Lemberg <wl@gnu.org>
+ [truetype] Improve VF check.
+
+ Triggered by
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10255
+
+ * src/truetype/ttgxvar.c (ft_var_load_gvar): Use better limit check
+ for `tupleCount'.
+
+2018-09-12 Werner Lemberg <wl@gnu.org>
+
* src/truetype/ttgxvar.c (ft_var_load_gvar): Check `glyphoffsets'.
2018-09-10 Armin Hasitzka <prince.cherusker@gmail.com>
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index 3a2c5409d..bb6c6849d 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -3672,6 +3672,7 @@
FT_UInt tupleCount;
FT_ULong offsetToData;
+ FT_ULong dataSize;
FT_ULong here;
FT_UInt i, j;
@@ -3712,9 +3713,11 @@
FT_NEW_ARRAY( has_delta, n_points ) )
goto Fail1;
- if ( FT_STREAM_SEEK( blend->glyphoffsets[glyph_index] ) ||
- FT_FRAME_ENTER( blend->glyphoffsets[glyph_index + 1] -
- blend->glyphoffsets[glyph_index] ) )
+ dataSize = blend->glyphoffsets[glyph_index + 1] -
+ blend->glyphoffsets[glyph_index];
+
+ if ( FT_STREAM_SEEK( blend->glyphoffsets[glyph_index] ) ||
+ FT_FRAME_ENTER( dataSize ) )
goto Fail1;
glyph_start = FT_Stream_FTell( stream );
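Review bot: `dataSize` is an unsigned difference of two offsets that come from the font, so the new assignment `dataSize = blend->glyphoffsets[glyph_index + 1] - blend->glyphoffsets[glyph_index]` wraps to a very large value whenever the second offset is smaller than the first. Nothing in this hunk rules that out; the previous ChangeLog entry mentions a `glyphoffsets` check, but whether it enforces non-decreasing order is not visible here. A wrapped value would make the rough sanity test in the next hunk (`... > dataSize`) ineffective, so rejecting the glyph would rest entirely on how FT_FRAME_ENTER handles an oversized request. Either guard the subtraction with `if ( blend->glyphoffsets[glyph_index + 1] < blend->glyphoffsets[glyph_index] ) goto Fail1;` (setting `error` the way the function's other failure paths do), or add a comment such as `/* glyphoffsets[] is validated as non-decreasing at load time, so this cannot wrap */` once that is confirmed. The enclosing function starts and ends outside the hunk.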
@@ -3731,7 +3734,7 @@
/* rough sanity test */
if ( offsetToData + ( tupleCount & GX_TC_TUPLE_COUNT_MASK ) * 4 >
- blend->gvar_size )
+ dataSize )
{
FT_TRACE2(( "TT_Vary_Apply_Glyph_Deltas:"
" invalid glyph variation array header\n" ));