authorChris Liddell <chris.liddell@artifex.com>2022-07-04 14:14:09 +0100
committerChris Liddell <chris.liddell@artifex.com>2022-07-05 10:50:31 +0100
commitcf5e0668ddedadb0496587103dadfc9b1c90b3e9 (patch)
tree391c833586392e9fdc079c58ab5b63a1622d741c
parente950d1fa30cda37cae4cc0553a4d24135fc09695 (diff)
downloadghostpdl-cf5e0668ddedadb0496587103dadfc9b1c90b3e9.tar.gz
oss-fuzz 48437: Add bounds check on size of loca table data
The test case has a TTF in which the loca size has been set to an enormous value. While the loca size is a 32 bit unsigned number (so the value in question is "valid"), it should follow a specific relationship with the number of glyphs that the font contains, and that is an unsigned 16 bit value. So, we can sanity check the size of the loca table based on that condition. This may or may not solve the oss-fuzz timeout, but it does improve things considerably.
-rw-r--r--base/gstype42.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/base/gstype42.c b/base/gstype42.c
index 3cc922136..1c2b530a2 100644
--- a/base/gstype42.c
+++ b/base/gstype42.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2001-2021 Artifex Software, Inc.
+/* Copyright (C) 2001-2022 Artifex Software, Inc.
All Rights Reserved.
This software is provided AS-IS with no warranty, either express or
@@ -269,8 +269,13 @@ gs_type42_font_init(gs_font_type42 * pfont, int subfontID)
pfont->data.os2_offset = offset;
}
}
- loca_size >>= pfont->data.indexToLocFormat + 1;
+ loca_size >>= (pfont->data.indexToLocFormat == 0 ? 1 : 2);
pfont->data.numGlyphs = loca_size - 1;
+ if (pfont->data.numGlyphs > 65535) {
+ pfont->data.numGlyphs = 65535;
+ loca_size = (65536 << (pfont->data.indexToLocFormat == 0 ? 1 : 2));
+ }
+
if (pfont->data.numGlyphs > (int)pfont->data.trueNumGlyphs) {
/* pfont->key_name.chars is ASCIIZ due to copy_font_name. */
char buf[gs_font_name_max + 2];
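Review bot: After the clamp at L32–L35, loca_size is in different units on the two paths: L30 has just shifted it down to an entry count, but L34 stores `65536 << shift`, which is the byte size again, so if loca_size is consulted after this hunk (any remaining uses are outside the visible lines) the clamped path hands on a value two or four times too large. Clamping the entry count before it is stored avoids that and also removes the dependence on numGlyphs's type: `if (loca_size > 65536) loca_size = 65536;` followed by the unchanged `pfont->data.numGlyphs = loca_size - 1;`. That matters because the `(int)` cast on trueNumGlyphs at L37 suggests numGlyphs is signed; if loca_size is a 32-bit unsigned count, a shifted value of 2^31 or more converts to a negative numGlyphs and the `> 65535` test at L32 never fires (likewise loca_size == 0 yields -1 rather than being rejected). A one-line comment such as `/* numGlyphs is a 16-bit value, so loca can hold at most 65536 entries */` would record why 65536 is the bound instead of leaving it as a magic number. gs_type42_font_init continues outside the hunk.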