1From 62e803b36173fd096d7ad460dd1d1db9be542593 Mon Sep 17 00:00:00 2001 2From: Behdad Esfahbod <behdad@behdad.org> 3Date: Wed, 1 Jun 2022 07:38:21 -0600 4Subject: [PATCH] [sbix] Limit glyph extents 5 6Fixes https://github.com/harfbuzz/harfbuzz/issues/3557 7--- 8 src/hb-ot-color-sbix-table.hh | 6 ++++++ 9 test/fuzzing/fonts/sbix-extents.ttf | Bin 0 -> 582 bytes 10 2 files changed, 6 insertions(+) 11 create mode 100644 test/fuzzing/fonts/sbix-extents.ttf 12 13diff --git a/src/hb-ot-color-sbix-table.hh b/src/hb-ot-color-sbix-table.hh 14index 9741ebd450..6efae43cda 100644 15--- a/src/hb-ot-color-sbix-table.hh 16+++ b/src/hb-ot-color-sbix-table.hh 17@@ -298,6 +298,12 @@ struct sbix 18 19 const PNGHeader &png = *blob->as<PNGHeader>(); 20 21+ if (png.IHDR.height >= 65536 | png.IHDR.width >= 65536) 22+ { 23+ hb_blob_destroy (blob); 24+ return false; 25+ } 26+ 27 extents->x_bearing = x_offset; 28 extents->y_bearing = png.IHDR.height + y_offset; 29 extents->width = png.IHDR.width; 30