From: Michiharu Ariza
Date: Thu, 6 Dec 2018 01:04:55 +0000 (-0800)
Subject: sanitize variationStore in CFF2 against its size
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=c31092ab34641072606f854408eb1bea18ed2507;p=platform%2Fupstream%2FlibHarfBuzzSharp.git
sanitize variationStore in CFF2 against its size
---
diff --git a/src/hb-ot-cff2-table.hh b/src/hb-ot-cff2-table.hh
index 178acf0..de2b1b2 100644
--- a/src/hb-ot-cff2-table.hh
+++ b/src/hb-ot-cff2-table.hh
@@ -115,7 +115,7 @@ struct CFF2VariationStore
 inline bool sanitize (hb_sanitize_context_t *c) const
 {
 TRACE_SANITIZE (this);
- return_trace (likely (c->check_struct (this)) && varStore.sanitize (c));
+ return_trace (likely (c->check_struct (this)) && c->check_range (&varStore, size) && varStore.sanitize (c));
 }
 
 inline bool serialize (hb_serialize_context_t *c, const CFF2VariationStore *varStore)
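Review bot: The new `c->check_range (&varStore, size)` and the existing `varStore.sanitize (c)` are two independent checks, and nothing in the added line ties the store's own extent to `size`. The first only shows that `size` bytes after `&varStore` lie inside the blob, and the second presumably validates the store's internal offsets against the blob rather than against `size`. A font whose declared `size` is shorter than the structure it actually describes would therefore still pass, so any consumer that copies or measures by `size` (possibly `serialize`, whose body is outside the hunk) works on a length that is only bounds-safe, not structurally consistent. At minimum I would document that on the line, e.g. `/* size is font-supplied: this bounds size-based reads, it does not prove varStore fits in size */`, and add a malformed-font regression case for the over-long `size` that this commit addresses. The declaration of `size` is not visible here, so its width and meaning are inferred from the commit title.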