From c31092ab34641072606f854408eb1bea18ed2507 Mon Sep 17 00:00:00 2001
From: Michiharu Ariza <ariza@adobe.com>
Date: Wed, 5 Dec 2018 17:04:55 -0800
Subject: [PATCH] sanitize variationStore in CFF2 against its size

---
 src/hb-ot-cff2-table.hh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/hb-ot-cff2-table.hh b/src/hb-ot-cff2-table.hh
index 178acf0..de2b1b2 100644
--- a/src/hb-ot-cff2-table.hh
+++ b/src/hb-ot-cff2-table.hh
@@ -115,7 +115,7 @@ struct CFF2VariationStore
   inline bool sanitize (hb_sanitize_context_t *c) const
   {
     TRACE_SANITIZE (this);
-    return_trace (likely (c->check_struct (this)) && varStore.sanitize (c));
+    return_trace (likely (c->check_struct (this)) && c->check_range (&varStore, size) && varStore.sanitize (c));
   }
 
   inline bool serialize (hb_serialize_context_t *c, const CFF2VariationStore *varStore)
-- 
2.7.4