From 4134ec1307bbaff24972e238bc5e4a403cd3f1c1 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Tue, 11 Sep 2018 17:56:03 +0200
Subject: [PATCH] [dfont] Sanitize only sfnt resources as OpenTypeFontFile

---
 src/hb-open-file.hh | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/hb-open-file.hh b/src/hb-open-file.hh
index 35a774ddd..bbfc8f0e0 100644
--- a/src/hb-open-file.hh
+++ b/src/hb-open-file.hh
@@ -300,7 +300,7 @@ struct ResourceRefItem
 
   HBINT16	id;		/* Resource ID, is really should be signed? */
   HBINT16	nameOffset;	/* Offset from beginning of resource name list
-				 * to resource name, minus means there is none. */
+				 * to resource name, -1 means there is none. */
   HBUINT8	attr;		/* Resource attributes */
   HBUINT24	dataOffset;	/* Offset from beginning of resource data to
 				 * data for this resource */
@@ -374,7 +374,7 @@ struct ResourceMap
   inline const PString& get_name (const ResourceRefItem &item,
 				  unsigned int i) const
   {
-    if (item.nameOffset == -1)
+    if (item.nameOffset < 0)
       return Null (PString);
 
     return StructAtOffset<PString> (this, nameList + item.nameOffset);
@@ -452,8 +452,11 @@ struct ResourceForkHeader
       for (unsigned int j = 0; j < type.get_resource_count (); ++j)
       {
         const LArrayOf<HBUINT8>& data = get_data (type, j);
-	if (unlikely (!(data.sanitize (c) &&
-			((OpenTypeFontFace&) data.arrayZ).sanitize (c))))
+	if (unlikely (!data.sanitize (c)))
+	  return_trace (false);
+
+	if (unlikely (type.is_sfnt () &&
+		      !((OpenTypeFontFace&) data.arrayZ).sanitize (c)))
 	  return_trace (false);
       }
     }