From 8dcc1913a1670ede7b124f7b5b775d7ab8791386 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Sat, 24 Nov 2018 09:47:45 -0500
Subject: [PATCH] [kerx/morx] Make sure object length is sanitized before
 accessing it

---
 src/hb-aat-layout-kerx-table.hh | 5 +++++
 src/hb-aat-layout-morx-table.hh | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/src/hb-aat-layout-kerx-table.hh b/src/hb-aat-layout-kerx-table.hh
index 521c4c728..2d5489324 100644
--- a/src/hb-aat-layout-kerx-table.hh
+++ b/src/hb-aat-layout-kerx-table.hh
@@ -962,6 +962,11 @@ struct KerxTable
     unsigned int count = thiz()->tableCount;
     for (unsigned int i = 0; i < count; i++)
     {
+      if (unlikely (!st->u.header.sanitize (c)))
+      {
+	c->reset_object ();
+	return_trace (false);
+      }
       /* OpenType kern table has 2-byte subtable lengths.  That's limiting.
        * MS implementation also only supports one subtable, of format 0,
        * anyway.  Certain versions of some fonts, like Calibry, contain
diff --git a/src/hb-aat-layout-morx-table.hh b/src/hb-aat-layout-morx-table.hh
index 7a39eea8d..5b44a4cfa 100644
--- a/src/hb-aat-layout-morx-table.hh
+++ b/src/hb-aat-layout-morx-table.hh
@@ -1061,6 +1061,11 @@ struct Chain
     unsigned int count = subtableCount;
     for (unsigned int i = 0; i < count; i++)
     {
+      if (unlikely (!c->check_struct (subtable)))
+      {
+	c->reset_object ();
+	return_trace (false);
+      }
       c->set_object (*subtable);
       if (!subtable->sanitize (c))
 	return_trace (false);