From 922898c814b328712fac6c3259740804679dae11 Mon Sep 17 00:00:00 2001
From: Ebrahim Byagowi
Date: Fri, 23 Aug 2019 22:04:14 +0430
Subject: [PATCH] [subset] Fail on table grow more than 16x+4096
---
 src/hb-subset.cc | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/hb-subset.cc b/src/hb-subset.cc
index c0752acc1..f18901705 100644
--- a/src/hb-subset.cc
+++ b/src/hb-subset.cc
@@ -93,6 +93,7 @@ _subset2 (hb_subset_plan_t *plan)
 if (serializer.ran_out_of_room)
 {
 buf_size += (buf_size >> 1) + 32;
+ assert (buf_size <= source_blob->length * 16 + 4096);
 DEBUG_MSG(SUBSET, nullptr, "OT::%c%c%c%c ran out of room; reallocating to %u bytes.", HB_UNTAG (tag), buf_size);
 if (unlikely (!buf.alloc (buf_size)))
 {
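Review bot: The added `assert (buf_size <= source_blob->length * 16 + 4096);` enforces the growth cap only in builds where assertions are enabled; with `NDEBUG` it compiles out and the retry path keeps enlarging the buffer until `buf.alloc` fails, while in assert-enabled builds a table that trips it aborts the whole process instead of failing the subset. Because the table being subset can come from an untrusted font, a runtime check is the safer form, for example `if (unlikely (buf_size > source_blob->length * 16 + 4096))` taking the same failure exit as the `!buf.alloc (buf_size)` branch that opens on the hunk's last line. If `length` is a 32-bit unsigned value (not visible here, so worth confirming), `length * 16` can wrap for very large tables and make the bound spuriously small, so widening the multiplication before the comparison would help. `_subset2` starts and ends outside the hunk, so the failure exit itself is not shown.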