From 0d4428ae55b688338b889b4d1732ab9cedef5633 Mon Sep 17 00:00:00 2001
From: Adrian Johnson
Date: Sat, 8 Jul 2017 08:37:21 +0930
Subject: [PATCH 1/2] truetype: check cmap size before allocating memory

https://bugs.freedesktop.org/show_bug.cgi?id=101547
---
 src/cairo-truetype-subset.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/cairo-truetype-subset.c b/src/cairo-truetype-subset.c
index 62902cf7a..84cde3394 100644
--- a/src/cairo-truetype-subset.c
+++ b/src/cairo-truetype-subset.c
@@ -1291,6 +1291,10 @@ _cairo_truetype_reverse_cmap (cairo_scaled_font_t *scaled_font,
 	return CAIRO_INT_STATUS_UNSUPPORTED;
 
     size = be16_to_cpu (map->length);
+    /* minimum table size is 24 bytes */
+    if (size < 24)
+	return CAIRO_INT_STATUS_UNSUPPORTED;
+
     map = malloc (size);
     if (unlikely (map == NULL))
 	return _cairo_error (CAIRO_STATUS_NO_MEMORY);
-- 
2.11.0
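Review bot: The literal 24 on the added `if (size < 24)` line is justified only by "minimum table size", which does not let a reader verify the bound; since it is the size of the smallest format-4 cmap subtable, I would replace the comment with `/* format 4 header (7 x uint16) + reservedPad + one entry each of endCode/startCode/idDelta/idRangeOffset = 24 bytes */`. The check guarantees only that the allocation can hold the header and a single segment; the rest of `_cairo_truetype_reverse_cmap`, which continues outside the hunk, presumably walks `segCountX2 / 2` segments, and those array reads still need to be bounded against `size` (that may be what the second patch in this series addresses, but it is worth stating here). An explicit note at the new lines that the bound covers the header only would keep a later reader from treating the length check as sufficient validation of the table contents.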