From afa02a8005b12640b16da7154150eedc8109999f Mon Sep 17 00:00:00 2001
From: Benoit KUGLER <benoit.kugler@gmail.com>
Date: Thu, 12 Oct 2023 14:12:42 +0200
Subject: [PATCH] [opentype] add check to avoid crashing on malicious/invalid
 font files

---
 opentype/api/font/variations.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/opentype/api/font/variations.go b/opentype/api/font/variations.go
index c6dd493f..663d2965 100644
--- a/opentype/api/font/variations.go
+++ b/opentype/api/font/variations.go
@@ -296,6 +296,11 @@ func unpackDeltas(data []byte, pointNumbersCount int) ([]int16, error) {
 			nbRead += int(count)
 			data = data[1:]
 		} else {
+			// we fill fill out[nbRead:nbRead+count-1], that is we must have
+			// nbRead+count-1 < pointNumbersCount
+			if got := nbRead + int(count); got > pointNumbersCount {
+				return nil, fmt.Errorf("invalid packed deltas (expected %d point numbers, got %d)", pointNumbersCount, got)
+			}
 			isInt16 := control&deltasAreWords != 0
 			if isInt16 {
 				if len(data) < 1+2*int(count) {