[CFF2] Lift uint16 VariationStore.length limitation

Fixes khaledhosny#290
behdad · Oct 27, 2024 · 3b6f9b5 · 3b6f9b5
1 parent 5daecc9
commit 3b6f9b5
Showing 1 changed file with 10 additions and 4 deletions.
diff --git a/src/cff.cc b/src/cff.cc
@@ -588,19 +588,25 @@ bool ParsePrivateDictData(
 }
 
 bool ParseVariationStore(ots::OpenTypeCFF& out_cff, ots::Buffer& table) {
-  uint16_t length;
+  uint16_t encoded_length;
 
-  if (!table.ReadU16(&length)) {
+  if (!table.ReadU16(&encoded_length)) {
     return OTS_FAILURE();
   }
 
+  unsigned length = encoded_length;
+
   // Empty VariationStore is allowed.
   if (!length) {
     return true;
   }
 
-  if (length > table.remaining()) {
-    return OTS_FAILURE();
+  if (length != 65535) {
+    if (length > table.remaining()) {
+      return OTS_FAILURE();
+    }
+  } else {
+    length = table.remaining();
   }
 
   if (!ParseItemVariationStore(out_cff.GetFont(),