From a7467bf4f8ec10a3ab6f56104a587e042b34943b Mon Sep 17 00:00:00 2001
From: Chakshu Gupta
Date: Sun, 14 Jun 2026 22:46:55 +0530
Subject: [PATCH] fix: add bounds checks for cmap format-12 and kern format-0 entry counts

Add missing validation that the declared entry count fits within the subtable data for cmap format-12/13 (numGroups) and kern format-0 (numPairs). Without these checks, a malformed font can cause reads past the end of the font buffer. Both checks use the already-validated subtable length to avoid integer overflow. No effect on well-formed fonts.
---
 schrift.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/schrift.c b/schrift.c
index eb39376..9f695e2 100644
--- a/schrift.c
+++ b/schrift.c
@@ -328,6 +328,8 @@ sft_kerning(const SFT *sft, SFT_Glyph leftGlyph, SFT_Glyph rightGlyph,
 return -1;
 numPairs = getu16(sft->font, offset);
 offset += 8;
+ if (!is_safe_offset(sft->font, offset, (uint_fast32_t) numPairs * 6))
+ return -1;
 /* Look up character code pair via binary search. */
 key[0] = (leftGlyph >> 8) & 0xFF;
 key[1] = leftGlyph & 0xFF;
@@ -866,6 +868,10 @@ cmap_fmt12_13(SFT_Font *font, uint_fast32_t table, SFT_UChar charCode, SFT_Glyph
 numEntries = getu32(font, table + 12);
+ /* Ensure the declared number of groups fits within the subtable. */
+ if (numEntries > (len - 16) / 12)
+ return -1;
+
 for (i = 0; i < numEntries; ++i) {
 uint32_t firstCode, lastCode, glyphOffset;
 firstCode = getu32(font, table + (i * 12) + 16);
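Review bot: The new `is_safe_offset(sft->font, offset, (uint_fast32_t) numPairs * 6)` guard in sft_kerning bounds the pair array against the font buffer only, while the commit message says both checks use the already-validated subtable length; the kern subtable's own declared length (read before this hunk, if that is what the message refers to) is not consulted, so a format-0 subtable whose pair array spills into the following subtable is still accepted and searched. Once this check is in place that is no longer an out-of-bounds read, but the comment and message should say what is actually guaranteed, e.g. `/* Pair array must lie inside the font buffer; it is not checked against the subtable's own length field. */`. If the subtable length is still in scope here and has already been checked to cover the 6-byte subtable header plus this 8-byte format-0 header, a second comparison of `numPairs * 6` against that remaining length would make the check match the description. The multiplication itself cannot overflow, since numPairs comes from a 16-bit field. sft_kerning's body starts and ends outside this hunk.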
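Review bot: The `numEntries > (len - 16) / 12` check in cmap_fmt12_13 is only sound if `len >= 16` and `is_safe_offset(font, table, len)` have already been established earlier in the function; otherwise `len - 16` wraps to a huge unsigned value and the guard passes every numEntries. Those preconditions, if present, are above this hunk and not visible here, so the new comment should name them rather than just restate the intent, e.g. `/* Relies on len >= 16 and is_safe_offset(font, table, len) checked above; each group is 12 bytes after the 16-byte header. */`. With that precondition the check also keeps `i * 12 + 16` within the validated subtable for every iteration of the loop that follows. cmap_fmt12_13's body starts and ends outside this hunk.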