From 6fa8725a416735a9cf62b68b8aa146144c1e471e Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Fri, 9 May 2025 13:25:34 +0200
Subject: [PATCH] [sfnt] Avoid allocation bomb in compressed SVG documents.
Reported as https://issues.oss-fuzz.com/issues/416538625
* src/sfnt/ttsvg.c (MAX_SVG_SIZE): New macro. (tt_face_load_svg_doc): Reject too large buffer.
---
 src/sfnt/ttsvg.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/sfnt/ttsvg.c b/src/sfnt/ttsvg.c
index 298afd8b5..ee724ba7f 100644
--- a/src/sfnt/ttsvg.c
+++ b/src/sfnt/ttsvg.c
@@ -46,6 +46,9 @@ SVG_DOCUMENT_LIST_MINIMUM_SIZE)
+ /* An arbitrary, heuristic size limit (67MByte) for expanded SVG data. */
+#define MAX_SVG_SIZE ( 1 << 26 )
+
 typedef struct Svg_ { FT_UShort version; /* table version (starting at 0) */
@@ -346,6 +349,13 @@ (FT_ULong)doc[doc_length - 3] << 8 | (FT_ULong)doc[doc_length - 4];
+ if ( uncomp_size >= MAX_SVG_SIZE )
+ {
+ FT_ERROR(( "Uncompressed SVG document too large.\n" ));
+ error = FT_THROW( Array_Too_Large );
+ goto Exit;
+ }
+
 if ( FT_QALLOC( uncomp_buffer, uncomp_size ) ) goto Exit;
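Review bot: The new check in the second hunk bounds `uncomp_size`, a value assembled from the last four bytes of the gzip stream (the ISIZE trailer) of untrusted font data, so it caps the allocation but does not by itself bound how many bytes inflation actually produces; ISIZE is only the length modulo 2^32 and may be smaller than the real output, so the decompression call that follows the FT_QALLOC — outside this hunk — must treat `uncomp_size` as a hard output limit and fail rather than overrun, which is worth confirming in the same change. The error message `"Uncompressed SVG document too large.\n"` also omits the function name and the offending value; if the file follows the usual FreeType convention, `FT_ERROR(( "tt_face_load_svg_doc: uncompressed SVG document too large (%lu bytes)\n", uncomp_size ));` would make the rejection attributable in a debug log, assuming `uncomp_size` is an FT_ULong as the casts above it suggest. Finally, `>=` rejects a document of exactly MAX_SVG_SIZE bytes while the macro's comment calls it a "size limit"; either `if ( uncomp_size > MAX_SVG_SIZE )` or a comment stating that documents must be strictly smaller would remove the ambiguity. tt_face_load_svg_doc begins and ends outside the hunk.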