diff --git a/src/hb-aat-layout-kerx-table.hh b/src/hb-aat-layout-kerx-table.hh index 521c4c728..2d5489324 100644 --- a/src/hb-aat-layout-kerx-table.hh +++ b/src/hb-aat-layout-kerx-table.hh @@ -962,6 +962,11 @@ struct KerxTable unsigned int count = thiz()->tableCount; for (unsigned int i = 0; i < count; i++) { + if (unlikely (!st->u.header.sanitize (c))) + { + c->reset_object (); + return_trace (false); + } /* OpenType kern table has 2-byte subtable lengths. That's limiting. * MS implementation also only supports one subtable, of format 0, * anyway. Certain versions of some fonts, like Calibry, contain diff --git a/src/hb-aat-layout-morx-table.hh b/src/hb-aat-layout-morx-table.hh index 7a39eea8d..5b44a4cfa 100644 --- a/src/hb-aat-layout-morx-table.hh +++ b/src/hb-aat-layout-morx-table.hh @@ -1061,6 +1061,11 @@ struct Chain unsigned int count = subtableCount; for (unsigned int i = 0; i < count; i++) { + if (unlikely (!c->check_struct (subtable))) + { + c->reset_object (); + return_trace (false); + } c->set_object (*subtable); if (!subtable->sanitize (c)) return_trace (false);