From ac216972abd3803947d4f2208380648965d26e94 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod
Date: Wed, 13 Jul 2022 15:32:19 -0600
Subject: [PATCH] [subset] Add table size blowup bound

Fixes https://github.com/harfbuzz/harfbuzz/issues/3091
---
 src/hb-subset.cc | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/hb-subset.cc b/src/hb-subset.cc
index 441b6fc0f..34ef923ba 100644
--- a/src/hb-subset.cc
+++ b/src/hb-subset.cc
@@ -242,10 +242,15 @@ _try_subset (const TableType *table,
 unsigned buf_size = buf->allocated;
 buf_size = buf_size * 2 + 16;
 
+
+
+
+
 DEBUG_MSG (SUBSET, nullptr, "OT::%c%c%c%c ran out of room; reallocating to %u bytes.",
 HB_UNTAG (c->table_tag), buf_size);
 
- if (unlikely (!buf->alloc (buf_size)))
+ if (unlikely (buf_size > c->source_blob->length * 16 ||
+ !buf->alloc (buf_size)))
 {
 DEBUG_MSG (SUBSET, nullptr, "OT::%c%c%c%c failed to reallocate %u bytes.",
 HB_UNTAG (c->table_tag), buf_size);
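Review bot: The bound added to the `if (unlikely (...` condition computes `c->source_blob->length * 16` in what looks like 32-bit unsigned arithmetic (`buf_size` is `unsigned`; the type of `length` is not visible in this hunk), so for a source table of 256 MiB or more the product would wrap and the cap would come out far smaller than intended. The wrap can only make the cap stricter, so it fails closed, but a large font would then be refused on its first retry; widening the multiply keeps the comparison exact: `if (unlikely (buf_size > (uint64_t) c->source_blob->length * 16 ||`. The factor 16 is unexplained and would be easier to audit with a comment above the condition such as `/* Bound the output buffer at 16x the source table size. */`, or as a named constant. A table rejected by the cap is still logged as "failed to reallocate", which reads as an out-of-memory condition during triage, so a separate debug message for the bound would help. The body of `_try_subset` starts and ends outside the hunk.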