[glyf] Add an edge-count limit

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55246

src/OT/glyf/Glyph.hh

@@ -207,9 +207,14 @@ struct Glyph
 		   bool use_my_metrics = true,
 		   bool phantom_only = false,
 		   hb_array_t<int> coords = hb_array_t<int> (),
-		   unsigned int depth = 0) const
+		   unsigned int depth = 0,
+		   unsigned *edge_count = nullptr) const
   {
     if (unlikely (depth > HB_MAX_NESTING_LEVEL)) return false;
+    unsigned stack_edge_count = 0;
+    if (!edge_count) edge_count = &stack_edge_count;
+    if (unlikely (*edge_count > HB_GLYF_MAX_EDGE_COUNT)) return false;
+    (*edge_count)++;
 
     if (!coords)
       coords = hb_array (font->coords, font->num_coords);
@@ -316,7 +321,8 @@ struct Glyph
 						    use_my_metrics,
 						    phantom_only,
 						    coords,
-						    depth + 1)))
+						    depth + 1,
+						    edge_count)))
 	  return false;
 
 	/* Copy phantom points from component if USE_MY_METRICS flag set */
@@ -381,7 +387,8 @@ struct Glyph
 						    use_my_metrics,
 						    phantom_only,
 						    coord_setter.get_coords (),
-						    depth + 1)))
+						    depth + 1,
+						    edge_count)))
 	  return false;
 
 	/* Apply component transformation */

src/hb-limits.hh

@@ -93,6 +93,10 @@
 #define HB_GLYF_MAX_POINTS 10000
 #endif
 
+#ifndef HB_GLYF_MAX_EDGE_COUNT
+#define HB_GLYF_MAX_EDGE_COUNT 1024
+#endif
+
 #ifndef HB_CFF_MAX_OPS
 #define HB_CFF_MAX_OPS 10000
 #endif