From 5c84fb0b1bcc5fd773a5aae88871f347e84d12a1 Mon Sep 17 00:00:00 2001
From: XavLim <50736074+XavLimSG@users.noreply.github.com>
Date: Mon, 6 Apr 2026 15:55:34 +0000
Subject: [PATCH] Fix uint16 underflow in ReadGlyph causing
 memory-amplification DoS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Validate that endPtsOfContours values are monotonically increasing in
ReadGlyph(). The TrueType spec requires this, but it was not enforced.

When endPtsOfContours values decrease, the uint16 subtraction at
glyph.cc:98 wraps to a large value (up to 65535), causing each
affected contour to allocate ~65K Point structs. A crafted font
with alternating high/low endpoint values triggers massive heap
allocations from tiny input — a 2.3 KB font forces 191 MB of RSS
in the real woff2_compress binary (85,063x amplification). With
more contours this scales to 12+ GB.

The fix rejects fonts with non-monotonic endPtsOfContours before
the subtraction occurs.
---
 src/glyph.cc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/glyph.cc b/src/glyph.cc
index 5b49486..e0c72d2 100644
--- a/src/glyph.cc
+++ b/src/glyph.cc
@@ -95,6 +95,12 @@ bool ReadGlyph(const uint8_t* data, size_t len, Glyph* glyph) {
       if (!buffer.ReadU16(&point_index)) {
         return FONT_COMPRESSION_FAILURE();
       }
+      // endPtsOfContours must be monotonically increasing per the TrueType
+      // spec. A decreasing value wraps the uint16 subtraction below, causing
+      // huge allocations from small inputs (memory-amplification DoS).
+      if (i > 0 && point_index < last_point_index) {
+        return FONT_COMPRESSION_FAILURE();
+      }
       uint16_t num_points = point_index - last_point_index + (i == 0 ? 1 : 0);
       glyph->contours[i].resize(num_points);
       last_point_index = point_index;