From 3b6f9b58443798d5aca993ec0a5a497d8e173c66 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod
Date: Fri, 25 Oct 2024 16:15:02 -0600
Subject: [PATCH] [CFF2] Lift uint16 VariationStore.length limitation

Fixes https://github.com/khaledhosny/ots/issues/290
---
src/cff.cc | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/cff.cc b/src/cff.cc
index 95ff7f74..b1b8f31e 100644
--- a/src/cff.cc
+++ b/src/cff.cc
@@ -588,19 +588,25 @@ bool ParsePrivateDictData(
 } bool ParseVariationStore(ots::OpenTypeCFF& out_cff, ots::Buffer& table) { - uint16_t length; + uint16_t encoded_length; - if (!table.ReadU16(&length)) { + if (!table.ReadU16(&encoded_length)) { return OTS_FAILURE(); } + unsigned length = encoded_length; + // Empty VariationStore is allowed. if (!length) { return true; } - if (length > table.remaining()) { - return OTS_FAILURE(); + if (length != 65535) { + if (length > table.remaining()) { + return OTS_FAILURE(); + } + } else { + length = table.remaining(); } if (!ParseItemVariationStore(out_cff.GetFont(),
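Review bot: The `else` branch that rewrites `length = table.remaining()` carries no comment saying why 65535 is a sentinel rather than a literal length, and the remainder of the table is not necessarily only the VariationStore, so a reader cannot tell whether ParseItemVariationStore is expected to bound itself by the store's own headers or to consume everything it is handed. Add a comment along the lines of `// 0xFFFF means the length field saturated (the store is >= 65535 bytes): pass the rest of the table and let ParseItemVariationStore bound itself by the store's own headers.` and spell the magic number as `UINT16_MAX` (or `std::numeric_limits<uint16_t>::max()`), which `<cstdint>` already provides alongside `uint16_t`. Note that this also loosens the sanitizer: a font declaring 0xFFFF with fewer bytes remaining was rejected before and is now accepted with a silently shortened store, so a warning in that branch would keep the override visible to callers. Whether ParseItemVariationStore tolerates a length that overshoots the actual store is not visible in this hunk; if it requires an exact match, the sentinel path would reject otherwise valid fonts, so that contract is worth confirming. The function body continues past the end of the hunk.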