From 2f21205b61d5c0784f7a67519fed5753440daec9 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod
Date: Fri, 25 Oct 2024 16:15:02 -0600
Subject: [PATCH] [CFF2] Lift uint16 VariationStore.length limitation

Fixes https://github.com/khaledhosny/ots/issues/290
---
 src/cff.cc | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/cff.cc b/src/cff.cc
index 95ff7f74..e8b8898f 100644
--- a/src/cff.cc
+++ b/src/cff.cc
@@ -588,19 +588,23 @@ bool ParsePrivateDictData(
 }
 
 bool ParseVariationStore(ots::OpenTypeCFF& out_cff, ots::Buffer& table) {
-  uint16_t length;
+  uint16_t encoded_length;
 
-  if (!table.ReadU16(&length)) {
+  if (!table.ReadU16(&encoded_length)) {
     return OTS_FAILURE();
   }
 
+  unsigned length = encoded_length;
+
   // Empty VariationStore is allowed.
   if (!length) {
     return true;
   }
 
-  if (length > table.remaining()) {
+  if (length != 65535 && length > table.remaining()) {
     return OTS_FAILURE();
+  } else {
+    length = table.remaining();
   }
 
   if (!ParseItemVariationStore(out_cff.GetFont(),
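Review bot: The new `else` branch runs for every store that passes the check, not only for the 65535 sentinel, so a declared length that fits within the table is silently replaced by `table.remaining()` and the whole rest of the CFF table is treated as the variation store; the declared bound is lost for all non-sentinel inputs, which is the opposite of what a sanitizer's length check is for. Restructure it as `if (length == 65535) { length = table.remaining(); } else if (length > table.remaining()) { return OTS_FAILURE(); }` so only the sentinel widens the length. The 65535 value is undocumented in the hunk; a comment such as `// 65535: store extends to the end of the table (lifts the uint16 length limit)` would record the intent, and whether this sentinel comes from the spec or is a convention of this parser is worth confirming in the commit. ParseVariationStore continues past the end of the hunk, so whatever the remaining code does with `length` (for example skipping past the store) presumably inherits the inflated value.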