[sfnt] Fix bounds check in SVG.
The SVG_DOCUMENT_LIST_MINIMUM_SIZE macro is non-trivial and not protected by parentheses. As a result, the expression table_size - SVG_DOCUMENT_LIST_MINIMUM_SIZE expands to table_size - 2U + SVG_DOCUMENT_RECORD_SIZE instead of the expected table_size - (2U + SVG_DOCUMENT_RECORD_SIZE). This causes an incorrect bounds check which may lead to reading past the end of the SVG table.
- src/sfnt/ttsvg.c (tt_face_load_svg): wrap macro definitions in parentheses.
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45179
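Added example, not part of the commit and not FreeType's code: a small model of the bounds check described above, comparing the unparenthesized macro with the parenthesized one against an independent ground truth. The function names, the `_UNSAFE`/`_FIXED` macro suffixes, the 64-byte table size and the shape of the check are assumptions for illustration; the 12-byte record size follows the OpenType SVG document record layout.

```c
#include <stdint.h>
#include <stdio.h>

/* OpenType SVG document record: startGlyphID(2) + endGlyphID(2)
   + svgDocOffset(4) + svgDocLength(4) = 12 bytes. */
#define SVG_DOCUMENT_RECORD_SIZE               12U
/* Hypothetical names: the macro body as the commit message describes it
   before the fix, and the parenthesized form after it. */
#define SVG_DOCUMENT_LIST_MINIMUM_SIZE_UNSAFE  2U + SVG_DOCUMENT_RECORD_SIZE
#define SVG_DOCUMENT_LIST_MINIMUM_SIZE_FIXED   ( 2U + SVG_DOCUMENT_RECORD_SIZE )

/* Accept `offset` if a document list (2-byte count + one record) fits. */
static int check_unsafe(uint32_t table_size, uint32_t offset)
{
  /* Expands to table_size - 2U + 12U, i.e. table_size + 10. */
  return offset <= table_size - SVG_DOCUMENT_LIST_MINIMUM_SIZE_UNSAFE;
}

static int check_fixed(uint32_t table_size, uint32_t offset)
{
  /* Extra guard added in this example: avoid unsigned wrap-around
     when the table is smaller than the minimum list size. */
  if (table_size < SVG_DOCUMENT_LIST_MINIMUM_SIZE_FIXED)
    return 0;
  return offset <= table_size - SVG_DOCUMENT_LIST_MINIMUM_SIZE_FIXED;
}

/* Ground truth, computed in 64 bits without any macro subtraction. */
static int really_fits(uint32_t table_size, uint32_t offset)
{
  return (uint64_t)offset + 2 + SVG_DOCUMENT_RECORD_SIZE <= table_size;
}

/* Count offsets a check accepts although the list would not fit. */
static unsigned bad_accepts(int (*check)(uint32_t, uint32_t),
                            uint32_t table_size)
{
  unsigned bad = 0;
  for (uint32_t off = 0; off <= table_size + 32; off++)
    if (check(table_size, off) && !really_fits(table_size, off))
      bad++;
  return bad;
}

int main(void)
{
  uint32_t table_size = 64; /* constructed sample value */
  printf("unsafe macro: %u out-of-bounds offsets accepted\n",
         bad_accepts(check_unsafe, table_size));
  printf("fixed macro:  %u out-of-bounds offsets accepted\n",
         bad_accepts(check_fixed, table_size));
  return 0;
}
```

The unsafe form shifts the accepted limit up by twice the record size, so every offset in that window passes the check while the list it points to extends past the table.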