Only in b: 1.patch
diff -dupr a/src/cairo-truetype-subset.c b/src/cairo-truetype-subset.c
--- a/src/cairo-truetype-subset.c 2016-12-07 17:59:06.000000000 -0800
+++ b/src/cairo-truetype-subset.c 2017-10-10 16:52:02.064566920 -0700
@@ -1285,6 +1285,10 @@ _cairo_truetype_reverse_cmap (cairo_scal
 return CAIRO_INT_STATUS_UNSUPPORTED;
 
 size = be16_to_cpu (map->length);
+ /* minimum table size is 24 bytes */
+ if (size < 24)
+ return CAIRO_INT_STATUS_UNSUPPORTED;
+
 map = malloc (size);
 if (unlikely (map == NULL))
 return _cairo_error (CAIRO_STATUS_NO_MEMORY);
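Review bot: The added `if (size < 24)` guard only enforces a fixed lower bound on the length field read from the font's cmap subtable; it does not tie `size` to the segment count that a format 4 subtable also declares. If the code after the `malloc` (outside this hunk) indexes the per-segment arrays using a count read from the table, a font with a small `length` and a large segment count could still cause reads past the allocation, so a second check once the table is loaded, comparing `size` with the space needed for the 8 header words plus four arrays of segment-count entries, would be worth adding. The comment could also say where 24 comes from, e.g. `/* format 4: 8 uint16 header fields (16 bytes) + four arrays of at least one uint16 each (8 bytes) */`. `_cairo_truetype_reverse_cmap` starts and ends outside the hunk, so the later accesses could not be confirmed here.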