Only in b: 1.patch
diff -dupr a/src/cairo-truetype-subset.c b/src/cairo-truetype-subset.c
--- a/src/cairo-truetype-subset.c	2016-12-07 17:59:06.000000000 -0800
+++ b/src/cairo-truetype-subset.c	2017-10-10 16:52:02.064566920 -0700
@@ -1285,6 +1285,10 @@ _cairo_truetype_reverse_cmap (cairo_scal
 	return CAIRO_INT_STATUS_UNSUPPORTED;
 
     size = be16_to_cpu (map->length);
+    /* minimum table size is 24 bytes */
+    if (size < 24)
+	return CAIRO_INT_STATUS_UNSUPPORTED;
+
     map = malloc (size);
     if (unlikely (map == NULL))
 	return _cairo_error (CAIRO_STATUS_NO_MEMORY);
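Review bot: The new `size < 24` guard only ensures the font-supplied `map->length` covers the fixed minimum, so any later indexing that depends on a segment count read from the same table still needs its own comparison against `size`. That code is outside this hunk, as the function body starts before it and continues past it, so it is worth confirming the check exists after the table is loaded. The comment would also be easier to audit if it showed where 24 comes from, e.g. `/* 8 uint16_t header fields + 4 arrays of one uint16_t each = 24 bytes */`, assuming this is the format 4 subtable layout. A named constant, or an expression in terms of `sizeof (uint16_t)`, would keep the number from drifting away from the struct definition.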