[kerx/morx] Make sure object length is sanitized before accessing it

src/hb-aat-layout-kerx-table.hh

@@ -962,6 +962,11 @@ struct KerxTable
     unsigned int count = thiz()->tableCount;
     for (unsigned int i = 0; i < count; i++)
     {
+      if (unlikely (!st->u.header.sanitize (c)))
+      {
+	c->reset_object ();
+	return_trace (false);
+      }
       /* OpenType kern table has 2-byte subtable lengths.  That's limiting.
        * MS implementation also only supports one subtable, of format 0,
        * anyway.  Certain versions of some fonts, like Calibry, contain

src/hb-aat-layout-morx-table.hh

@@ -1061,6 +1061,11 @@ struct Chain
     unsigned int count = subtableCount;
     for (unsigned int i = 0; i < count; i++)
     {
+      if (unlikely (!c->check_struct (subtable)))
+      {
+	c->reset_object ();
+	return_trace (false);
+      }
       c->set_object (*subtable);
       if (!subtable->sanitize (c))
 	return_trace (false);