Limit the buffer size and execution time

[brawer]

To prevent attacks, impose an upper limit on buffer size and execution time when shaping text. For example, increment a counter on the number of executed OpenType lookups and give up when it gets excessive, and make sure that the rendering buffer does not get excessively large; check out how HarfBuzz does this. See test case GSUB-3.