[truetype] Fix VF check from 2018-09-12 (#54973).

* src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): Use correct offsets for estimates.
author: Ben Wagner <bungeman@google.com> 2018-11-07 00:47:44 +0100
committer: Werner Lemberg <wl@gnu.org> 2018-11-07 00:47:44 +0100
commit: fb0d66d04c4dd8d7f9604af1a6001b2737cb5098 (patch)
tree: 74ea224f37f99f208d94f8fb907fa2b9fb2ea703
parent: fbd24523461d57d38bd040d842f9fba2690545cd (diff)
download: freetype2-fb0d66d04c4dd8d7f9604af1a6001b2737cb5098.tar.gz
2 files changed, 9 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 48e7836c6..2b8fce821 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2018-11-07  Ben Wagner  <bungeman@google.com>
+
+	[truetype] Fix VF check from 2018-09-12 (#54973).
+
+	* src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): Use correct
+	offsets for estimates.
+
 2018-11-06  Werner Lemberg  <wl@gnu.org>
 
 	[pshinter] Fix numeric overflow.
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index ae425e48e..8fda112b0 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -3725,8 +3725,8 @@
     offsetToData = FT_GET_USHORT();
 
     /* rough sanity test */
-    if ( offsetToData + ( tupleCount & GX_TC_TUPLE_COUNT_MASK ) * 4 >
-           dataSize )
+    if ( offsetToData > dataSize                                ||
+         ( tupleCount & GX_TC_TUPLE_COUNT_MASK ) * 4 > dataSize )
     {
       FT_TRACE2(( "TT_Vary_Apply_Glyph_Deltas:"
                   " invalid glyph variation array header\n" ));
author	Ben Wagner <bungeman@google.com>	2018-11-07 00:47:44 +0100
committer	Werner Lemberg <wl@gnu.org>	2018-11-07 00:47:44 +0100
commit	fb0d66d04c4dd8d7f9604af1a6001b2737cb5098 (patch)
tree	74ea224f37f99f208d94f8fb907fa2b9fb2ea703
parent	fbd24523461d57d38bd040d842f9fba2690545cd (diff)
download	freetype2-fb0d66d04c4dd8d7f9604af1a6001b2737cb5098.tar.gz