authorWerner Lemberg <wl@gnu.org>2010-07-05 06:40:02 +0200
committerWerner Lemberg <wl@gnu.org>2010-07-05 06:40:02 +0200
commit2dc76a46509d1acbbbdf82987a690c0f9f777b92 (patch)
treeafebc30faa0136e2234bd375ee8771f5ac84318b /src/cff/cffgload.c
parent0ae3271814982524dfd210dee09031c2430d473f (diff)
[cff] Next try to fix `hintmask' and `cntrmask' limit check.
Problem reported by malc <av1474@comtv.ru>. * src/cff/cffgload.c (cff_decoder_parse_charstrings) <cff_op_hintmask>: It is possible that there is just a single byte after the `hintmask' or `cntrmask', e.g., a `return' instruction.
Diffstat (limited to 'src/cff/cffgload.c')
-rw-r--r--src/cff/cffgload.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/src/cff/cffgload.c b/src/cff/cffgload.c
index f81b2f40a..4a5f8f006 100644
--- a/src/cff/cffgload.c
+++ b/src/cff/cffgload.c
@@ -1339,12 +1339,12 @@
decoder->num_hints += num_args / 2;
}
- /* In a valid charstring there must be at least three bytes */
- /* after `hintmask' or `cntrmask' (two for a `moveto' */
- /* operator and one for `endchar'). Additionally, there */
- /* must be space for `num_hints' bits. */
+ /* In a valid charstring there must be at least one byte */
+ /* after `hintmask' or `cntrmask' (e.g., for a `return' */
+ /* instruction). Additionally, there must be space for */
+ /* `num_hints' bits. */
- if ( ( ip + 3 + ( ( decoder->num_hints + 7 ) >> 3 ) ) >= limit )
+ if ( ( ip + 1 + ( ( decoder->num_hints + 7 ) >> 3 ) ) >= limit )
goto Syntax_Error;
if ( hinter )
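Review bot: The new bound on the `ip + 1 + ...` line appears to demand one byte more than the rewritten comment promises. This assumes `ip` already points at the first mask byte here; the code that advances past the operator is outside the hunk. With N mask bytes, `ip + 1 + N >= limit` still jumps to `Syntax_Error` when exactly one byte (the `return` from the commit message) follows the mask, so either the `+ 1` or the comment should change. Separately, `num_hints` is accumulated from charstring data and the sum is formed as a pointer before it is compared, so it can point past `limit`; comparing lengths avoids that while keeping the same condition, e.g. `if ( limit - ip <= 1 + ( ( decoder->num_hints + 7 ) >> 3 ) )`. The enclosing function starts and ends outside the hunk.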