From 3d083fc213c7df18662e1c452b2f8ad56bfa2c4c Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Wed, 12 Jul 2017 00:24:48 +0200
Subject: * src/truetype/ttpload.c (tt_face_get_location): Off-by-one typo.

Also improve tracing message.

Problem reported as

https://bugs.chromium.org/p/chromium/issues/detail?id=738919
---
 ChangeLog              | 10 ++++++++++
 src/truetype/ttpload.c |  8 ++++----
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index fc9efa84a..708c71aac 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2017-07-12 Werner Lemberg
+
+ * src/truetype/ttpload.c (tt_face_get_location): Off-by-one typo.
+
+ Also improve tracing message.
+
+ Problem reported as
+
+ https://bugs.chromium.org/p/chromium/issues/detail?id=738919
+
 2017-07-07 Werner Lemberg
 
 [cff] Integer overflow.
diff --git a/src/truetype/ttpload.c b/src/truetype/ttpload.c
index 70ac15da4..bcf6b34f6 100644
--- a/src/truetype/ttpload.c
+++ b/src/truetype/ttpload.c
@@ -247,13 +247,13 @@
     if ( pos2 > face->glyf_len )
     {
       /* We try to sanitize the last `loca' entry. */
-      if ( gindex == face->num_locations - 1 )
+      if ( gindex == face->num_locations - 2 )
       {
         FT_TRACE1(( "tt_face_get_location:"
-                    " too large offset (0x%08lx) found for glyph index %ld,\n"
+                    " too large size (%ld bytes) found for glyph index %ld,\n"
                     " "
-                    " truncating at the end of `glyf' table (0x%08lx)\n",
-                    pos2, gindex + 1, face->glyf_len ));
+                    " truncating at the end of `glyf' table to %ld bytes\n",
+                    pos2 - pos1, gindex, face->glyf_len - pos1 ));
         pos2 = face->glyf_len;
       }
       else
-- 
cgit v1.2.1
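Review bot: The `- 2` in the new `if ( gindex == face->num_locations - 2 )` is a magic offset, and since this commit exists because the previous `- 1` was a typo, the line deserves a comment saying why 2 is right; assuming `num_locations` counts `loca' entries, something like `/* `loca' has numGlyphs + 1 entries, so the last glyph index is num_locations - 2 */` placed above the condition would stop the off-by-one from creeping back. The truncation `pos2 = face->glyf_len` and the traced `face->glyf_len - pos1` are only meaningful if `pos1 <= face->glyf_len` has already been established; that check is outside the hunk, so it is worth confirming it precedes this block, otherwise the subtraction wraps for an unsigned `pos1`. The three `%ld` conversions now receive `pos2 - pos1`, `gindex` and `face->glyf_len - pos1`; if those are FT_ULong/FT_UInt (their declarations are not visible here), `%lu`/`%u` would be the matching specifiers, and a non-monotonic `loca' pair with `pos1 > pos2` would print a wrapped size rather than a negative one. tt_face_get_location starts and ends outside the hunk, so the `else` branch for non-final glyphs and the earlier range checks are not visible.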