From 01b508f2470a482308187a26b2a9af6bddce87e7 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Wed, 18 Jul 2012 10:38:54 +0200
Subject: [PATCH] Fix Savannah bug #36832.

* src/type1/t1load.c (parse_charstrings): Reject negative number of
glyphs.
---
 ChangeLog          | 7 +++++++
 src/type1/t1load.c | 6 ++++++
 2 files changed, 13 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 6b09d2eb3..19ccf318d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2012-07-16  Werner Lemberg  <wl@gnu.org>
+
+	Fix Savannah bug #36832.
+
+	* src/type1/t1load.c (parse_charstrings): Reject negative number of
+	glyphs.
+
 2012-07-13  Werner Lemberg  <wl@gnu.org>
 
 	Fix Savannah bug #36829.
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index c830f1b06..608496a13 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1514,6 +1514,12 @@
 
 
     num_glyphs = (FT_Int)T1_ToInt( parser );
+    if ( num_glyphs < 0 )
+    {
+      error = T1_Err_Invalid_File_Format;
+      goto Fail;
+    }
+
     /* some fonts like Optima-Oblique not only define the /CharStrings */
     /* array but access it also                                        */
     if ( num_glyphs == 0 || parser->root.error )