From 1c85479d2d1de54a4b592ffbef0ae24f498053d2 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Tue, 4 Jul 2017 08:08:54 +0200
Subject: [PATCH] [truetype] Prevent address overflow (#51365).

* src/truetype/ttgxvar.c (FT_Stream_SeekSet): Add guard.
---
 ChangeLog              | 6 ++++++
 src/truetype/ttgxvar.c | 6 ++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 8b2d72275..f1ca0f516 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2017-07-04  Werner Lemberg  <wl@gnu.org>
+
+	[truetype] Prevent address overflow (#51365).
+
+	* src/truetype/ttgxvar.c (FT_Stream_SeekSet): Add guard.
+
 2017-07-03  Alexei Podtelezhnikov  <apodtele@gmail.com>
 
 	* src/base/ftlcdfil.c (ft_lcd_filter_fir): Improve code.
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index f2049796d..9125afd10 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -60,8 +60,10 @@
 
 #define FT_Stream_FTell( stream )                         \
           (FT_ULong)( (stream)->cursor - (stream)->base )
-#define FT_Stream_SeekSet( stream, off )                  \
-          ( (stream)->cursor = (stream)->base + (off) )
+#define FT_Stream_SeekSet( stream, off )                                  \
+          (stream)->cursor = ( (off) < (stream)->limit - (stream)->base ) \
+                               ? (stream)->base + (off)                   \
+                               : (stream)->limit
 
 
   /*************************************************************************/