From 5614090725658439e7b4260c50a031c7355bab2a Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Wed, 26 Oct 2016 08:10:59 +0200
Subject: [PATCH] * src/type1/t1load.c (parse_subrs): Fix limit check.

Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=81
---
 ChangeLog | 8 ++++++++
 src/type1/t1load.c | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 5dd973ef5..1cd94bb52 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2016-10-26 Werner Lemberg
+
+ * src/type1/t1load.c (parse_subrs): Fix limit check.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=81
+
 2016-10-25 Alexei Podtelezhnikov
 
 [cff] Correct cmap format reporting (#24819).
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index aa259198f..c573a469a 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1433,7 +1433,7 @@
 }
 
 /* we certainly need more than 8 bytes per subroutine */
- if ( parser->root.limit > parser->root.cursor &&
+ if ( parser->root.limit >= parser->root.cursor &&
 num_subrs > ( parser->root.limit - parser->root.cursor ) >> 3 )
 {
 /*
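Review bot: The guard in the changed `if` still skips the subroutine-count sanity check entirely whenever `parser->root.cursor` has already advanced past `parser->root.limit`, because the first operand of `&&` is then false and the size comparison is never evaluated; the commit only closes the `cursor == limit` case. If that state is reachable at this point (the body of the `if` and the rest of parse_subrs lie outside the hunk, so I cannot confirm what the branch does), the condition should fail closed rather than fall through, e.g. `if ( parser->root.limit < parser->root.cursor || num_subrs > ( parser->root.limit - parser->root.cursor ) >> 3 )`. The comment above the check would also benefit from stating the boundary the fix depends on, e.g. `/* we certainly need more than 8 bytes per subroutine; cursor == limit means no bytes remain, so any num_subrs > 0 must be rejected too */`.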