From 60d13bd432f56421ed63c5bf14a73e006e9bf7ad Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Mon, 21 Dec 2015 17:27:17 +0100
Subject: [PATCH] [type1] Avoid shift of negative numbers (#46732).

* src/type1/t1load.c (parse_subrs): Do it.
---
 ChangeLog          | 6 ++++++
 src/type1/t1load.c | 3 ++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index fa3273543..fee0e5ae3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-12-21  Werner Lemberg  <wl@gnu.org>
+
+	[type1] Avoid shift of negative numbers (#46732).
+
+	* src/type1/t1load.c (parse_subrs): Do it.
+
 2015-12-20  Werner Lemberg  <wl@gnu.org>
 
 	[type1, psaux] Handle large values of num_subrs correctly (#46692).
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index 3fb3cd28b..4cb6ef048 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1433,7 +1433,8 @@
     }
 
     /* we certainly need more than 8 bytes per subroutine */
-    if ( num_subrs > ( parser->root.limit - parser->root.cursor ) >> 3 )
+    if ( parser->root.limit > parser->root.cursor                      &&
+         num_subrs > ( parser->root.limit - parser->root.cursor ) >> 3 )
     {
       /*
        * There are two possibilities.  Either the font contains an invalid