From 95f206b1eab43f4e32119270151c44e46deae5d9 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Tue, 21 Mar 2006 20:47:28 +0000
Subject: [PATCH] * src/sfnt/ttcmap.c (tt_face_build_cmaps): Handle invalid offset correctly.
---
 ChangeLog | 3 +++
 src/sfnt/ttcmap.c | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 480a6a68a..1f11d5677 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,9 @@
 Check range of `glyph_index'.
 * src/cff/cffgload.h: Updated.
+ * src/sfnt/ttcmap.c (tt_face_build_cmaps): Handle invalid offset
+ correctly.
+
 2006-03-21 David Turner
 * src/autofit/aflatin.c (af_latin_metrics_scale): Fix small bug
diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
index 4c1a3402b..d8f2ae32e 100644
--- a/src/sfnt/ttcmap.c
+++ b/src/sfnt/ttcmap.c
@@ -2271,7 +2271,7 @@
 charmap.encoding = FT_ENCODING_NONE; /* will be filled later */
 offset = TT_NEXT_ULONG( p );
- if ( offset && table + offset + 2 <= limit )
+ if ( offset && offset <= face->cmap_size - 2 )
 {
 FT_Byte* cmap = table + offset;
 volatile FT_UInt format = TT_PEEK_USHORT( cmap );
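Review bot: The new bound `offset <= face->cmap_size - 2` in the src/sfnt/ttcmap.c hunk subtracts before comparing, so if `cmap_size` is an unsigned type (its declaration is not in the hunk) and a font supplies a cmap table shorter than 2 bytes, the right-hand side wraps to a very large value and every non-zero offset is accepted. Unless an earlier check in `tt_face_build_cmaps` already guarantees the table is at least that long (the function starts and ends outside this hunk), guard the subtraction, e.g. `if ( offset && face->cmap_size >= 2 && offset <= face->cmap_size - 2 )`, or record the invariant in a comment next to the test. The check also covers only the two-byte format field read by `TT_PEEK_USHORT( cmap )`; any read past it has to be bounded by the per-format validation, which is not visible here.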