kc3-lang/freetype

diff --git a/ChangeLog b/ChangeLog
index c0920a0..da6f77b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,19 @@
+2017-12-18  Werner Lemberg  <wl@gnu.org>
+
+	[sfnt] Fix charmap type 2 iterator (#52646).
+
+	The subsetted demo font of the report that exhibits the bug has a
+	very unusual type 2 cmap for Unicode(!): It contains only two
+	sub-headers, one for one-byte characters (covering the range 0x20 to
+	0xFA), and a second one for higher byte 0x01 (just for character
+	code U+0131).
+
+	Before this commit, the iterator wasn't able to correctly handle a
+	sub-header for higher byte 0x01.
+
+	* src/sfnt/ttcmap.c (tt_cmap2_char_next): Fix character increment
+	for outer loop.
+
 2017-12-18  Matthias Clasen  <matthias.clasen@gmail.com>
 
 	[truetype] Minor code beautification.
diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
index b995e5c..f6c02f9 100644
--- a/src/sfnt/ttcmap.c
+++ b/src/sfnt/ttcmap.c
@@ -547,9 +547,19 @@
         }
       }
 
-      /* jump to next sub-header, i.e. higher byte value */
+      /* If `charcode' is <= 0xFF, retry with `charcode + 1'.  If        */
+      /* `charcode' is 0x100 after the loop, do nothing since we have    */
+      /* just reached the first sub-header for two-byte character codes. */
+      /*                                                                 */
+      /* For all other cases, we jump to the next sub-header and adjust  */
+      /* `charcode' accordingly.                                         */
     Next_SubHeader:
-      charcode = FT_PAD_FLOOR( charcode, 256 ) + 256;
+      if ( charcode <= 0xFF )
+        charcode++;
+      else if ( charcode == 0x100 )
+        ;
+      else
+        charcode = FT_PAD_FLOOR( charcode, 0x100 ) + 0x100;
     }
 
   Exit: