[sfnt] Fix Savannah bug #43589. * src/sfnt/sfobjs.c (woff_open_font): Protect against addition overflow.
diff --git a/ChangeLog b/ChangeLog
index 5db1130..417af86 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2014-11-12 Werner Lemberg <wl@gnu.org>
+ [sfnt] Fix Savannah bug #43589.
+
+ * src/sfnt/sfobjs.c (woff_open_font): Protect against addition
+ overflow.
+
+2014-11-12 Werner Lemberg <wl@gnu.org>
+
[sfnt] Fix Savannah bug #43588.
* src/sfnt/ttcmap.c (tt_cmap8_validate, tt_cmap10_validate,
diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c
index cfea9cd..70b988d 100644
--- a/src/sfnt/sfobjs.c
+++ b/src/sfnt/sfobjs.c
@@ -567,8 +567,10 @@
if ( table->Offset != woff_offset ||
- table->Offset + table->CompLength > woff.length ||
- sfnt_offset + table->OrigLength > woff.totalSfntSize ||
+ table->CompLength > woff.length ||
+ table->Offset > woff.length - table->CompLength ||
+ table->OrigLength > woff.totalSfntSize ||
+ sfnt_offset > woff.totalSfntSize - table->OrigLength ||
table->CompLength > table->OrigLength )
{
error = FT_THROW( Invalid_Table );
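Review bot: The new guard pairs in this condition depend on their order, and nothing in the code says so. `table->Offset > woff.length - table->CompLength` is only a valid bounds check because the clause before it has already rejected `table->CompLength > woff.length`; the same holds for the `sfnt_offset` / `table->OrigLength` pair against `woff.totalSfntSize`. Assuming these fields are unsigned (their declarations are outside the hunk), reordering the clauses or dropping a length check in a later cleanup would let the subtraction wrap, and an out-of-range table would pass. I would add a comment directly above the `if`, for example `/* compare against limit - length, not offset + length: the sum can wrap; each length is checked first so the subtraction cannot */`. The body of the `if` and the rest of woff_open_font continue outside the hunk, so any later arithmetic on `woff_offset` and `sfnt_offset` is not visible here and may deserve the same look.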