From 012b4f2d48b602863330633cc0450b87200d778e Mon Sep 17 00:00:00 2001
From: Alexei Podtelezhnikov
Date: Fri, 8 Oct 2021 22:14:12 -0400
Subject: [PATCH] * src/cid/cidload.c (cid_face_open): Streamline CIDCount check.
---
 src/cid/cidload.c | 40 ++++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/src/cid/cidload.c b/src/cid/cidload.c
index 75f3d4c8f..1f3f6d7c4 100644
--- a/src/cid/cidload.c
+++ b/src/cid/cidload.c
@@ -776,7 +776,6 @@
 CID_FaceInfo cid = &face->cid;
 FT_ULong binary_length;
- FT_ULong entry_len;
 cid_init_loader( &loader, face );
@@ -853,7 +852,24 @@
 }
 binary_length = face->cid_stream->size - cid->data_offset;
- entry_len = cid->fd_bytes + cid->gd_bytes;
+
+ if ( cid->cidmap_offset > binary_length )
+ {
+ FT_ERROR(( "cid_face_open: Invalid `CIDMapOffset' value\n" ));
+ error = FT_THROW( Invalid_File_Format );
+ goto Exit;
+ }
+
+ /* the initial pre-check prevents the multiplication overflow */
+ if ( cid->cid_count > FT_ULONG_MAX / 8 ||
+ cid->cid_count * ( cid->fd_bytes + cid->gd_bytes ) >
+ binary_length - cid->cidmap_offset )
+ {
+ FT_ERROR(( "cid_face_open: Invalid `CIDCount' value\n" ));
+ error = FT_THROW( Invalid_File_Format );
+ goto Exit;
+ }
+
 for ( n = 0; n < cid->num_dicts; n++ )
 {
@@ -902,8 +918,8 @@
 goto Exit;
 }
- /* The first condition prevents the multiplication overflow */
- if ( dict->num_subrs > UINT_MAX / 4 ||
+ /* the initial pre-check prevents the multiplication overflow */
+ if ( dict->num_subrs > FT_UINT_MAX / 4 ||
 dict->num_subrs * dict->sd_bytes >
 binary_length - dict->subrmap_offset )
 {
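Review bot: The divisor in the new pre-check `cid->cid_count > FT_ULONG_MAX / 8` (hunk at -853) silently assumes that `cid->fd_bytes + cid->gd_bytes` can never exceed 8, and nothing visible in this hunk enforces or states that bound. These fields are read from the font file, so the overflow guard is only sound if an earlier check in cid_face_open, outside the hunk, caps both values; if it does, record the dependency next to the guard, e.g. `/* FDBytes and GDBytes are each capped at 4 above, so an entry is at most 8 bytes */`. The guard also relies on the product being evaluated at FT_ULong width, which depends on field types declared elsewhere and is worth confirming. The same applies to `FT_UINT_MAX / 4` and `dict->sd_bytes` in the hunk at -902, whose enclosing loop body starts and ends outside that hunk.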
@@ -913,22 +929,6 @@
 }
 }
- if ( cid->cidmap_offset > binary_length )
- {
- FT_ERROR(( "cid_face_open: Invalid `CIDMapOffset' value\n" ));
- error = FT_THROW( Invalid_File_Format );
- goto Exit;
- }
-
- if ( entry_len &&
- cid->cid_count >
- ( binary_length - cid->cidmap_offset ) / entry_len )
- {
- FT_ERROR(( "cid_face_open: Invalid `CIDCount' value\n" ));
- error = FT_THROW( Invalid_File_Format );
- goto Exit;
- }
-
 /* we can now safely proceed */
 error = cid_read_subrs( face );