diff --git a/ChangeLog b/ChangeLog index fa3273543..fee0e5ae3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2015-12-21 Werner Lemberg + + [type1] Avoid shift of negative numbers (#46732). + + * src/type1/t1load.c (parse_subrs): Do it. + 2015-12-20 Werner Lemberg [type1, psaux] Handle large values of num_subrs correctly (#46692). diff --git a/src/type1/t1load.c b/src/type1/t1load.c index 3fb3cd28b..4cb6ef048 100644 --- a/src/type1/t1load.c +++ b/src/type1/t1load.c @@ -1433,7 +1433,8 @@ } /* we certainly need more than 8 bytes per subroutine */ - if ( num_subrs > ( parser->root.limit - parser->root.cursor ) >> 3 ) + if ( parser->root.limit > parser->root.cursor && + num_subrs > ( parser->root.limit - parser->root.cursor ) >> 3 ) { /* * There are two possibilities. Either the font contains an invalid