[sfnt] Fix Savannah bug #43590.

* src/sfnt/ttload.c (check_table_dir, tt_face_load_font_dir):
Protect against addition overflow.

ChangeLog

@@ -1,3 +1,10 @@
+2014-11-12  Werner Lemberg  <wl@gnu.org>
+
+	[sfnt] Fix Savannah bug #43590.
+
+	* src/sfnt/ttload.c (check_table_dir, tt_face_load_font_dir):
+	Protect against addition overflow.
+
 2014-11-12  Werner Lemberg  <wl@gnu.org>
 
 	[sfnt] Fix Savannah bug #43589.

src/sfnt/ttload.c

@@ -5,7 +5,7 @@
 /*    Load the basic TrueType tables, i.e., tables that can be either in   */
 /*    TTF or OTF fonts (body).                                             */
 /*                                                                         */
-/*  Copyright 1996-2010, 2012, 2013 by                                     */
+/*  Copyright 1996-2010, 2012-2014 by                                      */
 /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
 /*                                                                         */
 /*  This file is part of the FreeType project, and may only be used,       */
@@ -207,7 +207,10 @@
       }
 
       /* we ignore invalid tables */
-      if ( table.Offset + table.Length > stream->size )
+
+      /* table.Offset + table.Length > stream->size ? */
+      if ( table.Length > stream->size                ||
+           table.Offset > stream->size - table.Length )
       {
         FT_TRACE2(( "check_table_dir: table entry %d invalid\n", nn ));
         continue;
@@ -395,7 +398,10 @@
       entry->Length   = FT_GET_ULONG();
 
       /* ignore invalid tables */
-      if ( entry->Offset + entry->Length > stream->size )
+
+      /* entry->Offset + entry->Length > stream->size ? */
+      if ( entry->Length > stream->size                 ||
+           entry->Offset > stream->size - entry->Length )
         continue;
       else
       {