[truetype] Fix `cvar' sanity test.

Reported by Dave Arnold.

* src/truetype/ttgxvar.c (tt_face_vary_cvt): Use tuple count mask.

ChangeLog

@@ -1,3 +1,11 @@
+2016-12-16  Werner Lemberg  <wl@gnu.org>
+
+	[truetype] Fix `cvar' sanity test.
+
+	Reported by Dave Arnold.
+
+	* src/truetype/ttgxvar.c (tt_face_vary_cvt): Use tuple count mask.
+
 2016-12-16  Werner Lemberg  <wl@gnu.org>
 
 	[cff, truetype] Remove compiler warnings; fix `make multi'.

src/truetype/ttgxvar.c

@@ -2020,7 +2020,8 @@
     offsetToData = FT_GET_USHORT();
 
     /* rough sanity test */
-    if ( offsetToData + tupleCount * 4 > table_len )
+    if ( offsetToData + ( tupleCount & GX_TC_TUPLE_COUNT_MASK ) * 4 >
+           table_len )
     {
       FT_TRACE2(( "tt_face_vary_cvt:"
                   " invalid CVT variation array header\n" ));