From df2cf43e94fcf43d2d4b7574495eb3a0a9d5858a Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Fri, 16 Dec 2016 11:38:20 +0100
Subject: [PATCH] [truetype] Fix `cvar' sanity test.

Reported by Dave Arnold.

* src/truetype/ttgxvar.c (tt_face_vary_cvt): Use tuple count mask.
---
 ChangeLog              | 8 ++++++++
 src/truetype/ttgxvar.c | 3 ++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 8fed6a2a3..b89a08255 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2016-12-16  Werner Lemberg  <wl@gnu.org>
+
+	[truetype] Fix `cvar' sanity test.
+
+	Reported by Dave Arnold.
+
+	* src/truetype/ttgxvar.c (tt_face_vary_cvt): Use tuple count mask.
+
 2016-12-16  Werner Lemberg  <wl@gnu.org>
 
 	[cff, truetype] Remove compiler warnings; fix `make multi'.
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index dae0cb7ed..12a316036 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -2020,7 +2020,8 @@
     offsetToData = FT_GET_USHORT();
 
     /* rough sanity test */
-    if ( offsetToData + tupleCount * 4 > table_len )
+    if ( offsetToData + ( tupleCount & GX_TC_TUPLE_COUNT_MASK ) * 4 >
+           table_len )
     {
       FT_TRACE2(( "tt_face_vary_cvt:"
                   " invalid CVT variation array header\n" ));