From f46add13895337ece929b18bb8f036431b3fb538 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Wed, 12 Nov 2014 21:06:08 +0100
Subject: [PATCH] [sfnt] Fix Savannah bug #43589.
* src/sfnt/sfobjs.c (woff_open_font): Protect against addition overflow.
---
 ChangeLog | 7 +++++++
 src/sfnt/sfobjs.c | 6 ++++--
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 5db11302e..417af863b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2014-11-12 Werner Lemberg
+
+ [sfnt] Fix Savannah bug #43589.
+
+ * src/sfnt/sfobjs.c (woff_open_font): Protect against addition
+ overflow.
+
 2014-11-12 Werner Lemberg
 [sfnt] Fix Savannah bug #43588.
diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c
index cfea9cd0b..70b988d65 100644
--- a/src/sfnt/sfobjs.c
+++ b/src/sfnt/sfobjs.c
@@ -567,8 +567,10 @@
 if ( table->Offset != woff_offset ||
- table->Offset + table->CompLength > woff.length ||
- sfnt_offset + table->OrigLength > woff.totalSfntSize ||
+ table->CompLength > woff.length ||
+ table->Offset > woff.length - table->CompLength ||
+ table->OrigLength > woff.totalSfntSize ||
+ sfnt_offset > woff.totalSfntSize - table->OrigLength ||
 table->CompLength > table->OrigLength )
 {
 error = FT_THROW( Invalid_Table );
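Review bot: The two subtraction-form tests in the new condition (`table->Offset > woff.length - table->CompLength` and `sfnt_offset > woff.totalSfntSize - table->OrigLength`) are wrap-free only because the test directly before each one bounds the subtrahend and `||` short-circuits, and nothing in the code records that dependency. A comment above the `if`, such as `/* compare against the remaining space; the preceding test keeps each subtraction from wrapping, so do not reorder */`, would keep a later reordering from reintroducing the overflow. The checks also bound each table only against `woff.length` and `woff.totalSfntSize`, which presumably come from the font's own header, so it is worth confirming that those fields are validated against the actual stream size; that code is outside this hunk. The `if` body and the rest of `woff_open_font` also continue outside the hunk.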