From fb0d66d04c4dd8d7f9604af1a6001b2737cb5098 Mon Sep 17 00:00:00 2001
From: Ben Wagner <bungeman@google.com>
Date: Wed, 7 Nov 2018 00:47:44 +0100
Subject: [PATCH] [truetype] Fix VF check from 2018-09-12 (#54973).

* src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): Use correct
offsets for estimates.
---
 ChangeLog              | 7 +++++++
 src/truetype/ttgxvar.c | 4 ++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 48e7836c6..2b8fce821 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2018-11-07  Ben Wagner  <bungeman@google.com>
+
+	[truetype] Fix VF check from 2018-09-12 (#54973).
+
+	* src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): Use correct
+	offsets for estimates.
+
 2018-11-06  Werner Lemberg  <wl@gnu.org>
 
 	[pshinter] Fix numeric overflow.
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index ae425e48e..8fda112b0 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -3725,8 +3725,8 @@
     offsetToData = FT_GET_USHORT();
 
     /* rough sanity test */
-    if ( offsetToData + ( tupleCount & GX_TC_TUPLE_COUNT_MASK ) * 4 >
-           dataSize )
+    if ( offsetToData > dataSize                                ||
+         ( tupleCount & GX_TC_TUPLE_COUNT_MASK ) * 4 > dataSize )
     {
       FT_TRACE2(( "TT_Vary_Apply_Glyph_Deltas:"
                   " invalid glyph variation array header\n" ));