From 2de6b8a3db5f8544a42276364b3dcc1ec7024d67 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Sat, 17 Jul 2010 13:39:50 +0200
Subject: [PATCH] [cff] Final try to fix `hintmask' and `cntrmask' limit check.

Problem reported by Tobias Wolf <towolf@gmail.com>.

* src/cff/cffgload.c (cff_decoder_parse_charstrings)
<cff_op_hintmask>: Sigh.  I'm apparently too silly to fix this
correctly in less than three tries.
---
 ChangeLog          | 10 ++++++++++
 src/cff/cffgload.c |  2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index df818eed4..334a23de8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2010-07-17  Werner Lemberg  <wl@gnu.org>
+
+	[cff] Final try to fix `hintmask' and `cntrmask' limit check.
+
+	Problem reported by Tobias Wolf <towolf@gmail.com>.
+
+	* src/cff/cffgload.c (cff_decoder_parse_charstrings)
+	<cff_op_hintmask>: Sigh.  I'm apparently too silly to fix this
+	correctly in less than three tries.
+
 2010-07-12  Werner Lemberg  <wl@gnu.org>
 
 	* Version 2.4.0 released.
diff --git a/src/cff/cffgload.c b/src/cff/cffgload.c
index 4a5f8f006..347041cfe 100644
--- a/src/cff/cffgload.c
+++ b/src/cff/cffgload.c
@@ -1344,7 +1344,7 @@
           /* instruction).  Additionally, there must be space for  */
           /* `num_hints' bits.                                     */
 
-          if ( ( ip + 1 + ( ( decoder->num_hints + 7 ) >> 3 ) ) >= limit )
+          if ( ( ip + ( ( decoder->num_hints + 7 ) >> 3 ) ) >= limit )
             goto Syntax_Error;
 
           if ( hinter )