From dfc9a049ded53e2ca5c9b935f912a476d6f676ed Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Thu, 5 Dec 2019 08:44:30 +0100
Subject: [PATCH] * src/truetype/ttinterp.c (TT_RunIns): Use `FT_OFFSET'.

Reported as

https://bugs.chromium.org/p/chromium/issues/detail?id=1030614
---
ChangeLog | 8 ++++++++
src/truetype/ttinterp.c | 2 +-
2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 1660afa9b..0506b2a96 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2019-12-05 Werner Lemberg
+
+ * src/truetype/ttinterp.c (TT_RunIns): Use `FT_OFFSET'.
+
+ Reported as
+
+ https://bugs.chromium.org/p/chromium/issues/detail?id=1030614
+
 2019-12-03 Werner Lemberg
 
 More nullptr offset UBSan warnings (#57331, #57347).
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index 1357890f6..cedc4a522 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -8567,7 +8567,7 @@
 case FT_ERR( Invalid_Opcode ):
 {
 TT_DefRecord* def = exc->IDefs;
- TT_DefRecord* limit = def + exc->numIDefs;
+ TT_DefRecord* limit = FT_OFFSET( def, exc->numIDefs );
 
 
 for ( ; def < limit; def++ )
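Review bot: The new `limit` line in the ttinterp.c hunk is correct only because `FT_OFFSET` is expected to skip the addition when `exc->numIDefs` is zero, which is what keeps a NULL `exc->IDefs` from producing `NULL + 0` (the nullptr-offset case UBSan reports in the linked bug); nothing in the hunk records that assumption, so a later reader will see a needless macro around a plain pointer addition and may revert it. A one-line comment above the declaration would preserve the intent, e.g. `/* IDefs may be NULL when numIDefs == 0; FT_OFFSET avoids NULL + 0 */`. The `def < limit` loop itself is safe in that case, since both pointers are then NULL and the body never runs. TT_RunIns, the enclosing function, starts and ends outside the hunk, and it may contain other `base + count` limit computations over a possibly-NULL base; those should be checked rather than assumed covered by the earlier nullptr-offset commits referenced in the ChangeLog context.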