From 00968d8fd62105061d92e69b5ccd44077a5a6a9f Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Sun, 29 Jul 2018 10:22:59 +0200
Subject: [PATCH] * src/pcf/pcfread.c (pcf_get_encodings): Another thinko.

Reported as

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9608
---
 ChangeLog | 8 ++++++++
 src/pcf/pcfread.c | 3 ++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index f814bf4d6..578d00996 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2018-07-29 Werner Lemberg
+
+ * src/pcf/pcfread.c (pcf_get_encodings): Another thinko.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9608
+
 2018-07-28 Alexei Podtelezhnikov
 
 [smooth] Fix Harmony memory management.
diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
index 5cf2861d4..69a4b15d0 100644
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@@ -1054,7 +1054,8 @@ THE SOFTWARE.
 /* `stream->cursor' still points at the beginning of the frame; */
 /* we can thus easily get the offset to the default character */
 pos = stream->cursor +
- 2 * ( ( defaultCharRow - (FT_UShort)firstRow ) * 256 +
+ 2 * ( ( defaultCharRow - (FT_UShort)firstRow ) *
+ ( lastCol - firstCol + 1 ) +
 defaultCharCol - (FT_UShort)firstCol );
 
 if ( PCF_BYTE_ORDER( format ) == MSBFirst )
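Review bot: The corrected row stride `( lastCol - firstCol + 1 )` in the `pos` computation carries no comment tying it to the table layout, and a wrong assumption about that layout (a fixed 256 entries per row) is what the fuzzer report exposed. I would extend the existing comment with something like `/* each row holds ( lastCol - firstCol + 1 ) two-byte entries, not 256 */` so the stride is not "simplified" back later. The row and column values presumably come from the font file, so `pos` stays inside the frame only if `defaultCharRow` and `defaultCharCol` were already confined to `firstRow..lastRow` and `firstCol..lastCol`, and `firstCol <= lastCol` holds. None of that validation is visible in this hunk, so it is worth confirming it precedes this expression in `pcf_get_encodings`, whose body starts and ends outside the hunk. A minor style point: the new line omits the `(FT_UShort)` casts used on `firstRow` and `firstCol` in the neighbouring terms; if those casts matter for the operand types, apply them consistently.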