From 257c270bd25e15890190a28a1456e7623bba4439 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Wed, 12 Nov 2014 21:42:13 +0100
Subject: [PATCH] [sfnt] Fix Savannah bug #43591.
* src/sfnt/ttsbit.c (tt_sbit_decoder_init): Protect against addition and multiplication overflow.
---
 ChangeLog | 7 +++++++
 src/sfnt/ttsbit.c | 8 +++++---
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index b42b929e0..a6465e746 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2014-11-12 Werner Lemberg
+
+ [sfnt] Fix Savannah bug #43591.
+
+ * src/sfnt/ttsbit.c (tt_sbit_decoder_init): Protect against addition
+ and multiplication overflow.
+
 2014-11-12 Werner Lemberg
 [sfnt] Fix Savannah bug #43590.
diff --git a/src/sfnt/ttsbit.c b/src/sfnt/ttsbit.c
index da6b01ba4..b37bd7dbb 100644
--- a/src/sfnt/ttsbit.c
+++ b/src/sfnt/ttsbit.c
@@ -394,9 +394,11 @@
 p += 34;
 decoder->bit_depth = *p;
- if ( decoder->strike_index_array > face->sbit_table_size ||
- decoder->strike_index_array + 8 * decoder->strike_index_count >
- face->sbit_table_size )
+ /* decoder->strike_index_array + */
+ /* 8 * decoder->strike_index_count > face->sbit_table_size ? */
+ if ( decoder->strike_index_array > face->sbit_table_size ||
+ decoder->strike_index_count >
+ ( face->sbit_table_size - decoder->strike_index_array ) / 8 )
 error = FT_THROW( Invalid_File_Format );
 }
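Review bot: The two comment lines added above the `if` in the src/sfnt/ttsbit.c hunk restate the old comparison with a trailing `?`, but they do not say why it was rewritten or that the order of the two tests now matters. The subtraction `face->sbit_table_size - decoder->strike_index_array` is only safe because the first operand of `||` has already rejected `strike_index_array > sbit_table_size`; if these fields are unsigned (their declarations are outside the hunk), reordering or splitting the tests would let the difference wrap and the bound pass for a malformed table. I would word the comment as `/* overflow-safe test for array + 8 * count > size; the first test must stay first, it guards the subtraction */`. The literal `8` is presumably the size of one index entry and would read better as a named constant. The enclosing block and tt_sbit_decoder_init itself begin and end outside the hunk.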