From 6a19a7d332c5446542196e5aeda0ede109ef097b Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Mon, 26 Oct 2015 15:40:22 +0100
Subject: [PATCH] [truetype] Fix sanitizing logic for `loca' (#46223).

* src/truetype/ttpload.c (tt_face_load_loca): A thinko caused an
incorrect adjustment of the number of glyphs, most often using far
too large values.
---
 ChangeLog              |  8 ++++++++
 src/truetype/ttpload.c | 12 ++++++++----
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index f427eb0bd..a19acf07b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2015-10-26  Werner Lemberg  <wl@gnu.org>
+
+	[truetype] Fix sanitizing logic for `loca' (#46223).
+
+	* src/truetype/ttpload.c (tt_face_load_loca): A thinko caused an
+	incorrect adjustment of the number of glyphs, most often using far
+	too large values.
+
 2015-10-25  Werner Lemberg  <wl@gnu.org>
 
 	[autofit] Improve tracing.
diff --git a/src/truetype/ttpload.c b/src/truetype/ttpload.c
index 814c90c3d..9bf67f963 100644
--- a/src/truetype/ttpload.c
+++ b/src/truetype/ttpload.c
@@ -124,8 +124,9 @@
         TT_Table  entry = face->dir_tables;
         TT_Table  limit = entry + face->num_tables;
 
-        FT_Long   pos  = (FT_Long)FT_STREAM_POS();
-        FT_Long   dist = 0x7FFFFFFFL;
+        FT_Long  pos   = (FT_Long)FT_STREAM_POS();
+        FT_Long  dist  = 0x7FFFFFFFL;
+        FT_Bool  found = 0;
 
 
         /* compute the distance to next table in font file */
@@ -135,10 +136,13 @@
 
 
           if ( diff > 0 && diff < dist )
-            dist = diff;
+          {
+            dist  = diff;
+            found = 1;
+          }
         }
 
-        if ( entry == limit )
+        if ( !found )
         {
           /* `loca' is the last table */
           dist = (FT_Long)stream->size - pos;