From f0292bb9920aa1dbfed5f53861e7c7a89b35833a Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Mon, 24 Nov 2014 10:51:21 +0100
Subject: [PATCH] [sfnt] Fix Savannah bug #43680.

This adds an additional constraint to make the fix from 2013-01-25 really work.

* src/sfnt/ttsbit.c (tt_sbit_decoder_load_image) : Check `p' before `num_glyphs'.
---
 ChangeLog | 10 ++++++++++
 src/sfnt/ttsbit.c | 3 ++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index f53d56b96..5eeb9c508 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2014-11-24 Werner Lemberg
+
+ [sfnt] Fix Savannah bug #43680.
+
+ This adds an additional constraint to make the fix from 2013-01-25
+ really work.
+
+ * src/sfnt/ttsbit.c (tt_sbit_decoder_load_image) :
+ Check `p' before `num_glyphs'.
+
 2014-11-24 Werner Lemberg
 
 [truetype] Fix Savannah bug #43679.
diff --git a/src/sfnt/ttsbit.c b/src/sfnt/ttsbit.c
index b37bd7dbb..c2db96c6d 100644
--- a/src/sfnt/ttsbit.c
+++ b/src/sfnt/ttsbit.c
@@ -1170,7 +1170,8 @@
 num_glyphs = FT_NEXT_ULONG( p );
 
 /* overflow check for p + ( num_glyphs + 1 ) * 4 */
- if ( num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) )
+ if ( p + 4 > p_limit ||
+ num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) )
 goto NoBitmap;
 
 for ( mm = 0; mm < num_glyphs; mm++ )
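Review bot: The new first clause `p + 4 > p_limit` forms the pointer `p + 4` before comparing it, which is undefined behaviour whenever `p` is within four bytes of the end of the table buffer (exactly the case the clause is meant to reject) and the compiler may fold the comparison away; comparing the remaining length avoids that: `if ( p_limit - p < 4 ||`. The effect is the same: with fewer than four bytes left, `( ( p_limit - p ) >> 2 ) - 1` is -1 and the cast to FT_ULong turned it into a huge bound, which is why the 2013 check alone did not hold. The comment above the condition only explains the second clause; a short addition such as `/* need at least 4 bytes left, otherwise the shift below underflows */` would tell the next reader why the first one exists. tt_sbit_decoder_load_image starts and ends outside the hunk, so whether the preceding FT_NEXT_ULONG read of num_glyphs is itself bounded against p_limit cannot be confirmed from here.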