From 7c75b8a7bdd738192a6aa1556bc38f72b6019e88 Mon Sep 17 00:00:00 2001
From: Alexei Podtelezhnikov <apodtele@gmail.com>
Date: Thu, 1 Aug 2024 19:14:44 -0400
Subject: [PATCH] [truetype/GX] Use more robust conditions.

* src/truetype/ttgxvar.c (ft_var_readpacked{points,deltas}): Rewrite
conditions to avoid undefined behavior.
---
 src/truetype/ttgxvar.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index b4325b1f8..22de98f9e 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -187,7 +187,7 @@
 
       if ( runcnt & GX_PT_POINTS_ARE_WORDS )
       {
-        if ( p + 2 * cnt > stream->limit )
+        if ( 2 * cnt > (FT_UInt)( stream->limit - p ) )
           goto Fail;
 
         for ( j = 0; j < cnt; j++ )
@@ -198,7 +198,7 @@
       }
       else
       {
-        if ( p + cnt > stream->limit )
+        if ( cnt > (FT_UInt)( stream->limit - p ) )
           goto Fail;
 
         for ( j = 0; j < cnt; j++ )
@@ -274,9 +274,7 @@
     while ( i < delta_cnt )
     {
       if ( p >= stream->limit )
-      {
         goto Fail;
-      }
 
       runcnt = FT_NEXT_BYTE( p );
       cnt    = runcnt & GX_DT_DELTA_RUN_COUNT_MASK;
@@ -293,7 +291,7 @@
       }
       else if ( runcnt & GX_DT_DELTAS_ARE_WORDS )
       {
-        if ( p + 2 * cnt > stream->limit )
+        if ( 2 * cnt > (FT_UInt)( stream->limit - p ) )
           goto Fail;
 
         for ( j = 0; j < cnt; j++ )
@@ -301,7 +299,7 @@
       }
       else
       {
-        if ( p + cnt > stream->limit )
+        if ( cnt > (FT_UInt)( stream->limit - p ) )
           goto Fail;
 
         for ( j = 0; j < cnt; j++ )