From 87fefc594eeea8064766b397c93d685e261e2989 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Wed, 21 Oct 2015 20:29:12 +0200
Subject: [PATCH] [type42] Fix heap buffer overflow (#46269).

* src/type42/t42parse.c (t42_parse_sfnts): Fix off-by-one error in
bounds checking.
---
 ChangeLog | 7 +++++++
 src/type42/t42parse.c | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 5d25e0ff7..e4ebfdbbe 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2015-10-21 Werner Lemberg
+
+ [type42] Fix heap buffer overflow (#46269).
+
+ * src/type42/t42parse.c (t42_parse_sfnts): Fix off-by-one error in
+ bounds checking.
+
 2015-10-21 Dave Arnold
 
 [cff] Fix limit in assert for max hints.
diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
index 3bcf97eda..5e352a21e 100644
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -640,7 +640,7 @@
 string_buf = parser->root.cursor + 1; /* one space after `RD' */
- if ( (FT_ULong)( limit - parser->root.cursor ) < string_size )
+ if ( (FT_ULong)( limit - parser->root.cursor ) <= string_size )
 {
 FT_ERROR(( "t42_parse_sfnts: too much binary data\n" ));
 error = FT_THROW( Invalid_File_Format );