From: Po Lu <luangruo@yahoo.com>
Date: Wed, 29 Mar 2023 05:45:18 +0000 (+0800)
Subject: ; * src/sfnt.c (sfnt_read_avar_table): Fix sequencing problem.
X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=fa6ac5ed1ca938aee6e7efb63231c16e039054a2;p=emacs.git

; * src/sfnt.c (sfnt_read_avar_table): Fix sequencing problem.
---

diff --git a/src/sfnt.c b/src/sfnt.c
index 55739ced915..11b632ca555 100644
--- a/src/sfnt.c
+++ b/src/sfnt.c
@@ -13001,11 +13001,12 @@ sfnt_read_avar_table (int fd, struct sfnt_offset_subtable *subtable)
 
       /* Verify that words from here to buffer[1 + buffer[k] * 2], the
 	 next pairCount field, are within bounds.  */
-      if (k + 1 + buffer[k] * 2 > size / sizeof *buffer)
+      j = k + 1 + buffer[k] * 2;
+      if (j > size / sizeof *buffer)
 	goto bail1;
 
       /* Move to the next pairCount field.  */
-      k += 1 + buffer[k] * 2;
+      k = j;
     }
 
   /* Resize avar to min_size and start filling in various