From a5c79499e3ef9723504e36af3ba7b98435501166 Mon Sep 17 00:00:00 2001
From: Po Lu
Date: Thu, 10 Aug 2023 08:58:04 +0800
Subject: [PATCH] Fix crash when reading TTC font for glyph mapping table selection

* src/sfnt.c (sfnt_read_cmap_table): Seek to the table directory if DESC->offset is provided.
* src/sfntfont.c (sfntfont_read_cmap): Accurately verify cmap subtable header size. (bug#65185)
---
 src/sfnt.c | 2 +-
 src/sfntfont.c | 15 ++++++++++++++-
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/src/sfnt.c b/src/sfnt.c
index 876db70bcda..8ccb672c5d5 100644
--- a/src/sfnt.c
+++ b/src/sfnt.c
@@ -1006,7 +1006,7 @@ sfnt_read_cmap_table (int fd, struct sfnt_offset_subtable *subtable,
 /* Read the common part of the new subtable. */
 rc = read (fd, &(*subtables)[i], sizeof (*subtables)[i]);
 
- if (rc < sizeof (*subtables))
+ if (rc < sizeof (*subtables)[i])
 {
 xfree (cmap);
 xfree (*subtables);
diff --git a/src/sfntfont.c b/src/sfntfont.c
index 6927b185721..22e7f0e3832 100644
--- a/src/sfntfont.c
+++ b/src/sfntfont.c
@@ -1341,9 +1341,22 @@ sfntfont_read_cmap (struct sfnt_font_desc *desc,
 if (fd < 0)
 return;
 
+ /* Seek to the start of the font itself within its collection. */
+
+ if (desc->offset
+ && lseek (fd, desc->offset, SEEK_SET) != desc->offset)
+ {
+ emacs_close (fd);
+ return;
+ }
+
 font = sfnt_read_table_directory (fd);
 
- if (!font)
+ /* Return if FONT is a TrueType collection: the file pointer should
+ already have been moved to the start of the table directory if
+ so. */
+
+ if (!font || font == (struct sfnt_offset_subtable *) -1)
 {
 emacs_close (fd);
 return;
-- 
2.39.5
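Review bot: The corrected comparison `rc < sizeof (*subtables)[i]` still lets a failed read() through: if rc holds the ssize_t result of read() (its declaration is above the hunk, so this is inferred), a return of -1 is converted to size_t for the comparison, is not less than sizeof, and the error branch is skipped, so the loop continues as though the subtable header had been read. Reject the negative case explicitly before the size check, `if (rc < 0 || (size_t) rc < sizeof (*subtables)[i])`. sfnt_read_cmap_table begins and ends outside the hunk. Separately, the ChangeLog entries in the commit message appear swapped: this sizeof correction is the src/sfnt.c change, while the seek described under sfnt.c is the src/sfntfont.c change.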
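Review bot: The comment above `if (!font || font == (struct sfnt_offset_subtable *) -1)` says the file pointer "should already have been moved" for a collection, but the seek added earlier in the hunk runs only when desc->offset is non-zero, so the -1 sentinel presumably reaches this check only when the descriptor carries no offset for a TTC file; as written the comment reads as if the seek made the sentinel impossible. Suggest stating what the branch means instead: `/* FONT is -1 if the file is a TrueType collection; that can only occur when DESC->offset is zero, since otherwise the file pointer was moved to the font's own table directory above.  */`. Returning early here also matters because the sentinel is not a heap pointer and presumably must not reach whatever frees FONT further down, which is worth a short comment so the two conditions are not later split apart. sfntfont_read_cmap begins and ends outside the hunk.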