From fa6ac5ed1ca938aee6e7efb63231c16e039054a2 Mon Sep 17 00:00:00 2001
From: Po Lu
Date: Wed, 29 Mar 2023 13:45:18 +0800
Subject: [PATCH] ; * src/sfnt.c (sfnt_read_avar_table): Fix sequencing problem.
---
 src/sfnt.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/sfnt.c b/src/sfnt.c
index 55739ced915..11b632ca555 100644
--- a/src/sfnt.c
+++ b/src/sfnt.c
@@ -13001,11 +13001,12 @@ sfnt_read_avar_table (int fd, struct sfnt_offset_subtable *subtable)
 /* Verify that words from here to buffer[1 + buffer[k] * 2], the next pairCount field, are within bounds. */
- if (k + 1 + buffer[k] * 2 > size / sizeof *buffer)
+ j = k + 1 + buffer[k] * 2;
+ if (j > size / sizeof *buffer)
 goto bail1;
 /* Move to the next pairCount field. */
- k += 1 + buffer[k] * 2;
+ k = j;
 }
 /* Resize avar to min_size and start filling in various
--
2.39.2
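Review bot: The guard `if (j > size / sizeof *buffer)` still accepts `j` equal to the word count, and `k = j` then makes `buffer[k]` the next pairCount read. That is fine after the last axis, but for an earlier axis it would read one word past the table data unless the top of the loop rejects that index. The loop head is outside this hunk, so confirm it there; because the counts come from the font file, the read of `buffer[k]` should be preceded by `if (k >= size / sizeof *buffer) goto bail1;` if it is not already. `j` is declared outside the hunk as well, and it should have the same type as `k` so that `k + 1 + buffer[k] * 2` is not narrowed before the comparison.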