From d51a4722316efe0960994d371e1859099894d1ca Mon Sep 17 00:00:00 2001
From: Eli Zaretskii
Date: Sat, 2 May 2026 14:17:14 +0300
Subject: [PATCH] ; * src/sfnt.c (sfnt_read_name_table): Avoid 32-bit overflow.

---
 src/sfnt.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/sfnt.c b/src/sfnt.c
index d9cf1fa1213..f778179a5ff 100644
--- a/src/sfnt.c
+++ b/src/sfnt.c
@@ -5792,6 +5792,10 @@ sfnt_read_name_table (int fd, struct sfnt_offset_subtable *subtable)
 if (directory->length < required)
 return NULL;
 
+ /* Avoid overflow in xmalloc argument below. */
+ if (directory->length > UINT_MAX - sizeof *name)
+ return NULL;
+
 /* Allocate enough to hold the name table and variable length data. */
 name = xmalloc (sizeof *name + directory->length);
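Review bot: The added guard bounds `directory->length` by `UINT_MAX`, but the sum it protects, `sizeof *name + directory->length`, is evaluated in `size_t` before it reaches `xmalloc`, so the limit that matters is `SIZE_MAX`. The two coincide where `unsigned int` and `size_t` are both 32 bits, which appears to be the case the subject line targets; on an LP64 host the test prevents nothing and only rejects lengths within `sizeof *name` of 4 GiB. Writing it as `if (directory->length > SIZE_MAX - sizeof *name)` ties the check to the type that actually wraps, assuming `length` is an unsigned 32-bit field (its declaration is outside the hunk; a compiler may then flag the comparison as always false on 64-bit builds). The length presumably comes from the font file's table directory, so the comment could say so: `/* directory->length is taken from the font file; reject values that would wrap the size_t sum passed to xmalloc.  */`. The body of sfnt_read_name_table starts and continues outside this hunk, so whether the length is also checked against the data actually available on `fd` cannot be seen here.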