Fix parsing of font metadata tables on Android

* src/sfnt.c (sfnt_read_meta_table): Allocate `directory->length' bytes after the map rather than in place of it.
2026-06-14 04:21:24 +00:00 · 2026-05-25 11:29:32 +08:00 · 2026-05-25 11:29:32 +08:00 · d6215451fa
commit d6215451fa
parent 7cef362581
1 changed files with 1 additions and 1 deletions
--- a/src/sfnt.c
+++ b/src/sfnt.c
@ -5856,7 +5856,7 @@ sfnt_read_meta_table (int fd, struct sfnt_offset_subtable *subtable)
  if (ckd_mul (&map_size, sizeof *meta->data_maps, meta->num_data_maps)
      /* Do so while checking for overflow from bad sfnt files.  */
      || directory->length - required < map_size
-      || ckd_add (&data_size, data_size, directory->length))
+      || ckd_add (&data_size, map_size, directory->length))
    {
      xfree (meta);
      return NULL;