From d6215451fad244c6947dc6f67c039969853e6b12 Mon Sep 17 00:00:00 2001 From: Po Lu Date: Mon, 25 May 2026 11:29:32 +0800 Subject: [PATCH] Fix parsing of font metadata tables on Android * src/sfnt.c (sfnt_read_meta_table): Allocate `directory->length' bytes after the map rather than in place of it. --- src/sfnt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/sfnt.c b/src/sfnt.c index 4e4e2e121e6..956b89d3efb 100644 --- a/src/sfnt.c +++ b/src/sfnt.c @@ -5856,7 +5856,7 @@ sfnt_read_meta_table (int fd, struct sfnt_offset_subtable *subtable) if (ckd_mul (&map_size, sizeof *meta->data_maps, meta->num_data_maps) /* Do so while checking for overflow from bad sfnt files. */ || directory->length - required < map_size - || ckd_add (&data_size, data_size, directory->length)) + || ckd_add (&data_size, map_size, directory->length)) { xfree (meta); return NULL;