From f4c326c378aa25251ebd8e29db4d1ce42d26eaaa Mon Sep 17 00:00:00 2001
From: Eli Zaretskii <eliz@gnu.org>
Date: Fri, 15 May 2026 15:00:35 +0300
Subject: [PATCH] ; * src/sfnt.c (sfnt_read_cmap_format_12): Assert there's no
 overflow.

---
 src/sfnt.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/sfnt.c b/src/sfnt.c
index f778179a5ff..ab6a2d5e7bc 100644
--- a/src/sfnt.c
+++ b/src/sfnt.c
@@ -736,6 +736,7 @@ sfnt_read_cmap_format_12 (int fd,
     return NULL;
 
   /* Allocate a buffer of sufficient size.  */
+  eassert (length < UINT32_MAX - sizeof *format12);
   format12 = xmalloc (length + sizeof *format12);
   format12->format = header->format;
   format12->reserved = header->length;