From 38ecc949ce1bfe4ceb567df7d8c7daf1d620fd3a Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Sun, 22 Apr 2018 10:14:03 +0200
Subject: [PATCH] Another fix for handling invalid format 2 cmaps.
The previous commit was incomplete.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7928
* src/sfnt/ttcmap.c (tt_cmap2_char_next): Adjust condition to avoid an endless loop.
---
 ChangeLog | 15 ++++++++++++++-
 src/sfnt/ttcmap.c | 2 +-
 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 57c617ee4..4dc8c552a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,16 @@
+2018-04-22 Werner Lemberg
+
+ Another fix for handling invalid format 2 cmaps.
+
+ The previous commit was incomplete.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7928
+
+ * src/sfnt/ttcmap.c (tt_cmap2_char_next): Adjust condition to avoid
+ an endless loop.
+
 2018-04-19 Werner Lemberg
+2018-04-18 Werner Lemberg
 Fix handling of invalid format 2 cmaps.
diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
index 71a3c1e34..07075cbc0 100644
--- a/src/sfnt/ttcmap.c
+++ b/src/sfnt/ttcmap.c
@@ -518,7 +518,7 @@
 FT_UInt pos, idx;
- if ( char_lo > start + count )
+ if ( char_lo > start + count && charcode <= 0xFF )
 {
 /* this happens only for a malformed cmap */
 charcode = 0x100;
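Review bot: The added `charcode <= 0xFF` term is the only thing that stops the loop from spinning on a malformed subheader, yet the comment that follows it still reads only "this happens only for a malformed cmap" and gives no hint why the reset is restricted to single-byte codes, so a later cleanup could drop the term again; extend it to something like `/* only single-byte codes (subheader 0) may be skipped by jumping */` `/* to 0x100; for two-byte codes that jump would loop forever */`. The branch now falls through for a two-byte charcode whose `char_lo` still exceeds `start + count`, and whether the range arithmetic that follows tolerates that case cannot be confirmed from this hunk. The enclosing loop and tt_cmap2_char_next itself start and end outside the hunk, as does the subheader lookup the guard implicitly relies on. Since the report came from OSS-Fuzz (id 7928 in the description), keeping that reproducer as a regression input is the cheapest way to pin the termination property.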