From 8de39a7919ad1bbd433dd62810c91272b7095455 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Sat, 10 Oct 2015 13:34:11 +0200
Subject: [PATCH] [sfnt] Fix infinite loops with broken cmaps (#46167).

* src/sfnt/ttcmap.c (tt_cmap8_char_next, tt_cmap12_next): Take care
of border condidions (i.e., if the loops exit naturally).
---
 ChangeLog         | 7 +++++++
 src/sfnt/ttcmap.c | 6 ++++++
 2 files changed, 13 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 906222176..a3c7ac137 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2015-10-10  Werner Lemberg  <wl@gnu.org>
+
+	[sfnt] Fix infinite loops with broken cmaps (#46167).
+
+	* src/sfnt/ttcmap.c (tt_cmap8_char_next, tt_cmap12_next): Take care
+	of border condidions (i.e., if the loops exit naturally).
+
 2015-10-10  Werner Lemberg  <wl@gnu.org>
 
 	[truetype] More sanity tests for GX handling.
diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
index c4d9abdfe..f5725087b 100644
--- a/src/sfnt/ttcmap.c
+++ b/src/sfnt/ttcmap.c
@@ -1891,7 +1891,10 @@
         /* if `gindex' is invalid, the remaining values */
         /* in this group are invalid, too               */
         if ( gindex >= (FT_UInt)face->num_glyphs )
+        {
+          gindex = 0;
           continue;
+        }
 
         result = char_code;
         break;
@@ -2277,7 +2280,10 @@
         /* if `gindex' is invalid, the remaining values */
         /* in this group are invalid, too               */
         if ( gindex >= (FT_UInt)face->num_glyphs )
+        {
+          gindex = 0;
           continue;
+        }
 
         cmap->cur_charcode = char_code;
         cmap->cur_gindex   = gindex;