From 8edfcbed53f669279b5d7dccea72d0903b75ee9c Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Sat, 17 Oct 2015 08:11:16 +0200
Subject: [PATCH] [psaux] Fix heap buffer overflow (#46221).

* src/psaux/t1decode.c (t1_decoder_parse_charstring) <operator 12>:
Fix limit check.
---
 ChangeLog            | 9 ++++++++-
 src/psaux/t1decode.c | 2 +-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 442b4f3b7..8e081266b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,11 @@
-2015-10-15  Werner Lemberg  <wl@gnu.org>
+2015-10-17  Werner Lemberg  <wl@gnu.org>
+
+	[psaux] Fix heap buffer overflow (#46221).
+
+	* src/psaux/t1decode.c (t1_decoder_parse_charstring) <operator 12>:
+	Fix limit check.
+
+2015-10-17  Werner Lemberg  <wl@gnu.org>
 
 	* src/cid/cidload.c (cid_parse_dict): Handle invalid input (#46220).
 
diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c
index 2e199286f..c2d080e68 100644
--- a/src/psaux/t1decode.c
+++ b/src/psaux/t1decode.c
@@ -512,7 +512,7 @@
         break;
 
       case 12:
-        if ( ip > limit )
+        if ( ip >= limit )
         {
           FT_ERROR(( "t1_decoder_parse_charstrings:"
                      " invalid escape (12+EOF)\n" ));