From: Chris Liddell <chris.liddell@artifex.com>
Date: Thu, 15 Jun 2017 09:05:20 +0100
Subject: Bug 698056: make bounds check in gx_ttfReader__Read more robust
Origin: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=937ccd17ac65935633b2ebc06cb7089b91e17e6b
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9727
Bug-Debian: https://bugs.debian.org/869913
Bug: http://bugs.ghostscript.com/show_bug.cgi?id=698056

---
 base/gxttfb.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/base/gxttfb.c b/base/gxttfb.c
index 0e9a444e5..e1561af07 100644
--- a/base/gxttfb.c
+++ b/base/gxttfb.c
@@ -79,7 +79,8 @@ static void gx_ttfReader__Read(ttfReader *self, void *p, int n)
     if (!r->error) {
         if (r->extra_glyph_index != -1) {
             q = r->glyph_data.bits.data + r->pos;
-            r->error = (r->glyph_data.bits.size - r->pos < n ?
+            r->error = ((r->pos >= r->glyph_data.bits.size ||
+                        r->glyph_data.bits.size - r->pos < n) ?
                             gs_note_error(gs_error_invalidfont) : 0);
             if (r->error == 0)
                 memcpy(p, q, n);
-- 
2.14.2