From 86365d847b9e02a6712bca069a2465d1222c573c Mon Sep 17 00:00:00 2001
From: Jonathan Kew
Date: Sat, 18 Apr 2026 13:17:19 +0000
Subject: [PATCH] [cff-subset] check subrs offset is within font data
---
 src/cairo-cff-subset.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
index 8a7de0065..5a54c091a 100644
--- a/src/cairo-cff-subset.c
+++ b/src/cairo-cff-subset.c
@@ -930,6 +930,8 @@ cairo_cff_font_read_private_dict (cairo_cff_font_t *font,
 if (operand) {
 decode_integer (operand, &offset);
 p = ptr + offset;
+ if (unlikely (p < font->data || p > font->data_end))
+ return CAIRO_INT_STATUS_UNSUPPORTED;
 status = cff_index_read (local_sub_index, &p, font->data_end);
 if (unlikely (status))
 return status;
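Review bot: The new bounds check runs after `p = ptr + offset;` has already formed the pointer, and pointer arithmetic whose result lies outside the font buffer is undefined behaviour in C, so a compiler is free to assume the comparison cannot fail; validating the integer offset against the remaining length before the addition avoids that, e.g. `if (unlikely (offset < font->data - ptr || offset > font->data_end - ptr)) return CAIRO_INT_STATUS_UNSUPPORTED;` placed ahead of `p = ptr + offset;`. That form keeps the same accepted range as the committed check (a pointer equal to font->data_end still passes and is left to cff_index_read, which receives font->data_end as its bound). It assumes `ptr` itself already points into font->data, which the hunk does not show; if it has not been validated earlier, it needs the same treatment. cairo_cff_font_read_private_dict starts and continues outside the hunk.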