From d80b44afa46aa23b47331819b77d55ea5c59f570 Mon Sep 17 00:00:00 2001
From: Jonathan Kew
Date: Sun, 19 Apr 2026 13:01:56 +0100
Subject: [PATCH] Range-check FDSelect value during CFF subsetting.
---
 src/cairo-cff-subset.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
index 5a54c091a..a725c726d 100644
--- a/src/cairo-cff-subset.c
+++ b/src/cairo-cff-subset.c
@@ -1876,6 +1876,10 @@ cairo_cff_font_subset_fontdict (cairo_cff_font_t *font)
 }
 fd = font->fdselect[gid];
+ if (fd < 0 || (unsigned int) fd >= font->num_fontdicts) {
+ free (reverse_map);
+ return CAIRO_INT_STATUS_UNSUPPORTED;
+ }
 if (reverse_map[fd] < 0) {
 font->fd_subset_map[font->num_subset_fontdicts] = fd;
 reverse_map[fd] = font->num_subset_fontdicts++;