From d3668e00da732654b50e4e81f982544ed6e26390 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Fri, 5 Sep 2025 20:21:27 +0200
Subject: [PATCH] src/sfnt/ttload.c (tt_face_load_any): Correctly handle font containers.

Reported as https://issues.oss-fuzz.com/issues/424613326
---
 src/sfnt/sfobjs.c | 3 +++
 src/sfnt/ttload.c | 15 +++++++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c
index 75411f759..20e5d2470 100644
--- a/src/sfnt/sfobjs.c
+++ b/src/sfnt/sfobjs.c
@@ -579,6 +579,9 @@
 if ( face_instance_index < 0 && face_index > 0 ) face_index--;
+ /* Note that `face_index` is also used to enumerate elements */
+ /* of containers like a Mac Resource; this means we must */
+ /* check whether we actually have a TTC. */
 if ( face_index >= face->ttc_header.count ) { if ( face_instance_index >= 0 )
diff --git a/src/sfnt/ttload.c b/src/sfnt/ttload.c
index f64ce8890..26c7301d3 100644
--- a/src/sfnt/ttload.c
+++ b/src/sfnt/ttload.c
@@ -585,8 +585,19 @@
 } else if ( tag == 1 ) {
- /* The currently selected font's table directory. */
- offset += face->ttc_header.offsets[face->root.face_index & 0xFFFF];
+ /* The currently selected font's table directory. */
+ /* */
+ /* Note that `face_index` is also used to enumerate elements */
+ /* of containers like a Mac Resource; this means we must */
+ /* check whether we actually have a TTC (with multiple table */
+ /* directories). */
+ FT_Long idx = face->root.face_index & 0xFFFF;
+
+ if ( idx >= face->ttc_header.count ) idx = 0;
+ offset += face->ttc_header.offsets[idx];
 size = 4 + 8 + 16 * face->num_tables; } else
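Review bot: The clamp `if ( idx >= face->ttc_header.count ) idx = 0;` in the `tag == 1` branch still reads `face->ttc_header.offsets[0]` when `count` is 0, so the out-of-range read reported by the fuzzer is narrowed to that one case rather than closed unless the TTC header parser (outside this patch) already rejects a zero count; the sibling sfobjs.c hunk only rejects `face_index >= count`, which does not cover a count of 0 with a face index of 0. If that guarantee exists, it is worth recording next to the new check, e.g. `/* `count` is at least 1 here: a non-TTC font gets a single table directory (TODO confirm in sfobjs.c) */`; if it does not, the branch should fail with an error rather than fall back to index 0. The comment block above the new code also does not say what the fallback means: for a genuine TTC the earlier check in sfobjs.c has already rejected an out-of-range index, so a one-line addition such as `/* For non-TTC containers the only table directory is at index 0. */` would make the silent reset to 0 look intentional rather than like masking a bad index. The `FT_Long` declaration compares against `ttc_header.count`, whose type is not visible in this hunk; if it is unsigned, the comparison would need a cast to avoid a signed/unsigned mismatch warning. The enclosing function (`tt_face_load_any` per the subject line) starts and ends outside the hunk.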