From f75ae3d06d0d5f483a81c1e155b9b91e564c5145 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Thu, 4 Dec 2025 07:48:05 +0100
Subject: [PATCH] * src/sfnt/ttbdf.c (tt_face_load_bdf_props): Fix size test.

This prevents a potential overflow on 32bit systems.

Problem reported by Zhao Zijie <zijie4@illinois.edu>.
---
 src/sfnt/ttbdf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/sfnt/ttbdf.c b/src/sfnt/ttbdf.c
index bd2a94b9d..4aa182703 100644
--- a/src/sfnt/ttbdf.c
+++ b/src/sfnt/ttbdf.c
@@ -97,7 +97,7 @@
       if ( version != 0x0001                 ||
            strings < 8                       ||
            ( strings - 8 ) / 4 < num_strikes ||
-           strings + 1 > length              )
+           strings >= length                 )
         goto BadTable;
 
       bdf->num_strikes  = num_strikes;