From 5b453f77f804cd8421a45d8276ed3e04041da23c Mon Sep 17 00:00:00 2001
From: Michiharu Ariza
Date: Tue, 11 Sep 2018 16:20:39 -0700
Subject: [PATCH] fixed off-by-one error with offSize

---
 src/hb-ot-cff-common.hh | 5 +++--
 src/hb-subset-cff1.cc | 4 ++--
 src/hb-subset-cff2.cc | 2 +-
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/hb-ot-cff-common.hh b/src/hb-ot-cff-common.hh
index 8b6b6b2..28728a9 100644
--- a/src/hb-ot-cff-common.hh
+++ b/src/hb-ot-cff-common.hh
@@ -42,9 +42,10 @@ template
 static inline const Type& StructAtOffsetOrNull(const void *P, unsigned int offset)
 { return offset? (* reinterpret_cast ((const char *) P + offset)): Null(Type); }

-inline unsigned int calcOffSize(unsigned int offset)
+inline unsigned int calcOffSize(unsigned int dataSize)
 {
 unsigned int size = 1;
+ unsigned int offset = dataSize + 1;
 while ((offset & ~0xFF) != 0)
 {
 size++;
@@ -493,7 +494,7 @@ struct FDArray : CFFIndexOf
 if (!fdmap.excludes (i))
 dictsSize += FontDict::calculate_serialized_size (fontDicts[i], opszr);

- offSize_ = calcOffSize (dictsSize + 1);
+ offSize_ = calcOffSize (dictsSize);
 return CFFIndex::calculate_serialized_size (offSize_, fdCount, dictsSize);
 }
 };
diff --git a/src/hb-subset-cff1.cc b/src/hb-subset-cff1.cc
index 7f1d9dc..5285a9e 100644
--- a/src/hb-subset-cff1.cc
+++ b/src/hb-subset-cff1.cc
@@ -635,7 +635,7 @@ struct cff_subset_plan {
 if (!fdmap.excludes (i))
 dictsSize += FontDict::calculate_serialized_size (acc.fontDicts[i], fontSzr);

- offsets.FDArrayInfo.offSize = calcOffSize (dictsSize + 1);
+ offsets.FDArrayInfo.offSize = calcOffSize (dictsSize);
 final_size += CFF1Index::calculate_serialized_size (offsets.FDArrayInfo.offSize, subset_fdcount, dictsSize);
 }
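Review bot: `unsigned int offset = dataSize + 1;` wraps to 0 when dataSize is UINT_MAX, so the loop below never runs and calcOffSize presumably answers 1 for data that no 4-byte CFF offset can address; a size that large is already malformed input, but the function should refuse it (an assert, or a documented precondition that callers bound dataSize first) rather than hand back a too-small offSize that the serializer then truncates offsets into. Since the fix moves the `+ 1` out of the callers, the reason for it belongs on the function: `/* Smallest offSize (1..4 bytes) able to hold every offset of a CFF INDEX over dataSize bytes of data; INDEX offsets are 1-based, so the last one is dataSize + 1. */`. The callers in the FDArray hunk and in hb-subset-cff1.cc / hb-subset-cff2.cc drop their own `+ 1` in step, so the offSize they compute is unchanged; presumably the off-by-one named in the title sat in a caller outside this patch that passed a raw size. The rest of calcOffSize's loop body and its return are outside the hunk.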
@@ -650,7 +650,7 @@ struct cff_subset_plan {
 subset_charstrings.push (str);
 dataSize += flatstr.len;
 }
- offsets.charStringsInfo.offSize = calcOffSize (dataSize + 1);
+ offsets.charStringsInfo.offSize = calcOffSize (dataSize);
 final_size += CFF1CharStrings::calculate_serialized_size (offsets.charStringsInfo.offSize, plan->glyphs.len, dataSize);
 }
diff --git a/src/hb-subset-cff2.cc b/src/hb-subset-cff2.cc
index 193b433..15d2c57 100644
--- a/src/hb-subset-cff2.cc
+++ b/src/hb-subset-cff2.cc
@@ -269,7 +269,7 @@ struct cff2_subset_plan {
 subset_charstrings.push (str);
 dataSize += flatstr.len;
 }
- offsets.charStringsInfo.offSize = calcOffSize (dataSize + 1);
+ offsets.charStringsInfo.offSize = calcOffSize (dataSize);
 final_size += CFF2CharStrings::calculate_serialized_size (offsets.charStringsInfo.offSize, plan->glyphs.len, dataSize);
 }
-- 
2.7.4