From 46d1c26c91027c0cb6c2e63722aae2440fcc9592 Mon Sep 17 00:00:00 2001
From: metsw24-max <metsw24@gmail.com>
Date: Mon, 1 Jun 2026 19:43:13 +0530
Subject: [PATCH] fix integer wraparound in StorePoints bounds check on 32-bit

---
 src/glyph.cc | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/glyph.cc b/src/glyph.cc
index 5b49486..ac9e2c7 100644
--- a/src/glyph.cc
+++ b/src/glyph.cc
@@ -305,7 +305,10 @@ bool StorePoints(const Glyph& glyph, size_t* offset,
     dst[(*offset)++] = repeat_count;
   }
 
-  if (*offset + x_bytes + y_bytes > dst_size) {
+  size_t xy_bytes = x_bytes + y_bytes;
+  if (xy_bytes < x_bytes ||
+      dst_size < xy_bytes ||
+      *offset > dst_size - xy_bytes) {
     return FONT_COMPRESSION_FAILURE();
   }