From 339e7180364a43dabe59ddf46ff10a5215f41007 Mon Sep 17 00:00:00 2001
From: Jonathan Kew <jfkthame@gmail.com>
Date: Mon, 18 Mar 2024 12:07:46 +0000
Subject: [PATCH] [gdef] absolute_offset could overflow a 16-bit variable

---
 src/gdef.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/gdef.cc b/src/gdef.cc
index 0e01a938..7e0b7cc3 100644
--- a/src/gdef.cc
+++ b/src/gdef.cc
@@ -176,8 +176,8 @@ bool OpenTypeGDEF::ParseLigCaretListTable(const uint8_t *data, size_t length) {
           return Error("Can't read device offset for caret value %d "
                        "in glyph %d", j, i);
         }
-        uint16_t absolute_offset = lig_glyphs[i] + caret_value_offsets[j]
-                                   + offset_device;
+        size_t absolute_offset = lig_glyphs[i] + caret_value_offsets[j]
+                                 + offset_device;
         if (offset_device == 0 || absolute_offset >= length) {
           return Error("Bad device offset for caret value %d in glyph %d: %d",
                        j, i, offset_device);