From 09ab885d80c5fa97c2c5a14141afbfaffbbb0db3 Mon Sep 17 00:00:00 2001
From: Jonathan Kew
Date: Wed, 22 Apr 2026 13:00:22 -0700
Subject: [PATCH 25/29] Range-check FDSelect value during CFF subsetting

---
 src/cairo-cff-subset.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
index 5a54c091a..a725c726d 100644
--- a/src/cairo-cff-subset.c
+++ b/src/cairo-cff-subset.c
@@ -1876,6 +1876,10 @@ cairo_cff_font_subset_fontdict (cairo_cff_font_t *font)
     }
     fd = font->fdselect[gid];
+    if (fd < 0 || (unsigned int) fd >= font->num_fontdicts) {
+        free (reverse_map);
+        return CAIRO_INT_STATUS_UNSUPPORTED;
+    }
     if (reverse_map[fd] < 0) {
         font->fd_subset_map[font->num_subset_fontdicts] = fd;
         reverse_map[fd] = font->num_subset_fontdicts++;
-- 
2.53.0
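Review bot: The new guard validates the FDSelect value only at this one consumer, so any other code that reads `font->fdselect[gid]` outside this hunk (for example when choosing the Private DICT or local subrs for a charstring, if such a lookup exists) still indexes with an unchecked value from the font file; validating once where the FDSelect table is parsed, against `num_fontdicts`, would cover every consumer. The `fd < 0` half of the condition is dead if `fd` is declared unsigned — its declaration is outside the hunk, so confirm the type or drop that half to avoid a -Wtype-limits warning. The early return frees only `reverse_map`; since cairo_cff_font_subset_fontdict begins outside the hunk, confirm nothing else allocated earlier in the function leaks on this path. A why-comment on the check would help the next reader: `/* Malformed FDSelect: reject the font rather than index reverse_map/fd_subset_map out of bounds */`.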