From bb3017d3dd80db90edc7fbebc42944893e5f6e53 Mon Sep 17 00:00:00 2001
From: Jonathan Kew
Date: Sat, 25 Apr 2026 13:28:12 +0000
Subject: [PATCH 28/29] Bug 2029463 - Range-check string id during subsetting. r=gfx-reviewers,lsalzman

Differential Revision: https://phabricator.services.mozilla.com/D296352
---
 src/cairo-cff-subset.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
index ffa2eb6ad..6c01ed4ef 100644
--- a/src/cairo-cff-subset.c
+++ b/src/cairo-cff-subset.c
@@ -1423,7 +1423,11 @@ cairo_cff_font_subset_dict_string(cairo_cff_font_t *font,
     if (sid < NUM_STD_STRINGS)
         return CAIRO_STATUS_SUCCESS;
 
-    element = _cairo_array_index (&font->strings_index, sid - NUM_STD_STRINGS);
+    sid -= NUM_STD_STRINGS;
+    if (sid >= (int)_cairo_array_num_elements (&font->strings_index))
+        return CAIRO_INT_STATUS_UNSUPPORTED;
+
+    element = _cairo_array_index (&font->strings_index, sid);
     sid = NUM_STD_STRINGS + _cairo_array_num_elements (&font->strings_subset_index);
     status = cff_index_append (&font->strings_subset_index, element->data, element->length);
     if (unlikely (status))
-- 
2.53.0
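Review bot: The new bound check on the `if (sid >= (int)_cairo_array_num_elements (&font->strings_index))` line should carry a comment saying why it exists, because the early `sid < NUM_STD_STRINGS` return two lines above reads as if every string id were already handled; I would add `/* A malformed font can reference a string id past the end of the String INDEX; reject it rather than index out of bounds. */` directly above the `if`. The `(int)` cast turns this into a signed comparison on a count that is presumably unsigned; since `sid` is non-negative once the `sid < NUM_STD_STRINGS` guard has been passed and `NUM_STD_STRINGS` subtracted, `(unsigned) sid >= _cairo_array_num_elements (&font->strings_index)` would express the same bound without narrowing the element count, which is a matter of style assuming `sid` is an `int` as the cast implies. Returning CAIRO_INT_STATUS_UNSUPPORTED looks consistent with how the rest of this file reports malformed CFF data so the caller can fall back instead of failing hard, but that is inferred from the visible lines and worth confirming against the callers. cairo_cff_font_subset_dict_string begins and ends outside the hunk.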