From ca54eba4846d0afda4601929556617a7ebe51714 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Wed, 10 Oct 2018 20:41:16 -0400
Subject: [PATCH] [kerx] Fix bound-checking error introduced a couple commits
 past

---
 src/hb-aat-layout-kerx-table.hh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/hb-aat-layout-kerx-table.hh b/src/hb-aat-layout-kerx-table.hh
index 4118d8ee1..0d3b330a3 100644
--- a/src/hb-aat-layout-kerx-table.hh
+++ b/src/hb-aat-layout-kerx-table.hh
@@ -180,7 +180,7 @@ struct KerxSubTableFormat2
     unsigned int offset = l + r;
     const FWORD *v = &StructAtOffset<FWORD> (&(this+array), offset);
     if (unlikely ((const char *) v < (const char *) &array ||
-		  (const char *) v + v->static_size - (const char *) this <= header.length))
+		  (const char *) v + v->static_size - (const char *) this > header.length))
       return 0;
     return *v;
   }
@@ -284,7 +284,7 @@ struct KerxSubTableFormat6
       unsigned int offset = l + r;
       const FWORD32 *v = &StructAtOffset<FWORD32> (&(this+t.array), offset * sizeof (FWORD32));
       if (unlikely ((const char *) v < (const char *) &t.array ||
-		    (const char *) v + v->static_size - (const char *) this <= header.length))
+		    (const char *) v + v->static_size - (const char *) this > header.length))
 	return 0;
       return *v;
     }
@@ -296,7 +296,7 @@ struct KerxSubTableFormat6
       unsigned int offset = l + r;
       const FWORD *v = &StructAtOffset<FWORD> (&(this+t.array), offset * sizeof (FWORD));
       if (unlikely ((const char *) v < (const char *) &t.array ||
-		    (const char *) v + v->static_size - (const char *) this <= header.length))
+		    (const char *) v + v->static_size - (const char *) this > header.length))
 	return 0;
       return *v;
     }