From 11d65e8a1f1f14e56148fd991965424d9bd1cdbc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Suzuki=2C=20Toshiya=20=28=E9=88=B4=E6=9C=A8=E4=BF=8A?= =?UTF-8?q?=E5=93=89=29?= Date: Wed, 4 Aug 2010 14:43:29 +0200 Subject: [PATCH] [cff] Improve stack overflow test. * src/cff/cffgload.c (cff_decoder_parse_charstrings): Check stack after execution of operations too.
---
 ChangeLog | 7 +++++++ src/cff/cffgload.c | 5 ++++- 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 54c49b0e7..07cb466d1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2010-08-04 Suzuki, Toshiya (鈴木俊哉)
+
+ [cff] Improve stack overflow test.
+
+ * src/cff/cffgload.c (cff_decoder_parse_charstrings): Check stack
+ after execution of operations too.
+
 2010-07-18 Werner Lemberg Add reference counters and to FT_Library and FT_Face objects.
diff --git a/src/cff/cffgload.c b/src/cff/cffgload.c
index 347041cfe..887c87978 100644
--- a/src/cff/cffgload.c
+++ b/src/cff/cffgload.c
@@ -2455,7 +2455,10 @@
 return CFF_Err_Unimplemented_Feature;
 }
- decoder->top = args;
+ decoder->top = args;
+
+ if ( decoder->top - stack >= CFF_MAX_OPERANDS )
+ goto Stack_Overflow;
 } /* general operator processing */
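Review bot: The added `decoder->top - stack >= CFF_MAX_OPERANDS` test in the src/cff/cffgload.c hunk runs only after the operator has already stored its results through `args`, so it detects an overfull operand stack rather than preventing the store that overfills it. That is memory-safe only if `stack` has at least as many spare slots beyond `CFF_MAX_OPERANDS` as the largest net push of any single operator, and neither the array declaration nor the operator cases are visible in this hunk. I would record that invariant next to the check, e.g. `/* operators may leave results on the stack; relies on the spare slot(s) past CFF_MAX_OPERANDS */`, and confirm it for each operator that pushes values. The body of cff_decoder_parse_charstrings starts and ends outside the hunk, so the per-operator bounds could not be verified from here.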