From 44db1addd80981b1a9cbea6b8608c99592a065ea Mon Sep 17 00:00:00 2001 From: Werner Lemberg Date: Tue, 14 Aug 2018 10:01:00 +0200 Subject: [PATCH] [cff] Fix another segv in old engine. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9872 * src/psaux/cffdecode.c (cff_decoder_parse_charstrings) [CFF_CONFIG_OPTION_OLD_ENGINE]: Disallow invalid T1 opcodes in dictionaries. --- ChangeLog | 14 +++++++++++++- src/psaux/cffdecode.c | 9 +++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 2f373dd14..2ac650064 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,15 @@ +2018-08-14 Werner Lemberg + + [cff] Fix another segv in old engine. + + Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9872 + + * src/psaux/cffdecode.c (cff_decoder_parse_charstrings) + [CFF_CONFIG_OPTION_OLD_ENGINE]: Disallow invalid T1 opcodes in + dictionaries. + 2018-08-14 Werner Lemberg [cff] Fix missing error handling. @@ -20,7 +32,7 @@ 2018-08-14 Werner Lemberg - [cff] Fix segv. + [cff] Fix segv in old engine. Reported as diff --git a/src/psaux/cffdecode.c b/src/psaux/cffdecode.c index 3f4ea15cb..2c2aa6a84 100644 --- a/src/psaux/cffdecode.c +++ b/src/psaux/cffdecode.c @@ -860,6 +860,15 @@ case cff_op_flex1: case cff_op_callsubr: case cff_op_callgsubr: + /* depracated opcodes */ + case cff_op_dotsection: + /* invalid Type 1 opcodes */ + case cff_op_hsbw: + case cff_op_closepath: + case cff_op_callothersubr: + case cff_op_seac: + case cff_op_sbw: + case cff_op_setcurrentpoint: goto MM_Error; default:
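Review bot: The new `case` arms extend a denylist, but the `default:` arm that decides every opcode not listed here sits outside the hunk, so unless it already rejects unknown operators, any opcode the enum later gains — or any T1-only/unknown opcode not enumerated in this switch — is still accepted in dictionary context by default; the ChangeLog's run of "Fix segv in old engine" / "Fix another segv" entries suggests this list is being grown one fuzzer report at a time. Consider inverting it so the dictionary path fails closed: enumerate only the arithmetic/blend operators that are legitimately allowed in a dictionary and send everything else to `MM_Error`, which would have covered this report without a code change. Also fix the typo in the new comment: `/* deprecated opcodes */`. The enclosing `switch` and `cff_decoder_parse_charstrings` both start and end outside the hunk.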