From c4cd34a9e0f95704c256c1f9ab558bedf4a8129b Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Wed, 28 Dec 2016 08:33:35 +0100
Subject: [PATCH] [cff] Better check of number of blends.

* src/cff/cf2intrp.c (cf2_interpT2CharString) , src/cff/cffparse.c (cff_parse_blend): Compare number of blends with stack size.
---
 ChangeLog | 8 ++++++++
 src/cff/cf2intrp.c | 9 +++++----
 src/cff/cffparse.c | 6 ++++++
 3 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 133ce2142..627b9383f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2016-12-28 Werner Lemberg
+
+	[cff] Better check of number of blends.
+
+	* src/cff/cf2intrp.c (cf2_interpT2CharString) ,
+	src/cff/cffparse.c (cff_parse_blend): Compare number of blends with
+	stack size.
+
 2016-12-27 Werner Lemberg
 	Documentation updates.
diff --git a/src/cff/cf2intrp.c b/src/cff/cf2intrp.c
index 078f6feb4..ef52999c6 100644
--- a/src/cff/cf2intrp.c
+++ b/src/cff/cf2intrp.c
@@ -693,12 +693,13 @@
 }
 /* do the blend */
+ numBlends = (FT_UInt)cf2_stack_popInt( opStack );
+ if ( numBlends > stackSize )
 {
- FT_Int temp = cf2_stack_popInt( opStack );
-
-
- numBlends = temp > 0 ? (FT_UInt)temp : 0;
+ lastError = FT_THROW( Invalid_Glyph_Format );
+ goto exit;
 }
+
 cf2_doBlend( &font->blend, opStack, numBlends );
 font->blend.usedBV = TRUE;
diff --git a/src/cff/cffparse.c b/src/cff/cffparse.c
index a848631ba..ee538c360 100644
--- a/src/cff/cffparse.c
+++ b/src/cff/cffparse.c
@@ -907,6 +907,12 @@
 }
 numBlends = (FT_UInt)cff_parse_num( parser, parser->top - 1 );
+ if ( numBlends > parser->stackSize )
+ {
+ FT_ERROR(( "cff_parse_blend: Invalid number of blends\n" ));
+ error = FT_THROW( Invalid_File_Format );
+ goto Exit;
+ }
 FT_TRACE4(( " %d values blended\n", numBlends ));
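Review bot: In the cf2intrp.c hunk the new guard `if ( numBlends > stackSize )` bounds the blend count by `stackSize`, which, if it is the capacity the operand stack was created with (as the name suggests; its definition is outside the hunk), is not the number of values currently on `opStack`, so a count that fits the capacity but exceeds what the charstring actually pushed still reaches `cf2_doBlend`; unless that callee compares against `cf2_stack_count( opStack )` before popping, the check here should, e.g. `if ( numBlends > cf2_stack_count( opStack ) )`. The same applies to the cffparse.c hunk, where `parser->stackSize` is compared rather than the fill level `parser->top - parser->stack`. The cast `(FT_UInt)cf2_stack_popInt( opStack )` turns a negative pop into a large unsigned count that the comparison then rejects, which replaces the old clamp-to-zero behaviour and deserves a comment such as `/* a negative count wraps to a large FT_UInt and is rejected below */`. cf2_interpT2CharString continues on both sides of this hunk.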