[cff] Fix another segv in old engine.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9872

* src/psaux/cffdecode.c (cff_decoder_parse_charstrings)
[CFF_CONFIG_OPTION_OLD_ENGINE]: Disallow invalid T1 opcodes in
dictionaries.

2 files changed, 22 insertions, 1 deletions

diff --git a/ChangeLog b/ChangeLog
index 2f373dd14..2ac650064 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,17 @@
 2018-08-14  Werner Lemberg  <wl@gnu.org>
 
+	[cff] Fix another segv in old engine.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9872
+
+	* src/psaux/cffdecode.c (cff_decoder_parse_charstrings)
+	[CFF_CONFIG_OPTION_OLD_ENGINE]: Disallow invalid T1 opcodes in
+	dictionaries.
+
+2018-08-14  Werner Lemberg  <wl@gnu.org>
+
 	[cff] Fix missing error handling.
 
 	Reported as
@@ -20,7 +32,7 @@
 
 2018-08-14  Werner Lemberg  <wl@gnu.org>
 
-	[cff] Fix segv.
+	[cff] Fix segv in old engine.
 
 	Reported as
 
diff --git a/src/psaux/cffdecode.c b/src/psaux/cffdecode.c
index 3f4ea15cb..2c2aa6a84 100644
--- a/src/psaux/cffdecode.c
+++ b/src/psaux/cffdecode.c
@@ -860,6 +860,15 @@
           case cff_op_flex1:
           case cff_op_callsubr:
           case cff_op_callgsubr:
+            /* depracated opcodes */
+          case cff_op_dotsection:
+            /* invalid Type 1 opcodes */
+          case cff_op_hsbw:
+          case cff_op_closepath:
+          case cff_op_callothersubr:
+          case cff_op_seac:
+          case cff_op_sbw:
+          case cff_op_setcurrentpoint:
             goto MM_Error;
 
           default: