authorWerner Lemberg <wl@gnu.org>2018-10-27 00:07:53 +0200
committerWerner Lemberg <wl@gnu.org>2018-10-27 00:07:53 +0200
commitbfe53294757b03873b1432b7c1cd3e027802c634 (patch)
tree41ec6f8f5e4b5eb94dfa9bf74ef262e7fbefb4dc
parentf56830ed406f90f6f53ee6367f2068a0f27bf90b (diff)
downloadfreetype2-bfe53294757b03873b1432b7c1cd3e027802c634.tar.gz
[psaux] Fix numeric overflow.
Triggered by https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11157 * src/psaux/cffdecode.c (cff_decoder_parse_charstrings) <cff_op_blend> [CFF_CONFIG_OPTION_OLD_ENGINE]: Fix integer overflow.
-rw-r--r--ChangeLog11
-rw-r--r--src/psaux/cffdecode.c3
2 files changed, 13 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index d96be8497..5bb6ba705 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2018-10-27 Werner Lemberg <wl@gnu.org>
+
+ [psaux] Fix numeric overflow.
+
+ Triggered by
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11157
+
+ * src/psaux/cffdecode.c (cff_decoder_parse_charstrings) <cff_op_blend>
+ [CFF_CONFIG_OPTION_OLD_ENGINE]: Fix integer overflow.
+
2018-10-20 Werner Lemberg <wl@gnu.org>
Avoid endless loop while tracing (#54858).
diff --git a/src/psaux/cffdecode.c b/src/psaux/cffdecode.c
index 58a516fb2..ac1bc1fe2 100644
--- a/src/psaux/cffdecode.c
+++ b/src/psaux/cffdecode.c
@@ -1950,7 +1950,8 @@
if ( num_results < 0 )
goto Syntax_Error;
- if ( num_results * (FT_Int)num_designs > num_args )
+ if ( num_results > num_args ||
+ num_results * (FT_Int)num_designs > num_args )
goto Stack_Underflow;
/* since we currently don't handle interpolation of multiple */
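Review bot: The new `num_results > num_args` test on the first added line is the only thing that keeps `num_results * (FT_Int)num_designs` on the second line from overflowing, but the code does not say so, and a later reader may "simplify" the condition back to the single product check the commit just removed. A comment above the `if` would make the invariant explicit, e.g. `/* num_results <= num_args bounds the product below: num_args is limited by the operand stack size, so the multiplication cannot overflow */`. That reasoning assumes num_args is capped by the decoder's stack depth and num_designs is a small count; neither bound is visible in the hunk, so confirm both before relying on the comment. The enclosing function cff_decoder_parse_charstrings starts and ends outside the hunk.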