[cff] Better check of number of blends.

* src/cff/cf2intrp.c (cf2_interpT2CharString) <cf2_cmdBLEND>,
src/cff/cffparse.c (cff_parse_blend): Compare number of blends with
stack size.

2 files changed, 11 insertions, 4 deletions

diff --git a/src/cff/cf2intrp.c b/src/cff/cf2intrp.c
index 078f6feb4..ef52999c6 100644
--- a/src/cff/cf2intrp.c
+++ b/src/cff/cf2intrp.c
@@ -693,12 +693,13 @@
           }
 
           /* do the blend */
+          numBlends = (FT_UInt)cf2_stack_popInt( opStack );
+          if ( numBlends > stackSize )
           {
-            FT_Int  temp = cf2_stack_popInt( opStack );
-
-
-            numBlends = temp > 0 ? (FT_UInt)temp : 0;
+            lastError = FT_THROW( Invalid_Glyph_Format );
+            goto exit;
           }
+
           cf2_doBlend( &font->blend, opStack, numBlends );
 
           font->blend.usedBV = TRUE;
diff --git a/src/cff/cffparse.c b/src/cff/cffparse.c
index a848631ba..ee538c360 100644
--- a/src/cff/cffparse.c
+++ b/src/cff/cffparse.c
@@ -907,6 +907,12 @@
     }
 
     numBlends = (FT_UInt)cff_parse_num( parser, parser->top - 1 );
+    if ( numBlends > parser->stackSize )
+    {
+      FT_ERROR(( "cff_parse_blend: Invalid number of blends\n" ));
+      error = FT_THROW( Invalid_File_Format );
+      goto Exit;
+    }
 
     FT_TRACE4(( "   %d values blended\n", numBlends ));