Merge pull request #1458 from harfbuzz/cff-check-blends [CFF] oss-fuzz issue 11714: set_blends

commit: 6ad3fcddaf2ba8ebc9ad49ff9e7b33b60fcad16a [log] [tgz]
author: Ebrahim Byagowi <ebrahim@gnu.org> Thu Dec 06 10:21:00 2018 +0330
committer: GitHub <noreply@github.com> Thu Dec 06 10:21:00 2018 +0330
tree: 5009305fe7656815bfbeb92177168a0b450b6424
parent: f95324a3351c1f699214ad84d073268218ea83a3 [diff]
parent: ae087d10c22249f3aec3239e4eac98a728f71f75 [diff]
diff --git a/src/hb-cff2-interp-cs.hh b/src/hb-cff2-interp-cs.hh
index d258b81..18e8468 100644
--- a/src/hb-cff2-interp-cs.hh
+++ b/src/hb-cff2-interp-cs.hh

@@ -235,6 +235,11 @@
     env.process_blend ();
     k = env.get_region_count ();
     n = env.argStack.pop_uint ();
+    if (unlikely (env.argStack.get_count () < ((k+1) * n)))
+    {
+      env.set_error ();
+      return;
+    }
     /* copy the blend values into blend array of the default values */
     unsigned int start = env.argStack.get_count () - ((k+1) * n);
     for (unsigned int i = 0; i < n; i++)

diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5710107829075968 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5710107829075968
new file mode 100644
index 0000000..5fef2f8
--- /dev/null
+++ b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5710107829075968
Binary files differ
commit	6ad3fcddaf2ba8ebc9ad49ff9e7b33b60fcad16a	[log] [tgz]
author	Ebrahim Byagowi <ebrahim@gnu.org>	Thu Dec 06 10:21:00 2018 +0330
committer	GitHub <noreply@github.com>	Thu Dec 06 10:21:00 2018 +0330
tree	5009305fe7656815bfbeb92177168a0b450b6424
parent	f95324a3351c1f699214ad84d073268218ea83a3 [diff]
parent	ae087d10c22249f3aec3239e4eac98a728f71f75 [diff]