* src/psaux/psintrp.c (cf2_doBlend): Implement proper bounds check accounting for all operands.

Fixes #1429.
2026-05-15 12:48:06 +02:00 · 2026-05-07 12:47:52 +00:00 · 2026-05-07 12:47:52 +00:00 · df2fb115bf
commit df2fb115bf
parent 1f705ffb71
1 changed files with 11 additions and 8 deletions
--- a/src/psaux/psintrp.c
+++ b/src/psaux/psintrp.c
@ -415,7 +415,7 @@
  /* Blend numOperands on the stack,                */
  /* store results into the first numBlends values, */
  /* then pop remaining arguments.                  */
-  static void
+  static FT_Error
  cf2_doBlend( const CFF_Blend  blend,
               CF2_Stack        opStack,
               CF2_UInt         numBlends )
@ -424,9 +424,13 @@
    CF2_UInt  base;
    CF2_UInt  i, j;
    CF2_UInt  numOperands = (CF2_UInt)( numBlends * blend->lenBV );
+    CF2_UInt  count       = cf2_stack_count( opStack );


-    base  = cf2_stack_count( opStack ) - numOperands;
+    if ( numOperands > count )
+      return FT_THROW( Stack_Underflow );
+
+    base  = count - numOperands;
    delta = base + numBlends;

    FT_TRACE6(( " (" ));
@ -455,6 +459,8 @@

    /* leave only `numBlends' results on stack */
    cf2_stack_pop( opStack, numOperands - numBlends );
+
+    return FT_Err_Ok;
  }


@ -769,13 +775,10 @@

          /* do the blend */
          numBlends = (FT_UInt)cf2_stack_popInt( opStack );
-          if ( numBlends > stackSize )
-          {
-            lastError = FT_THROW( Invalid_Glyph_Format );
-            goto exit;
-          }

-          cf2_doBlend( &font->blend, opStack, numBlends );
+          lastError = cf2_doBlend( &font->blend, opStack, numBlends );
+          if ( lastError )
+            goto exit;

          font->blend.usedBV = TRUE;
        }