From df2fb115bf874a242a9fd49aa99c3c2fd41d151c Mon Sep 17 00:00:00 2001
From: Mateusz Jurczyk
Date: Thu, 7 May 2026 12:47:52 +0000
Subject: [PATCH] * src/psaux/psintrp.c (cf2_doBlend): Implement proper bounds check accounting for all operands. Fixes #1429.
---
 src/psaux/psintrp.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/src/psaux/psintrp.c b/src/psaux/psintrp.c
index 7e3475e6f..1803f0068 100644
--- a/src/psaux/psintrp.c
+++ b/src/psaux/psintrp.c
@@ -415,7 +415,7 @@
 /* Blend numOperands on the stack, */
 /* store results into the first numBlends values, */
 /* then pop remaining arguments. */
- static void
+ static FT_Error
 cf2_doBlend( const CFF_Blend blend,
 CF2_Stack opStack,
 CF2_UInt numBlends )
@@ -424,9 +424,13 @@
 CF2_UInt base;
 CF2_UInt i, j;
 CF2_UInt numOperands = (CF2_UInt)( numBlends * blend->lenBV );
+ CF2_UInt count = cf2_stack_count( opStack );
- base = cf2_stack_count( opStack ) - numOperands;
+ if ( numOperands > count )
+ return FT_THROW( Stack_Underflow );
+
+ base = count - numOperands;
 delta = base + numBlends;
 FT_TRACE6(( " (" ));
@@ -455,6 +459,8 @@
 /* leave only `numBlends' results on stack */
 cf2_stack_pop( opStack, numOperands - numBlends );
+
+ return FT_Err_Ok;
 }
@@ -769,13 +775,10 @@
 /* do the blend */
 numBlends = (FT_UInt)cf2_stack_popInt( opStack );
- if ( numBlends > stackSize )
- {
- lastError = FT_THROW( Invalid_Glyph_Format );
- goto exit;
- }
- cf2_doBlend( &font->blend, opStack, numBlends );
+ lastError = cf2_doBlend( &font->blend, opStack, numBlends );
+ if ( lastError )
+ goto exit;
 font->blend.usedBV = TRUE;
 }
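Review bot: The comment block above `cf2_doBlend` still describes only the blend and the pop, although the function now returns an `FT_Error` in the first hunk. I would add a line in the same style, for example `/* Return `Stack_Underflow' if fewer than numBlends * lenBV operands are on the stack. */`, so the new contract is documented beside the signature. The function body lies outside this hunk.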
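Review bot: The new `numOperands > count` test in the second hunk does not bound `numBlends` itself, because `numOperands` is computed as `(CF2_UInt)( numBlends * blend->lenBV )` and that product can wrap; it is also 0 if `lenBV` is 0, which nothing visible here rules out. `numBlends` is a charstring operand cast from a signed pop in the last hunk, where the old `numBlends > stackSize` guard is removed, so a very large value whose product wraps to something small would pass the check and still reach `delta = base + numBlends`, presumably the blend loop, and the `numOperands - numBlends` pop count. Whether the stack accessors reject such indices on their own is not visible in this patch, so I would test the factor rather than the product: `if ( blend->lenBV == 0 || numBlends > count / blend->lenBV ) return FT_THROW( Stack_Underflow );`. The body of `cf2_doBlend` continues between this hunk and the next.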