From 6905d36d73f7b33243aaa8507ded49272462d3f8 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Mon, 21 Nov 2022 10:51:33 -0700
Subject: [PATCH] [cff] Fix fetch_op() bounds-checking

---
 src/hb-cff-interp-common.hh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/hb-cff-interp-common.hh b/src/hb-cff-interp-common.hh
index 2c299c5c8..8ac0c4739 100644
--- a/src/hb-cff-interp-common.hh
+++ b/src/hb-cff-interp-common.hh
@@ -564,13 +564,13 @@ struct interp_env_t
     if (unlikely (!str_ref.avail ()))
       return OpCode_Invalid;
     op = (op_code_t)(unsigned char)str_ref[0];
+    str_ref.inc ();
     if (op == OpCode_escape) {
       if (unlikely (!str_ref.avail ()))
 	return OpCode_Invalid;
-      op = Make_OpCode_ESC(str_ref[1]);
+      op = Make_OpCode_ESC(str_ref[0]);
       str_ref.inc ();
     }
-    str_ref.inc ();
     return op;
   }