diff --git a/src/hb-cff2-interp-cs.hh b/src/hb-cff2-interp-cs.hh
index d258b8148..18e846803 100644
--- a/src/hb-cff2-interp-cs.hh
+++ b/src/hb-cff2-interp-cs.hh
@@ -235,6 +235,11 @@ struct CFF2CSOpSet : CSOpSet
 env.process_blend ();
 k = env.get_region_count ();
 n = env.argStack.pop_uint ();
+ if (unlikely (env.argStack.get_count () < ((k+1) * n)))
+ {
+ env.set_error ();
+ return;
+ }
 /* copy the blend values into blend array of the default values */
 unsigned int start = env.argStack.get_count () - ((k+1) * n);
 for (unsigned int i = 0; i < n; i++)
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5710107829075968 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5710107829075968
new file mode 100644
index 000000000..5fef2f848
Binary files /dev/null and b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5710107829075968 differ
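Review bot: The added guard evaluates `(k+1) * n` before comparing it with the stack count, and both operands are font-controlled here (`k` from `env.get_region_count ()`, `n` popped from `argStack` on the line above), so if the product wraps in the operands' type the check passes and `start` on the following line underflows to a huge offset. An equivalent comparison without the multiplication is `if (unlikely (k + 1 == 0 || n > env.argStack.get_count () / (k + 1)))`, which for unsigned operands is exactly `count >= (k+1)*n` and also covers the `k + 1` wrap-to-zero case. The declarations of `k` and `n` are outside the hunk, so whether they are narrow enough for this to matter in practice should be confirmed there; the enclosing handler starts and ends outside this hunk as well.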