From 14d29a10437205566c4bd7bcfa2282d34d9f4f2f Mon Sep 17 00:00:00 2001
From: Michiharu Ariza <ariza@adobe.com>
Date: Wed, 5 Dec 2018 21:33:29 -0800
Subject: [PATCH 1/2] check number of blends against args on stack

---
 src/hb-cff2-interp-cs.hh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/hb-cff2-interp-cs.hh b/src/hb-cff2-interp-cs.hh
index d258b8148..18e846803 100644
--- a/src/hb-cff2-interp-cs.hh
+++ b/src/hb-cff2-interp-cs.hh
@@ -235,6 +235,11 @@ struct CFF2CSOpSet : CSOpSet<BlendArg, OPSET, CFF2CSInterpEnv, PARAM, PATH>
     env.process_blend ();
     k = env.get_region_count ();
     n = env.argStack.pop_uint ();
+    if (unlikely (env.argStack.get_count () < ((k+1) * n)))
+    {
+      env.set_error ();
+      return;
+    }
     /* copy the blend values into blend array of the default values */
     unsigned int start = env.argStack.get_count () - ((k+1) * n);
     for (unsigned int i = 0; i < n; i++)

From ae087d10c22249f3aec3239e4eac98a728f71f75 Mon Sep 17 00:00:00 2001
From: Michiharu Ariza <ariza@adobe.com>
Date: Wed, 5 Dec 2018 21:47:34 -0800
Subject: [PATCH 2/2] add minimized test case for oss-fuzz issue 11714

---
 ...e-minimized-hb-subset-fuzzer-5710107829075968 | Bin 0 -> 3660 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5710107829075968

diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5710107829075968 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5710107829075968
new file mode 100644
index 0000000000000000000000000000000000000000..5fef2f84850835a7450d8e2f77c106cb31713837
GIT binary patch
literal 3660
zcmeHJYfMyE5T3is;)<(otq4sTa%-`!79pjT_#l-xQqffxwZv9k-b7)6T~xFdh&9CC
zB`YDgB|Z=-Aq^Te*0k0dV;d45KMb{vP1K}nTTN<%Hl+u0mG+x+rP4;5*x&5to-;G&
zoA1obnR|AfIXO-mPjzIbrKuSi@kgt_DJKd$N@On2OiRz8=V=Vl1eJ&)GnYDD&V6sT
zK%WEs!orow%ZsM(swA2i0zJX$ii=;J<K0c9Btc)7U*@hL8?g>PdZTEgyUO2R8U#KO
zdQM59yI`VY;(Ex}@FbML5Y}Kh2mEB{(IsWR&DJ|gDD(r+?Pc!G6%?`*qQd)!mb=Re
ze+xZ?c$FWCtZfw@ua7LW3h{q{^_iqFl<4M-SKnPbF|nV_<~y*^x1U};E9VpU>_Z7d
zUsx+Rd{n^16F%@Ue?Qa*&X0x?hZ3z7lF3*zMmQi2b~7t|bPl_c=|j`o&=(oAvWDW7
zC|Jjt%__ObLq+7HP2{F3DkPOk<z^c&=R+?iFUA7ct05Oau7d2N5{Y$D7G*<sQia5-
zlmWhStgEn(WQc)frS$f~&KQ+mqgeT<lmos}?4;5^_vL8V>ZXl&O0nvuJd7OYCg>ao
zukyahv`orAnuoarYd%CZkK*w4B9|)QD`4|tSB_x=W)G~zSa-rd8~Vsd9%u5T8gWzw
zVDW;Hne$K|AL8Ol8QHlxM>P_0xnRp8m-+(c6sbd_7&4<*6gv(IXTJh9P|+aCv>e}L
zS^_<b(xtBx7L`&F<q}GRl~-71UXEOq_*~43u)-Lwb|IoN&WTT~kTxTGK4CAu93xvx
zsSH-GIY-X<yC89OpZ$bY^pU|j?CS-0Au3;r748K-U9L(oYURdQB;#aE72@Dp4)+E}
z$VjdxN5`u^SbUhdy1ZTtX`}Qlhm~1Xs)4OqW>yUh=fT}=WMg#F(@!<_fA!2_M8!Q|
zyce@^5-B(-m(0`)Mx!IP$aN3w+%4S6#d0^!E*X#EUoJD`sNGMr7R%G&ZYz4kn}v?y
zb2ix0amEI}@%9<k93VKtg?RtCyPT+1A<aT>4Ws!@HL#DRr+Ga_aHsIO<e|nJa8gh4
zNcuM}<-hT$pTU<RYnV^#pT-O%_Y)(A@5et+Q2fZt@Nb##!)TgDuQ1d?*1_Gj=r5n!
z8z})%@)EVlaSBF-C<$NrxhuyI6O0#>Y?H(E^)H+Jb}f7$P1rD7v_XgEL7HyJ4;_|M
z-D1w=Mtk^uk+wj$HQFr~`#trT0-ELgOO-8<`t-D9!7KU?VjWY6dE(~F+u-B6y(a+s
zERlFckAxt;(%)jhEIsjxV8e<yt+Bykw=}fsY5M1_$Kj(59Ma$M0~@O!Ouf&nvHJeY
zzq0oql^m!ZBlh>sU_C}0OrHipdvHjwON&gTTSUts)B!bXK32P~c3kSXUR$%hrG9IZ
z-HNz7=5}Ou&ELLvdtL25SVYtVb<tHI4+{r->UD#TW1ON#UuftL9mhD)`=ahRHVzjj
zKW4ku^*c7zPgY6AGZjjo2XeT`?q!phS?|B+n-ag~y{exyF{#;aw`#YSoqfG^NAr%(
zz%FP3%cUB>z3s@^2GDE0+ZZ8e?ioF@%~R75uxnO5X|ZH~=x70b_kc;LpKy`Hemy!4
zC76^ccbc4v=~A(~4Ky=)m}c&>Ts`_kcgHQsVmmKc^q;@;v-1T#32Z`5m(Ej@F<oDs
z3u0~h8Ftn~X6Ncr7teO~N^jLj=US)VUK@U6C(u1dPWS9>*wqxUTQ{|(-$HG2U8_9l
z?VZ8Kwp|>y<04RT!hXaBQn4ISBD3YUZ9>GPR^~2X+Ve<VJMB5*u4!&)1yNgjFB6p>
zUv_LkZBuPyy(CHu0HvGs$oyt7=>_#Nz5-#=Ula-34tEBa3N5WDiskNL`=r|7Kvl3U
zcq-TvY!03dYFfLdX|>u`tpQJKM5z9L@TArlF$TCTz<m}x6Kuk0)ysloqYmV)wT;zm
z<GT9&5n<gz^+$~B3ij`8jIi0d_XxEX!g%8?;?ekrqgeP~6MqzrqX2Ulo(eqpkD^Qf
iZp5$R=)HpDv}mLEio9n=?-jl#NAHzqxK|$iyZ#HV>p1iP

literal 0
HcmV?d00001