From 7b21319edfd6531a444846f71e87303bc09f4621 Mon Sep 17 00:00:00 2001
From: Michiharu Ariza <ariza@adobe.com>
Date: Tue, 6 Nov 2018 13:59:07 -0800
Subject: [PATCH 1/3] don't reject empty Dict

---
 src/hb-cff-interp-dict-common.hh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/hb-cff-interp-dict-common.hh b/src/hb-cff-interp-dict-common.hh
index 88fd34560..60f4726f0 100644
--- a/src/hb-cff-interp-dict-common.hh
+++ b/src/hb-cff-interp-dict-common.hh
@@ -262,12 +262,12 @@ struct DictInterpreter : Interpreter<ENV>
   inline bool interpret (PARAM& param)
   {
     param.init ();
-    do
+     while (SUPER::env.substr.avail ())
     {
       OPSET::process_op (SUPER::env.fetch_op (), SUPER::env, param);
       if (unlikely (SUPER::env.in_error ()))
         return false;
-    } while (SUPER::env.substr.avail ());
+    }
     
     return true;
   }

From 7fed7d80f72b35900b41878ae59e38fd1cb49dc8 Mon Sep 17 00:00:00 2001
From: Michiharu Ariza <ariza@adobe.com>
Date: Wed, 7 Nov 2018 09:09:13 -0800
Subject: [PATCH 2/3] fixed off-by-one error in CFF1 Encoding lookup

---
 src/hb-ot-cff1-table.hh | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/hb-ot-cff1-table.hh b/src/hb-ot-cff1-table.hh
index bc67e49b5..820404ed6 100644
--- a/src/hb-ot-cff1-table.hh
+++ b/src/hb-ot-cff1-table.hh
@@ -64,6 +64,8 @@ struct Encoding0 {
 
   inline hb_codepoint_t get_code (hb_codepoint_t glyph) const
   {
+    assert (glyph > 0);
+    glyph--;
     if (glyph < nCodes)
     {
       return (hb_codepoint_t)codes[glyph];
@@ -106,6 +108,8 @@ struct Encoding1 {
 
   inline hb_codepoint_t get_code (hb_codepoint_t glyph) const
   {
+    assert (glyph > 0);
+    glyph--;
     for (unsigned int i = 0; i < nRanges; i++)
     {
       if (glyph <= ranges[i].nLeft)

From ae8fd0dbfb57afadfe815c5bde4ad4a6485fd950 Mon Sep 17 00:00:00 2001
From: Michiharu Ariza <ariza@adobe.com>
Date: Wed, 7 Nov 2018 09:16:12 -0800
Subject: [PATCH 3/3] clear stack after vsindex op

---
 src/hb-cff2-interp-cs.hh | 1 +
 src/hb-ot-cff2-table.hh  | 1 +
 2 files changed, 2 insertions(+)

diff --git a/src/hb-cff2-interp-cs.hh b/src/hb-cff2-interp-cs.hh
index 592a1b23e..03dea4934 100644
--- a/src/hb-cff2-interp-cs.hh
+++ b/src/hb-cff2-interp-cs.hh
@@ -243,6 +243,7 @@ struct CFF2CSOpSet : CSOpSet<BlendArg, OPSET, CFF2CSInterpEnv, PARAM, PATH>
   static inline void process_vsindex (CFF2CSInterpEnv &env, PARAM& param)
   {
     env.process_vsindex ();
+    env.clear_args ();
   }
 
   private:
diff --git a/src/hb-ot-cff2-table.hh b/src/hb-ot-cff2-table.hh
index 04d9e2b38..1b01c1cfe 100644
--- a/src/hb-ot-cff2-table.hh
+++ b/src/hb-ot-cff2-table.hh
@@ -347,6 +347,7 @@ struct CFF2PrivateDictOpSet : DictOpSet
       case OpCode_vsindexdict:
         env.process_vsindex ();
         dictval.ivs = env.get_ivs ();
+        env.clear_args ();
         break;
       case OpCode_blenddict:
         break;