check number of blends against args on stack

diff --git a/src/hb-cff2-interp-cs.hh b/src/hb-cff2-interp-cs.hh
index d258b81..18e8468 100644 (file)
--- a/src/hb-cff2-interp-cs.hh
+++ b/src/hb-cff2-interp-cs.hh
@@ -235,6 +235,11 @@ struct CFF2CSOpSet : CSOpSet<BlendArg, OPSET, CFF2CSInterpEnv, PARAM, PATH>
     env.process_blend ();
     k = env.get_region_count ();
     n = env.argStack.pop_uint ();
+    if (unlikely (env.argStack.get_count () < ((k+1) * n)))
+    {
+      env.set_error ();
+      return;
+    }
     /* copy the blend values into blend array of the default values */
     unsigned int start = env.argStack.get_count () - ((k+1) * n);
     for (unsigned int i = 0; i < n; i++)