From 0bf95b585e5a44e6999ebd54ad2b1913e5e885a8 Mon Sep 17 00:00:00 2001
From: Dave Arnold
Date: Fri, 17 Mar 2017 07:22:55 +0100
Subject: [PATCH] [cff] Fix CFF2 stack allocation.

* src/cff/cffparse.c (cff_parser_init) add 1 for operator.
---
 ChangeLog | 6 ++++++
 src/cff/cffload.c | 3 ++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 7dac7a2c1..86a581845 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2017-03-17 Dave Arnold
+
+ [cff] Fix CFF2 stack allocation.
+
+ * src/cff/cffparse.c (cff_parser_init) add 1 for operator.
+
 2017-03-16 Werner Lemberg

 * src/truetype/ttgxvar.c (tt_done_blend): Free `vvar_table'.
diff --git a/src/cff/cffload.c b/src/cff/cffload.c
index d3a2af9ad..ed93fb571 100644
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@@ -1890,7 +1890,8 @@
 subfont->lenNDV = lenNDV;
 subfont->NDV = NDV;

-stackSize = font->cff2 ? font->top_font.font_dict.maxstack
+/* add 1 for the operator */
+stackSize = font->cff2 ? font->top_font.font_dict.maxstack + 1
 : CFF_MAX_STACK_DEPTH + 1;

 if ( cff_parser_init( &parser,
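Review bot: The new `stackSize = font->cff2 ? font->top_font.font_dict.maxstack + 1` line sizes the operand stack straight from `maxstack`, a value that comes from the font's top DICT and is therefore untrusted; nothing in this hunk bounds it, so unless the DICT parser clamps it where it is read (not visible here), a malformed font could request a zero-sized or enormous stack before `cff_parser_init` ever runs. The CFF2 specification caps `maxstack` at 513, so I would either clamp at the parse site so every consumer sees a sane value, or guard here, e.g. `stackSize = font->cff2 ? FT_MIN( font->top_font.font_dict.maxstack, 513 ) + 1 : CFF_MAX_STACK_DEPTH + 1;` (assuming `FT_MIN` is in scope in this file). The added comment would also help more if it said why the extra slot is needed, e.g. `/* add 1 for the operator: the parser apparently pushes it on the same stack as the operands */`, since the ChangeLog/commit message point to `cffparse.c (cff_parser_init)` while the edit is actually in `cffload.c`. The enclosing function starts and ends outside the hunk.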