From 0eae6eb0645264c98812f0095e0f5df4541830e6 Mon Sep 17 00:00:00 2001
From: Dave Arnold <darnold@adobe.com>
Date: Fri, 28 Feb 2014 07:40:01 +0100
Subject: [PATCH] Fix Savannah bug #41697, part 1.

* src/cff/cf2hints.c (cf2_hintmap_build): Return when `hintMask' is
invalid.  In this case, it is not safe to use the length of
`hStemHintArray'; the exception has already been recorded in
`hintMask'.
---
 ChangeLog          | 9 +++++++++
 src/cff/cf2hints.c | 2 ++
 2 files changed, 11 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 2010fdadf..1f48e2493 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2014-02-28  Dave Arnold  <darnold@adobe.com>
+
+	[cff] Fix Savannah bug #41697, part 1.
+
+	* src/cff/cf2hints.c (cf2_hintmap_build): Return when `hintMask' is
+	invalid.  In this case, it is not safe to use the length of
+	`hStemHintArray'; the exception has already been recorded in
+	`hintMask'.
+
 2014-02-26  Werner Lemberg  <wl@gnu.org>
 
 	[sfnt] Fix Savannah bug #41696.
diff --git a/src/cff/cf2hints.c b/src/cff/cf2hints.c
index 5f4416168..79f84fcef 100644
--- a/src/cff/cf2hints.c
+++ b/src/cff/cf2hints.c
@@ -781,6 +781,8 @@
       cf2_hintmask_setAll( hintMask,
                            cf2_arrstack_size( hStemHintArray ) +
                              cf2_arrstack_size( vStemHintArray ) );
+      if ( !cf2_hintmask_isValid( hintMask ) )
+          return;                   /* too many stem hints */
     }
 
     /* begin by clearing the map */