From 13735570f051c4131cdc481939799d76c38c758b Mon Sep 17 00:00:00 2001
From: Michiharu Ariza <ariza@adobe.com>
Date: Thu, 15 Nov 2018 12:10:23 -0800
Subject: [PATCH] reject nested seac

---
 src/hb-cff1-interp-cs.hh |  4 ++++
 src/hb-ot-cff1-table.cc  | 11 ++++++-----
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/src/hb-cff1-interp-cs.hh b/src/hb-cff1-interp-cs.hh
index a74547980..29659a33f 100644
--- a/src/hb-cff1-interp-cs.hh
+++ b/src/hb-cff1-interp-cs.hh
@@ -44,6 +44,7 @@ struct CFF1CSInterpEnv : CSInterpEnv<Number, CFF1Subrs>
     processed_width = false;
     has_width = false;
     arg_start = 0;
+    in_seac = false;
   }
 
   inline void fini (void)
@@ -71,10 +72,13 @@ struct CFF1CSInterpEnv : CSInterpEnv<Number, CFF1Subrs>
     SUPER::clear_args ();
   }
 
+  inline void set_in_seac (bool _in_seac) { in_seac = _in_seac; }
+
   bool          processed_width;
   bool          has_width;
   unsigned int  arg_start;
   Number        width;
+  bool          in_seac;
 
   private:
   typedef CSInterpEnv<Number, CFF1Subrs> SUPER;
diff --git a/src/hb-ot-cff1-table.cc b/src/hb-ot-cff1-table.cc
index 50f54c01c..92c625882 100644
--- a/src/hb-ot-cff1-table.cc
+++ b/src/hb-ot-cff1-table.cc
@@ -261,7 +261,7 @@ struct CFF1PathProcs_Extents : PathProcs<CFF1PathProcs_Extents, CFF1CSInterpEnv,
   }
 };
 
-static bool _get_bounds (const OT::cff1::accelerator_t *cff, hb_codepoint_t glyph, Bounds &bounds);
+static bool _get_bounds (const OT::cff1::accelerator_t *cff, hb_codepoint_t glyph, Bounds &bounds, bool in_seac=false);
 
 struct CFF1CSOpSet_Extents : CFF1CSOpSet<CFF1CSOpSet_Extents, ExtentsParam, CFF1PathProcs_Extents>
 {
@@ -275,9 +275,9 @@ struct CFF1CSOpSet_Extents : CFF1CSOpSet<CFF1CSOpSet_Extents, ExtentsParam, CFF1
     hb_codepoint_t accent = param.cff->std_code_to_glyph (env.argStack[n-1].to_int ());
 
     Bounds  base_bounds, accent_bounds;
-    if (likely (base && accent
-               && _get_bounds (param.cff, base, base_bounds)
-               && _get_bounds (param.cff, accent, accent_bounds)))
+    if (likely (!env.in_seac && base && accent
+               && _get_bounds (param.cff, base, base_bounds, true)
+               && _get_bounds (param.cff, accent, accent_bounds, true)))
     {
       param.bounds.merge (base_bounds);
       accent_bounds.offset (delta);
@@ -288,7 +288,7 @@ struct CFF1CSOpSet_Extents : CFF1CSOpSet<CFF1CSOpSet_Extents, ExtentsParam, CFF1
   }
 };
 
-bool _get_bounds (const OT::cff1::accelerator_t *cff, hb_codepoint_t glyph, Bounds &bounds)
+bool _get_bounds (const OT::cff1::accelerator_t *cff, hb_codepoint_t glyph, Bounds &bounds, bool in_seac)
 {
   bounds.init ();
   if (unlikely (!cff->is_valid () || (glyph >= cff->num_glyphs))) return false;
@@ -297,6 +297,7 @@ bool _get_bounds (const OT::cff1::accelerator_t *cff, hb_codepoint_t glyph, Boun
   CFF1CSInterpreter<CFF1CSOpSet_Extents, ExtentsParam> interp;
   const ByteStr str = (*cff->charStrings)[glyph];
   interp.env.init (str, *cff, fd);
+  interp.env.set_in_seac (in_seac);
   ExtentsParam  param;
   param.init (cff);
   if (unlikely (!interp.interpret (param))) return false;