(CFF) Fixed panic and stack overflow during seac resolving.

Closes #80

CHANGELOG.md

@@ -5,6 +5,9 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [Unreleased]
+### Fixed
+- (CFF) Panic during `seac` resolving.
+- (CFF) Stack overflow during `seac` resolving.
 
 ## [0.13.3] - 2021-11-19
 ### Fixed

src/tables/cff/cff1.rs

@@ -451,13 +451,17 @@ fn _parse_char_string(
                     let dy = p.stack.pop();
                     let dx = p.stack.pop();
 
-                    if !ctx.width_parsed {
+                    if !ctx.width_parsed && !p.stack.is_empty() {
                         p.stack.pop();
                         ctx.width_parsed = true;
                     }
 
                     ctx.has_seac = true;
 
+                    if depth == STACK_LIMIT {
+                        return Err(CFFError::NestingLimitReached);
+                    }
+
                     let base_char_string = ctx.metadata.char_strings.get(u32::from(base_char.0))
                         .ok_or(CFFError::InvalidSeacCode)?;
                     _parse_char_string(ctx, base_char_string, depth + 1, p)?;

tests/tables/cff1.rs

@@ -742,6 +742,14 @@ test_cs_err!(multiple_endchar, &[
     UInt8(operator::ENDCHAR),
 ], CFFError::DataAfterEndChar);
 
+test_cs_err!(seac_with_not_enough_data, &[
+    CFFInt(0),
+    CFFInt(0),
+    CFFInt(0),
+    CFFInt(0),
+    UInt8(operator::ENDCHAR),
+], CFFError::NestingLimitReached);
+
 test_cs_err!(operands_overflow, &[
     CFFInt(0), CFFInt(1), CFFInt(2), CFFInt(3), CFFInt(4), CFFInt(5), CFFInt(6), CFFInt(7), CFFInt(8), CFFInt(9),
     CFFInt(0), CFFInt(1), CFFInt(2), CFFInt(3), CFFInt(4), CFFInt(5), CFFInt(6), CFFInt(7), CFFInt(8), CFFInt(9),