From 6d62076ae5d000612202aeae99c71ce27fdb2fb1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dominik=20R=C3=B6ttsches?= Date: Tue, 30 Aug 2022 15:00:37 +0300 Subject: [PATCH] [sfnt] Pointer sanity checks before reading layer info in 'COLR' v0 * src/sfnt/ttcolr.c (tt_face_get_colr_layer): Check that the pointer to read from is within the 'COLR' table. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50633 --- src/sfnt/ttcolr.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/sfnt/ttcolr.c b/src/sfnt/ttcolr.c index 1277bbd53..ad0f1278a 100644 --- a/src/sfnt/ttcolr.c +++ b/src/sfnt/ttcolr.c @@ -481,7 +481,9 @@ iterator->p = colr->layers + offset; } - if ( iterator->layer >= iterator->num_layers ) + if ( iterator->layer >= iterator->num_layers || + iterator->p < colr->layers || + iterator->p >= ( (FT_Byte*)colr->table + colr->table_size ) ) return 0; *aglyph_index = FT_NEXT_USHORT( iterator->p );
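Review bot: the new upper-bound check in the `if` condition, `iterator->p >= ( (FT_Byte*)colr->table + colr->table_size )`, only guarantees that `iterator->p` points before the end of the table, but the very next statement, `*aglyph_index = FT_NEXT_USHORT( iterator->p );`, reads two bytes at that position, so with `iterator->p` equal to `table + table_size - 1` the read still runs one byte past the end of the 'COLR' table. The bound should account for the size of what is read from `iterator->p`, for example `iterator->p + 2 > ( (FT_Byte*)colr->table + colr->table_size )` (larger if further fields of the layer record are read after the glyph index in the code that follows this hunk). A smaller point: `iterator->p < colr->layers` compares a pointer that may already have been computed out of range by `colr->layers + offset`; checking `offset` against the table size before forming the pointer would avoid that and make the intent of the check clearer.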