From 6d62076ae5d000612202aeae99c71ce27fdb2fb1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dominik=20R=C3=B6ttsches?= <drott@chromium.org>
Date: Tue, 30 Aug 2022 15:00:37 +0300
Subject: [PATCH] [sfnt] Pointer sanity checks before reading layer info in
 'COLR' v0

* src/sfnt/ttcolr.c (tt_face_get_colr_layer): Check that the pointer to
read from is within the 'COLR' table.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50633
---
 src/sfnt/ttcolr.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/sfnt/ttcolr.c b/src/sfnt/ttcolr.c
index 1277bbd53..ad0f1278a 100644
--- a/src/sfnt/ttcolr.c
+++ b/src/sfnt/ttcolr.c
@@ -481,7 +481,9 @@
       iterator->p = colr->layers + offset;
     }
 
-    if ( iterator->layer >= iterator->num_layers )
+    if ( iterator->layer >= iterator->num_layers                     ||
+         iterator->p < colr->layers                                  ||
+         iterator->p >= ( (FT_Byte*)colr->table + colr->table_size ) )
       return 0;
 
     *aglyph_index = FT_NEXT_USHORT( iterator->p );