[sfnt] Avoid nullptr dereference in reading malformed 'COLR' v1 table.

Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=1408044.

* src/sfnt/ttcolr.c (tt_face_load_colr): When the 'COLR' v1 table header is
too small, don't deallocate delta set index map structures.
Dominik Röttsches 2023-01-17 14:30:48 +02:00 committed by Werner Lemberg
parent f80be4e959
commit a297feab0e
1 changed files with 1 additions and 1 deletions

@ -190,7 +190,7 @@
#endif
if ( table_size < COLRV0_HEADER_SIZE )
goto InvalidTable;
goto NoColr;
if ( FT_FRAME_EXTRACT( table_size, table ) )
goto NoColr;
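Review bot: The `table_size < COLRV0_HEADER_SIZE` branch exits through `NoColr`, but nothing in the hunk shows `error` being set before that jump. Please confirm whether a truncated table is meant to be reported as an invalid table or treated as absent 'COLR' data, and set the error code explicitly if it is the former. A short comment at this `goto` would help, stating that `InvalidTable` must not be reached before the delta set index map structures exist, so that a later cleanup does not reintroduce the null dereference. The commit message also speaks of the 'COLR' v1 header being too small while the check compares against `COLRV0_HEADER_SIZE`; aligning the wording with the code would avoid confusion.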