From ba1a6acf288be44d0b816e3f520a9ab520c996d2 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Fri, 15 Jan 2021 10:09:00 +0100
Subject: [PATCH] [sfnt] Additional checks for 'colr' table presence.

* sfnt/ttcolr.c (tt_face_get_colr_glyph_paint, tt_face_get_colorline_stops, tt_face_get_paint): Additional checks for whether colr table is present. Prevents crashes when these methods are called on non-COLR fonts.
---
 ChangeLog | 9 +++++++++
 src/sfnt/ttcolr.c | 9 +++++++++
 2 files changed, 18 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index eee310039..a8b5cda45 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2021-01-14 Dominik Röttsches
+
+ [sfnt] Additional checks for 'colr' table presence.
+
+ * sfnt/ttcolr.c (tt_face_get_colr_glyph_paint,
+ tt_face_get_colorline_stops, tt_face_get_paint): Additional checks
+ for whether colr table is present. Prevents crashes when these
+ methods are called on non-COLR fonts.
+
 2021-01-13 Dominik Röttsches Add config option to test for 'COLR' v1 support in headers.
diff --git a/src/sfnt/ttcolr.c b/src/sfnt/ttcolr.c
index a39773d61..9de391d37 100644
--- a/src/sfnt/ttcolr.c
+++ b/src/sfnt/ttcolr.c
@@ -665,6 +665,9 @@
 FT_Byte* p;
+ if ( !colr )
+ return 0;
+
 if ( colr->version < 1 || !colr->num_base_glyphs_v1 || !colr->base_glyphs_v1 ) return 0;
@@ -755,6 +758,9 @@
 FT_Byte* p;
+ if ( !colr )
+ return 0;
+
 if ( iterator->current_color_stop >= iterator->num_color_stops ) return 0;
@@ -793,6 +799,9 @@
 FT_Byte* p;
+ if ( !colr )
+ return 0;
+
 if ( opaque_paint.p < (FT_Byte*)colr->table || opaque_paint.p >= ( (FT_Byte*)colr->table + colr->table_size ) ) return 0;
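Review bot: The new `if ( !colr ) return 0;` guard in the `@@ -665` hunk, repeated in the `@@ -755` and `@@ -793` hunks, carries no comment and returns the same 0 as the version, iterator and range checks directly below it. A one-line comment above each guard, for example `/* face has no 'COLR' table: nothing to return */`, would record why a NULL pointer is an expected state here rather than an internal error. The declaration that initialises `colr` lies above each hunk, so this assumes nothing between that declaration and the guard dereferences it; the function bodies start and end outside the hunks.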
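Review bot: In the `@@ -793` hunk the range test that follows the new guard only establishes that `opaque_paint.p` points at some byte inside `colr->table`, not that a whole paint record fits before `colr->table + colr->table_size`. Because `opaque_paint` is supplied by the caller, a pointer near the end of the table passes this test, and the reads after it then depend on per-format length checks that are not visible in the hunk. It would be worth confirming those checks exist, and adding a comment here such as `/* only the first byte is validated; each format checks its own size below */`. The same question applies to `iterator->p` in the `@@ -755` hunk, where the visible test compares only stop counts.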