From e662a9500f826a7f534170e981da4987ca8d83f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dominik=20R=C3=B6ttsches?= <drott@chromium.org>
Date: Mon, 19 Apr 2021 12:49:16 +0300
Subject: [PATCH] [sfnt] Return in 'COLR' v1 when layer pointer outside table

* src/sfnt/ttcolr.c (tt_face_get_paint_layers): Add missing return
when paint pointer outside table.
(read_paint): Add missing return when paint pointer outside table.
---
 ChangeLog         | 8 ++++++++
 src/sfnt/ttcolr.c | 2 ++
 2 files changed, 10 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 4b41688fa..9bd955369 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2021-04-19  Dominik Röttsches  <drott@chromium.org>
+
+	[sfnt] Return in 'COLR' v1 when layer pointer outside table
+
+	* src/sfnt/ttcolr.c (tt_face_get_paint_layers): Add missing return
+	when paint pointer outside table.
+	(read_paint): Add missing return when paint pointer outside table.
+
 2021-04-18  Alexei Podtelezhnikov  <apodtele@gmail.com>
 
 	[cache] Switch to lazy SBit setting.
diff --git a/src/sfnt/ttcolr.c b/src/sfnt/ttcolr.c
index 617ba9379..f3f396ad5 100644
--- a/src/sfnt/ttcolr.c
+++ b/src/sfnt/ttcolr.c
@@ -390,6 +390,7 @@
 
     if ( p < colr->base_glyphs_v1                          ||
          p >= ( (FT_Byte*)colr->table + colr->table_size ) )
+      return 0;
 
     apaint->format = FT_NEXT_BYTE( p );
 
@@ -725,6 +726,7 @@
 
     if ( p_paint < colr->base_glyphs_v1                          ||
          p_paint >= ( (FT_Byte*)colr->table + colr->table_size ) )
+      return 0;
 
     opaque_paint->p = p_paint;