From a297feab0e7cdd8e9fa88965cd8d9591f5e6b4d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dominik=20R=C3=B6ttsches?= Date: Tue, 17 Jan 2023 14:30:48 +0200 Subject: [PATCH] [sfnt] Avoid nullptr dereference in reading malformed 'COLR' v1 table. Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=1408044. * src/sfnt/ttcolr.c (tt_face_load_colr): When the 'COLR' v1 table header is too small, don't deallocate delta set index map structures. --- src/sfnt/ttcolr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/sfnt/ttcolr.c b/src/sfnt/ttcolr.c index 369d28c9c..f98c60c87 100644 --- a/src/sfnt/ttcolr.c +++ b/src/sfnt/ttcolr.c @@ -190,7 +190,7 @@ #endif if ( table_size < COLRV0_HEADER_SIZE ) - goto InvalidTable; + goto NoColr; if ( FT_FRAME_EXTRACT( table_size, table ) ) goto NoColr;
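Review bot: retargeting the `goto` at `if ( table_size < COLRV0_HEADER_SIZE )` from `InvalidTable` to `NoColr` avoids the crash by skipping the `InvalidTable` cleanup altogether, but it leaves that cleanup path unsafe for any other early exit taken before the delta set index map structures are allocated. Consider also making the `InvalidTable` teardown tolerate not-yet-allocated (NULL) pointers, so that a future size or sanity check placed before the allocations cannot reintroduce the same dereference; a one-line comment next to `goto NoColr;` stating why it is the correct target here (nothing has been allocated or extracted at this point, which is the same reason the following `FT_FRAME_EXTRACT` failure uses `NoColr`) would make the intent clear to the next reader.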