[sfnt] Pointer validity check when reading COLR 'v1' layers

* src/sfnt/ttcolr.c (tt_face_get_paint_layers): In addition to the existing sanity checks, ensure that the pointer to the layer to be read is within the 'COLR' v1 table.
4 years ago · ee6d03d369
parent 41fa19fcea
commit ee6d03d369
2 changed files with 15 additions and 0 deletions
--- a/8
+++ b/8
@ -1,3 +1,11 @@
+2021-06-08  Dominik Röttsches  <drott@chromium.org>
+
+	[sfnt] Pointer validity check when reading COLR 'v1' layers
+
+	* src/sfnt/ttcolr.c (tt_face_get_paint_layers): In addition to the
+	existing sanity checks, ensure that the pointer to the layer to be
+	read is within the 'COLR' v1 table.
+
 2021-06-08  Werner Lemberg  <wl@gnu.org>

 	* src/sdf/ftsdfcommon.c: Fix inclusion of header files.
--- a/src/sfnt/ttcolr.c
+++ b/src/sfnt/ttcolr.c
@ -701,6 +701,13 @@
     */
    p = iterator->p;

+    /*
+     * First ensure that p is within COLRv1.
+     */
+    if ( p < colr->base_glyphs_v1                          ||
+         p >= ( (FT_Byte*)colr->table + colr->table_size ) )
+      return 0;
+
    /*
     * Do a cursor sanity check of the iterator.  Counting backwards from
     * where it stands, we need to end up at a position after the beginning