[colr] Ensure enough bytes for PaintColrLayers

* src/sfnt/ttcolr.c (read_paint): check that there are five additional bytes to be read when reading PaintColrLayers. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66566
10 months ago · f42ce25563
parent 17545d4bf7
commit f42ce25563
1 changed files with 1 additions and 0 deletions
--- a/src/sfnt/ttcolr.c
+++ b/src/sfnt/ttcolr.c
@ -661,6 +661,7 @@
      FT_UInt32  first_layer_index;


+      ENSURE_READ_BYTES( 5 );
      num_layers = FT_NEXT_BYTE( p );
      if ( num_layers > colr->num_layers_v1 )
        return 0;