author | Dominik Röttsches <drott@chromium.org> | 2023-01-17 14:30:48 +0200 |
---|---|---|
committer | Werner Lemberg <wl@gnu.org> | 2023-01-18 08:22:53 +0100 |
commit | a297feab0e7cdd8e9fa88965cd8d9591f5e6b4d3 (patch) | |
tree | 19e6cc5df890c50a6d751fecfe59357336cd3756 | |
parent | f80be4e959a5d41688dd6e257497e2627ae2d967 (diff) | |
download | freetype2-a297feab0e7cdd8e9fa88965cd8d9591f5e6b4d3.tar.gz |
[sfnt] Avoid nullptr dereference in reading malformed 'COLR' v1 table.
Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=1408044.
* src/sfnt/ttcolr.c (tt_face_load_colr): When the 'COLR' v1 table header is
too small, don't deallocate delta set index map structures.
-rw-r--r-- | src/sfnt/ttcolr.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/sfnt/ttcolr.c b/src/sfnt/ttcolr.c index 369d28c9c..f98c60c87 100644 --- a/src/sfnt/ttcolr.c +++ b/src/sfnt/ttcolr.c @@ -190,7 +190,7 @@ #endif if ( table_size < COLRV0_HEADER_SIZE ) - goto InvalidTable; + goto NoColr; if ( FT_FRAME_EXTRACT( table_size, table ) ) goto NoColr; |
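Review bot: At the `table_size < COLRV0_HEADER_SIZE` check, the new `goto NoColr` bypasses the `InvalidTable` path, and the hunk does not show what `error` holds at that point. If nothing has set it, an undersized table may leave the function without an invalid-table error code. Consider assigning the error explicitly before the jump. A short comment above the check would also help, saying why `InvalidTable` must not be used this early; per the commit message, its cleanup deallocates delta set index map structures, which would not be set up yet at this point. Without that comment, a later cleanup could easily restore the old label. The commit message also speaks of the 'COLR' v1 table header while the comparison is against `COLRV0_HEADER_SIZE`; aligning the wording would avoid confusion about which size is being enforced here.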