author    Dominik Röttsches <drott@chromium.org>  2021-06-08 14:29:11 +0300
committer Dominik Röttsches <drott@chromium.org>  2021-06-08 14:29:11 +0300
commit    ee6d03d369e78812dc753c55a85226af343b845e
tree      3426fe09bc484cfed96ffb893b46b73de3439890
parent    41fa19fceaba5f8588456472f0990664115062f5
download  freetype2-ee6d03d369e78812dc753c55a85226af343b845e.tar.gz
[sfnt] Pointer validity check when reading COLR 'v1' layers
* src/sfnt/ttcolr.c (tt_face_get_paint_layers): In addition to the existing sanity checks, ensure that the pointer to the layer to be read is within the 'COLR' v1 table.
-rw-r--r--  ChangeLog          8
-rw-r--r--  src/sfnt/ttcolr.c  7
2 files changed, 15 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 190efa6be..1c617938b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2021-06-08 Dominik Röttsches <drott@chromium.org>
+
+ [sfnt] Pointer validity check when reading COLR 'v1' layers
+
+ * src/sfnt/ttcolr.c (tt_face_get_paint_layers): In addition to the
+ existing sanity checks, ensure that the pointer to the layer to be
+ read is within the 'COLR' v1 table.
+
2021-06-08 Werner Lemberg <wl@gnu.org>
* src/sdf/ftsdfcommon.c: Fix inclusion of header files.
diff --git a/src/sfnt/ttcolr.c b/src/sfnt/ttcolr.c
index fa58a90a3..c3f225d66 100644
--- a/src/sfnt/ttcolr.c
+++ b/src/sfnt/ttcolr.c
@@ -702,6 +702,13 @@
p = iterator->p;
/*
+ * First ensure that p is within COLRv1.
+ */
+ if ( p < colr->base_glyphs_v1 ||
+ p >= ( (FT_Byte*)colr->table + colr->table_size ) )
+ return 0;
+
+ /*
* Do a cursor sanity check of the iterator. Counting backwards from
* where it stands, we need to end up at a position after the beginning
* of the `LayerV1List` table and not after the end of the
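Review bot: the new check only establishes that `p` itself lies inside the table; it does not guarantee that the bytes read from `p` for the layer entry fit before `(FT_Byte*)colr->table + colr->table_size`, so a `p` a byte or two short of the table end still passes `p >= ( (FT_Byte*)colr->table + colr->table_size )`. Unless the cursor sanity check that follows already bounds `p` plus the size of one entry against the table end, consider an upper bound of the form `p + entry_size > end` here instead. A second point on the lower bound: comparing against `colr->base_glyphs_v1` admits pointers anywhere after the start of the base glyph list, including inside it; the comment below refers to the beginning of the `LayerV1List` table, which would be the tighter and more natural lower bound for a layer pointer. Finally, the bare `return 0` mirrors the existing sanity check, but a one-line comment stating that 0 means "no more layers / invalid iterator" would help readers who land here first.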