-rw-r--r-- | ChangeLog | 8 | ||||
-rw-r--r-- | src/sfnt/ttcolr.c | 7 |
2 files changed, 15 insertions, 0 deletions
@@ -1,3 +1,11 @@
+2021-06-08 Dominik Röttsches <drott@chromium.org>
+
+ [sfnt] Pointer validity check when reading COLR 'v1' layers
+
+ * src/sfnt/ttcolr.c (tt_face_get_paint_layers): In addition to the
+ existing sanity checks, ensure that the pointer to the layer to be
+ read is within the 'COLR' v1 table.
+
 2021-06-08 Werner Lemberg <wl@gnu.org>
 
 * src/sdf/ftsdfcommon.c: Fix inclusion of header files.
diff --git a/src/sfnt/ttcolr.c b/src/sfnt/ttcolr.c
index fa58a90a3..c3f225d66 100644
--- a/src/sfnt/ttcolr.c
+++ b/src/sfnt/ttcolr.c
@@ -702,6 +702,13 @@
 p = iterator->p;
 
 /*
+ * First ensure that p is within COLRv1.
+ */
+ if ( p < colr->base_glyphs_v1 ||
+ p >= ( (FT_Byte*)colr->table + colr->table_size ) )
+ return 0;
+
+ /*
 * Do a cursor sanity check of the iterator. Counting backwards from
 * where it stands, we need to end up at a position after the beginning
 * of the `LayerV1List` table and not after the end of the
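Review bot: The new upper bound in the ttcolr.c hunk only rejects `p` when it is at or past `colr->table + colr->table_size`, so a pointer in the last few bytes of the table still passes even though reading one layer entry from it would cross the end; unless the cursor sanity check that follows also bounds the read length (its condition is outside the hunk), the guard should account for the entry size, e.g. `p + /* size of one layer entry */ > (FT_Byte*)colr->table + colr->table_size`. The lower bound is taken from `colr->base_glyphs_v1` while the upper bound is derived from `colr->table`, and nothing in the hunk says why the v1 base-glyph array is the intended floor; a short comment such as `/* coarse bound only: the precise LayerV1List check follows */` would make the two-stage validation explicit. The enclosing function tt_face_get_paint_layers starts and ends outside the hunk.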