[sfnt] Guard access when requesting child table pointer (!204) · Merge requests · FreeType / FreeType · GitLab

Dominik Röttsches requested to merge drott/freetype:ossFuzzChildTable into master Sep 27, 2022

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51816

src/sfnt/ttcolr.c (tt_face_get_colorline_stops): Tighten pointer bounds checks. (read_paint): Tighten pointer bounds checks. (get_child_table_pointer): Check whether incoming pointer p lies within the COLR table.