[sfnt] Guard access when requesting child table pointer
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51816
- src/sfnt/ttcolr.c (tt_face_get_colorline_stops): Tighten pointer
bounds checks.
(read_paint): Tighten pointer bounds checks.
(get_child_table_pointer): Check whether incoming pointer p lies within
the
COLR
table.