[sfnt] Additional bounds checks in `COLR` v1. (!216) · Merge requests · FreeType / FreeType · GitLab

Due to an influx of spam, we have had to impose restrictions on new accounts. Please see this wiki page for instructions on how to get full permissions. Sorry for the inconvenience.

Dominik Röttsches requested to merge drott/freetype:moreBoundsChecks into master Oct 18, 2022

src/sfnt/ttcolr.c (read_paint): Use new ENSURE_READ_BYTES macro, ensure that 3 bytes can be read. (tt_face_get_paint_layers): Ensure that the 4-byte paint table offset can be read.

Follow up to !124 (merged) and issue https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52404