Avoid overflow in COLR bounds checks.
The values read into base_glyphs_offset_v1 and layer_offset_v1 may be in the range 0xFFFFFFFD-0xFFFFFFFF. On systems where unsigned long is 32 bits, adding 4 to such values will wrap and pass bounds checks, but accessing values at such offsets will be out of bounds.
On the other hand, table_size has already been tested to be at least COLRV1_HEADER_SIZE (34), so it is safe to subtract 4 from it.
- src/sfnt/ttcolr.c (tt_face_load_colr): subtract 4 from table_size instead of adding 4 to font data offsets in bounds checks.
Fixes: https://crbug.com/1469348
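The two shapes of the bounds check contrasted in the commit message, as an added illustration that is not FreeType's code: the offsets are modelled with uint32_t so the 32-bit wrap reproduces on any host, the function names, the 40-byte sample table and the read helper are constructed for this example, and only the value 34 for COLRV1_HEADER_SIZE comes from the message above.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Value quoted in the commit message; the macro name is reused here as an
 * assumption about the header constant, not FreeType's own definition. */
#define COLRV1_HEADER_SIZE 34u

/* Pre-fix shape: add 4 to the untrusted offset, then compare.  With a
 * 32-bit unsigned type, 0xFFFFFFFD..0xFFFFFFFF + 4 wraps to 1..3, so the
 * check accepts an offset whose 4-byte read starts far past the table. */
static int check_add_to_offset(uint32_t offset, uint32_t table_size)
{
    uint32_t end = offset + 4u;   /* wraps for offset >= 0xFFFFFFFC */
    return end <= table_size;     /* 1 = accepted */
}

/* Post-fix shape: subtract 4 from table_size instead.  table_size has
 * already been checked to be >= COLRV1_HEADER_SIZE, so the subtraction
 * cannot underflow, and the untrusted offset is never modified, so it
 * cannot wrap.  The header-size guard is repeated here only so the
 * function is safe to call stand-alone. */
static int check_sub_from_size(uint32_t offset, uint32_t table_size)
{
    if (table_size < COLRV1_HEADER_SIZE)
        return 0;
    return offset <= table_size - 4u;
}

/* Read a big-endian uint32 at `offset`, gated by the safe check.
 * Returns 1 and sets *out on success, 0 if the read would leave the table. */
static int read_u32_be(const uint8_t *table, uint32_t table_size,
                       uint32_t offset, uint32_t *out)
{
    if (!check_sub_from_size(offset, table_size))
        return 0;
    *out = ((uint32_t)table[offset] << 24) |
           ((uint32_t)table[offset + 1] << 16) |
           ((uint32_t)table[offset + 2] << 8) |
           (uint32_t)table[offset + 3];
    return 1;
}

/* Constructed 40-byte table: a zeroed 34-byte header, 0x11223344 at
 * offset 34, then two trailing bytes 0xAA 0xBB. */
static const uint8_t sample_table[40] = {
    [34] = 0x11, 0x22, 0x33, 0x44, 0xAA, 0xBB
};

int main(void)
{
    static const uint32_t probes[] = {
        34u, 36u, 37u, 0xFFFFFFFDu, 0xFFFFFFFEu, 0xFFFFFFFFu
    };
    uint32_t table_size = (uint32_t)sizeof sample_table;
    size_t i;

    for (i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint32_t v = 0;
        printf("offset 0x%08X: add-to-offset %s, sub-from-size %s",
               (unsigned)probes[i],
               check_add_to_offset(probes[i], table_size) ? "accepts" : "rejects",
               check_sub_from_size(probes[i], table_size) ? "accepts" : "rejects");
        if (read_u32_be(sample_table, table_size, probes[i], &v))
            printf(", read 0x%08X", (unsigned)v);
        putchar('\n');
    }
    return 0;
}
```

Running it shows the three top-of-range offsets accepted by check_add_to_offset and rejected by check_sub_from_size, while in-range offsets (36 is the last that leaves room for 4 bytes in a 40-byte table) are treated identically by both. The general rule the fix applies is to keep arithmetic on the trusted side of the comparison: rearranging `offset + n <= size` into `offset <= size - n` is only valid once `size >= n` has been established, which is exactly what the earlier header-size test provides.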