
[sfnt] Guard access in 'COLR' v1 glyph binary search

Dominik Röttsches requested to merge drott/freetype:ftColrV1FindFix into master

Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=1505216

  • src/sfnt/ttcolr.c (find_base_glyph_v1_record): Guard access of the search pointer during binary search. The pointer needs to be checked as we go, as the check that compares the number of V1 glyphs with the table size at the time of loading the table is not sufficient on its own. A scenario is possible in which the BaseGlyphRecord list extends into non-BaseGlyphRecord parts of the 'COLR' v1 table (but passes the size comparison check). Then, at those locations, invalid gid values are read and, due to the reassignment of min and max during binary search, may provoke an invalid read.
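The scenario in the description, as an added example that is not FreeType's code: a constructed 'COLR' v1 table whose BaseGlyphList count field claims more records than the list actually holds, so that a load-time check of the shape `count * record_size <= table_size` passes while the tail of the claimed list lies past the end of the table. `find_base_glyph_v1_record` below is the guarded binary search (the bounds check is expressed on table offsets rather than raw pointers, so no out-of-range pointer is ever formed), `first_oob_read_unguarded` replays the unguarded search path without dereferencing and reports the first out-of-bounds read it would have made, and `list_fits_in_table` is the tighter load-time check a reviewer would pair with the guard. Only the `version` and `baseGlyphListOffset` header fields are parsed, the record layout (uint16 glyphID + Offset32 paint) follows the COLR v1 format, and the weak load-time check is modelled from the description, not copied from the pre-fix source; all of that is assumed here.

```c
/* Added example (not FreeType code): guarded BaseGlyphList binary search
 * run against a constructed 'COLR' v1 table with an overstated record count. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BASE_GLYPH_PAINT_RECORD_SIZE 6u   /* uint16 glyphID + Offset32 paint */
#define COLR_V1_HEADER_SIZE          34u  /* fixed COLR v1 header */
#define TABLE_CAP                    64u

typedef struct {
  const uint8_t *table;           /* start of the whole 'COLR' table */
  size_t         table_size;
  const uint8_t *base_glyphs_v1;  /* BaseGlyphList: count, then records */
  uint32_t       num_base_glyphs_v1;
} Colr;

typedef struct { uint16_t gid; uint32_t paint_offset; } BaseGlyphV1Record;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) {
  return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) {
  p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Constructed sample: header, then a BaseGlyphList that really holds three
 * records (gids 5, 10, 20) but whose count field claims `claimed` records.
 * Returns the real table size, 56 bytes. */
static size_t build_table(uint8_t *buf, uint32_t claimed) {
  static const uint16_t gids[3] = { 5, 10, 20 };
  memset(buf, 0, TABLE_CAP);
  wr16(buf, 1);                                   /* version = 1 */
  wr32(buf + 14, COLR_V1_HEADER_SIZE);            /* baseGlyphListOffset */
  uint8_t *list = buf + COLR_V1_HEADER_SIZE;
  wr32(list, claimed);                            /* numBaseGlyphPaintRecords */
  for (unsigned i = 0; i < 3; i++) {
    uint8_t *rec = list + 4 + i * BASE_GLYPH_PAINT_RECORD_SIZE;
    wr16(rec, gids[i]);
    wr32(rec + 2, 0x100u + i);                    /* paintOffset, arbitrary */
  }
  return COLR_V1_HEADER_SIZE + 4 + 3 * BASE_GLYPH_PAINT_RECORD_SIZE;
}

/* Load-time check of the weak shape the description calls insufficient on
 * its own (assumed here): count * record size against the whole table size,
 * not against the bytes remaining after the list starts. */
static int load_colr(Colr *colr, const uint8_t *table, size_t size) {
  if (size < COLR_V1_HEADER_SIZE || rd16(table) != 1) return 0;
  uint32_t list_off = rd32(table + 14);
  if (list_off == 0 || (uint64_t)list_off + 4 > size) return 0;
  colr->table = table;
  colr->table_size = size;
  colr->base_glyphs_v1 = table + list_off;
  colr->num_base_glyphs_v1 = rd32(colr->base_glyphs_v1);
  return (uint64_t)colr->num_base_glyphs_v1 * BASE_GLYPH_PAINT_RECORD_SIZE <= size;
}

/* Offset of record `mid`, and whether a full record fits inside the table. */
static int record_in_table(const Colr *colr, uint32_t mid, size_t *off) {
  *off = (size_t)(colr->base_glyphs_v1 - colr->table) + 4 + (size_t)mid * BASE_GLYPH_PAINT_RECORD_SIZE;
  return *off <= colr->table_size && colr->table_size - *off >= BASE_GLYPH_PAINT_RECORD_SIZE;
}

/* Guarded binary search: each record is bounds-checked before it is read, so
 * a corrupted count makes the lookup fail (0) instead of reading past the table. */
static int find_base_glyph_v1_record(const Colr *colr, uint16_t glyph_id, BaseGlyphV1Record *out) {
  uint32_t min = 0, max = colr->num_base_glyphs_v1;
  while (min < max) {
    uint32_t mid = min + (max - min) / 2;
    size_t off;
    if (!record_in_table(colr, mid, &off)) return 0;   /* the guard */
    const uint8_t *p = colr->table + off;
    uint16_t gid = rd16(p);
    if (gid < glyph_id)      min = mid + 1;
    else if (gid > glyph_id) max = mid;
    else { out->gid = gid; out->paint_offset = rd32(p + 2); return 1; }
  }
  return 0;
}

/* Replays the unguarded search path without dereferencing: returns the table
 * offset of the first record it would read past table_size, or -1 if none. */
static long first_oob_read_unguarded(const Colr *colr, uint16_t glyph_id) {
  uint32_t min = 0, max = colr->num_base_glyphs_v1;
  while (min < max) {
    uint32_t mid = min + (max - min) / 2;
    size_t off;
    if (!record_in_table(colr, mid, &off)) return (long)off;
    uint16_t gid = rd16(colr->table + off);
    if (gid < glyph_id) min = mid + 1; else if (gid > glyph_id) max = mid; else return -1;
  }
  return -1;
}

/* Tighter load-time check: the claimed records must fit after the count field. */
static int list_fits_in_table(const Colr *colr) {
  uint64_t need = (uint64_t)(colr->base_glyphs_v1 - colr->table) + 4 +
                  (uint64_t)colr->num_base_glyphs_v1 * BASE_GLYPH_PAINT_RECORD_SIZE;
  return need <= colr->table_size;
}

static int setup(Colr *colr, uint8_t *buf, uint32_t claimed) {
  return load_colr(colr, buf, build_table(buf, claimed));
}
/* 1 found, 0 not found / guard hit, -2 if the weak load-time check rejects. */
static int guarded_lookup(uint32_t claimed, uint16_t glyph_id) {
  uint8_t buf[TABLE_CAP]; Colr colr; BaseGlyphV1Record rec;
  return setup(&colr, buf, claimed) ? find_base_glyph_v1_record(&colr, glyph_id, &rec) : -2;
}
static long unguarded_oob_offset(uint32_t claimed, uint16_t glyph_id) {
  uint8_t buf[TABLE_CAP]; Colr colr;
  return setup(&colr, buf, claimed) ? first_oob_read_unguarded(&colr, glyph_id) : -2;
}
static int strict_check_accepts(uint32_t claimed) {
  uint8_t buf[TABLE_CAP]; Colr colr;
  return setup(&colr, buf, claimed) ? list_fits_in_table(&colr) : 0;
}

int main(void) {
  printf("count 3, gid 20: guarded=%d oob=%ld\n", guarded_lookup(3, 20), unguarded_oob_offset(3, 20));
  printf("count 9, gid 20: guarded=%d oob=%ld strict=%d\n",
         guarded_lookup(9, 20), unguarded_oob_offset(9, 20), strict_check_accepts(9));
  printf("count 5, gid 30: guarded=%d oob=%ld\n", guarded_lookup(5, 30), unguarded_oob_offset(5, 30));
  return 0;
}
```

With a count of 9 the weak check passes (9 * 6 = 54 <= 56) even though the list would need 92 bytes, and the very first probe of the search (index 4, offset 62) lands past the table; with a count of 5, whether the unguarded code reads out of bounds depends on the glyph searched for, since the garbage gids steer min and max, which is why a check on each access rather than only at load time is needed.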
