[sfnt] Pointer validity check when reading COLR 'v1' layers
- src/sfnt/ttcolr.c (tt_face_get_paint_layers): In addition to the existing sanity checks, ensure that the pointer to the layer to be read is within the 'COLR' v1 table.
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34892