[sfnt] Pointer validity check when reading COLR 'v1' layers (!39) · Merge requests · FreeType / FreeType · GitLab

Due to an influx of spam, we have had to impose restrictions on new accounts. Please see this wiki page for instructions on how to get full permissions. Sorry for the inconvenience.

Dominik Röttsches requested to merge drott/freetype:colrv1fuzzfix2 into master Jun 08, 2021

src/sfnt/ttcolr.c (tt_face_get_paint_layers): In addition to the existing sanity checks, ensure that the pointer to the layer to be read is within the 'COLR' v1 table.

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34892