* src/sfnt/ttcolr.c (tt_face_get_color_glyph_clipbox): Add limit checks.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40716
diff --git a/src/sfnt/ttcolr.c b/src/sfnt/ttcolr.c
index 8f5cc8b..4d382de 100644
--- a/src/sfnt/ttcolr.c
+++ b/src/sfnt/ttcolr.c
@@ -824,7 +824,7 @@
{
Colr* colr;
- FT_Byte *p, *p1, *clip_base;
+ FT_Byte *p, *p1, *clip_base, *limit;
FT_Byte clip_list_format;
FT_ULong num_clip_boxes, i;
@@ -847,6 +847,11 @@
p = colr->clip_list;
+ limit = (FT_Byte*)colr->table + colr->table_size;
+
+ if ( p >= limit - ( 1 + 4 ) )
+ return 0;
+
clip_base = p;
clip_list_format = FT_NEXT_BYTE ( p );
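Review bot: `limit - ( 1 + 4 )` on line 19 forms a pointer before the start of the COLR table whenever `table_size` is smaller than 5 bytes, which is undefined behaviour in C even though the value only feeds a comparison; expressing the bound as a byte count avoids it, e.g. `if ( p >= limit || (FT_ULong)( limit - p ) < 1 + 4 ) return 0;` (this presumes `clip_list` was already confirmed to lie inside the table when the header was loaded, which is not visible here). Note that the `>=` also rejects a ClipList header that ends exactly at the table end, which is conservative rather than unsafe, since a zero-record list would fail the next check anyway. Because `limit` is one past the last table byte, a comment next to its definition such as `/* `limit` points one past the last byte of the COLR table, so */` `/* every later check needs `>=` to leave room for the read. */` would make that convention explicit for the checks that follow. The enclosing function begins before this hunk.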
@@ -857,6 +862,10 @@
num_clip_boxes = FT_NEXT_ULONG( p );
+ if ( colr->table_size / ( 2 + 2 + 3 ) < num_clip_boxes ||
+ p >= limit - ( 2 + 2 + 3 ) * num_clip_boxes )
+ return 0;
+
for ( i = 0; i < num_clip_boxes; ++i )
{
gid_start = FT_NEXT_USHORT( p );
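Review bot: The division `colr->table_size / ( 2 + 2 + 3 ) < num_clip_boxes` on line 26 is doing double duty — it rejects counts whose 7-byte records cannot fit in the table and, as a consequence, keeps `( 2 + 2 + 3 ) * num_clip_boxes` from wrapping in `FT_ULong` and `limit - ...` from dropping below the table start — but nothing says so, and a later reader may "simplify" it away; a comment would guard it: `/* A ClipRecord is 2 + 2 + 3 bytes; bounding the count by the table */` `/* size also keeps the multiplication below from overflowing. */`. As written the check guarantees at least `7 * num_clip_boxes + 1` bytes from `p`, so the `FT_NEXT_*` reads of each record in the loop stay inside the table; the ClipBox a record points at is bounded separately. The loop body continues outside this hunk.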
@@ -867,7 +876,7 @@
{
p1 = (FT_Byte*)( clip_base + clip_box_offset );
- if ( p1 >= ( (FT_Byte*)colr->table + colr->table_size ) )
+ if ( p1 >= limit - 1 )
return 0;
format = FT_NEXT_BYTE( p1 );
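Review bot: `clip_base + clip_box_offset` on line 35 is computed before it is range-checked, so for a large offset (the ClipRecord field appears to be a 24-bit offset, so up to roughly 16 MiB) `p1` can land well past the table and only then be compared with `limit`; forming such a pointer is undefined behaviour in C, inherited from the pre-patch line rather than introduced here. Comparing the offset as an integer against the bytes remaining after `clip_base` avoids it: `if ( clip_box_offset >= (FT_ULong)( limit - clip_base ) ) return 0;` and only then `p1 = clip_base + clip_box_offset;` — `limit - clip_base` is positive because the ClipList header was already checked against `limit` earlier in the function. Separately, an offset of 0 makes `p1` alias the ClipList's own format byte rather than a ClipBox; if `clip_list_format` is required to be 1 (its validation is not visible here) such a "box" would pass the `format > 1` test and be parsed from the record count bytes, so a lower bound like `clip_box_offset >= 1 + 4 + ( 2 + 2 + 3 ) * num_clip_boxes` may be worth considering — confirm against the COLR spec that boxes must follow the records. The enclosing `if` and the function continue outside this hunk.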
@@ -875,6 +884,9 @@
if ( format > 1 )
return 0;
+ if ( p1 >= limit - ( 2 + 2 + 2 + 2 ) )
+ return 0;
+
/* `face->root.size->metrics.x_scale` and `y_scale` are factors */
/* that scale a font unit value in integers to a 26.6 fixed value */
/* according to the requested size, see for example */