From f42ce25563b73fed0123d18a2556b9ba01d2c76b Mon Sep 17 00:00:00 2001 From: Ben Wanger Date: Fri, 8 Mar 2024 14:55:12 -0500 Subject: [PATCH] [colr] Ensure enough bytes for PaintColrLayers * src/sfnt/ttcolr.c (read_paint): check that there are five additional bytes to be read when reading PaintColrLayers. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66566 --- src/sfnt/ttcolr.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/sfnt/ttcolr.c b/src/sfnt/ttcolr.c index 312b70a5f..1c3fd70d0 100644 --- a/src/sfnt/ttcolr.c +++ b/src/sfnt/ttcolr.c @@ -661,6 +661,7 @@ FT_UInt32 first_layer_index; + ENSURE_READ_BYTES( 5 ); num_layers = FT_NEXT_BYTE( p ); if ( num_layers > colr->num_layers_v1 ) return 0;
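Review bot: the literal 5 in `ENSURE_READ_BYTES( 5 )`, added just before `num_layers = FT_NEXT_BYTE( p );`, is unexplained in the code. From the visible context it presumably covers the one byte consumed by `FT_NEXT_BYTE( p )` for `num_layers` plus four bytes for the `FT_UInt32 first_layer_index`, but the read of `first_layer_index` lies outside this hunk, so the count cannot be confirmed from the lines shown. A short comment next to the check, for example `/* 1 byte num_layers + 4 bytes first_layer_index */`, would tie the number to the fields it guards and make it harder for the bound to drift if the reads below are ever changed. The commit message says "five additional bytes" without naming the fields either, so the same breakdown would be worth stating there.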