Commit a297feab0e7cdd8e9fa88965cd8d9591f5e6b4d3

Dominik Röttsches 2023-01-17T14:30:48

[sfnt] Avoid nullptr dereference in reading malformed 'COLR' v1 table.

Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=1408044.

* src/sfnt/ttcolr.c (tt_face_load_colr): When the 'COLR' v1 table header
is too small, don't deallocate delta set index map structures.

diff --git a/src/sfnt/ttcolr.c b/src/sfnt/ttcolr.c
index 369d28c..f98c60c 100644
--- a/src/sfnt/ttcolr.c
+++ b/src/sfnt/ttcolr.c
@@ -190,7 +190,7 @@
 #endif
 
     if ( table_size < COLRV0_HEADER_SIZE )
-      goto InvalidTable;
+      goto NoColr;
 
     if ( FT_FRAME_EXTRACT( table_size, table ) )
       goto NoColr;
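Review bot: the size check at `if ( table_size < COLRV0_HEADER_SIZE )` compares against the v0 header size, yet the commit message says the fix is for a 'COLR' v1 header that is too small; either the message or a short comment on this line should state which header the early-out guards, so the next reader does not assume a v1-specific check exists here. Jumping to `NoColr` instead of `InvalidTable` is consistent with the `FT_FRAME_EXTRACT` failure path two lines below, which also uses `NoColr` because nothing has been extracted or allocated at that point; it would be worth confirming that no other `goto InvalidTable` in `tt_face_load_colr` can be reached before the delta set index map structures are allocated, since any such site would trip the same null dereference this change avoids.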