[sfnt] Avoid nullptr dereference in reading malformed 'COLR' v1 table.

Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=1408044. * src/sfnt/ttcolr.c (tt_face_load_colr): When the 'COLR' v1 table header is too small, don't deallocate delta set index map structures.
2023-01-17 14:30:48 +02:00 · 2023-01-17 14:30:48 +02:00 · a297feab0e
commit a297feab0e
parent f80be4e959
1 changed files with 1 additions and 1 deletions
--- a/src/sfnt/ttcolr.c
+++ b/src/sfnt/ttcolr.c
@ -190,7 +190,7 @@
 #endif

    if ( table_size < COLRV0_HEADER_SIZE )
-      goto InvalidTable;
+      goto NoColr;

    if ( FT_FRAME_EXTRACT( table_size, table ) )
      goto NoColr;