freetype-commit

From: Werner Lemberg
Subject: [freetype2] wl/40716 3226c36a8: * src/sfnt/ttcolr.c (tt_face_get_color_glyph_clipbox): Add limit checks.
Date: Sat, 8 Jan 2022 10:59:31 -0500 (EST)

branch: wl/40716
commit 3226c36a8f7d8bbe6d4d5004b0dd527c58f92011
Author: Werner Lemberg <wl@gnu.org>
Commit: Werner Lemberg <wl@gnu.org>

    * src/sfnt/ttcolr.c (tt_face_get_color_glyph_clipbox): Add limit checks.
    
    Reported as
    
      https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40716
---
 src/sfnt/ttcolr.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/sfnt/ttcolr.c b/src/sfnt/ttcolr.c
index 8f5cc8bcd..4d382de61 100644
--- a/src/sfnt/ttcolr.c
+++ b/src/sfnt/ttcolr.c
@@ -824,7 +824,7 @@
   {
     Colr*  colr;
 
-    FT_Byte  *p, *p1, *clip_base;
+    FT_Byte  *p, *p1, *clip_base, *limit;
 
     FT_Byte    clip_list_format;
     FT_ULong   num_clip_boxes, i;
@@ -847,6 +847,11 @@
 
     p = colr->clip_list;
 
+    limit = (FT_Byte*)colr->table + colr->table_size;
+
+    if ( p >= limit - ( 1 + 4 ) )
+      return 0;
+
     clip_base        = p;
     clip_list_format = FT_NEXT_BYTE ( p );
 
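Review bot: the new guard `if ( p >= limit - ( 1 + 4 ) )` is one byte stricter than the reads it protects: the format byte plus the ULONG count need exactly 5 bytes, so the case `p == limit - 5` is rejected although it is readable; a `>` comparison (or an equivalent `limit - p < 1 + 4`) matches the intent exactly, and the same `>=` pattern recurs in the later checks of this patch. Also consider expressing the test as a size comparison, `(FT_ULong)( limit - p ) < 1 + 4`, rather than forming the pointer `limit - 5`, which lies before the table start whenever `colr->table_size` is smaller than 5; a short comment naming what the `1` and `4` stand for (clip list format, number of clip boxes) would help the next reader.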
@@ -857,6 +862,10 @@
 
     num_clip_boxes = FT_NEXT_ULONG( p );
 
+    if ( colr->table_size / ( 2 + 2 + 3 ) < num_clip_boxes ||
+         p >= limit - ( 2 + 2 + 3 ) * num_clip_boxes       )
+      return 0;
+
     for ( i = 0; i < num_clip_boxes; ++i )
     {
       gid_start       = FT_NEXT_USHORT( p );
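Review bot: the division guard `colr->table_size / ( 2 + 2 + 3 ) < num_clip_boxes` is the important half of this check, since it rules out overflow in `( 2 + 2 + 3 ) * num_clip_boxes` before that product is subtracted from `limit`; that reasoning deserves a comment, because the clause reads like a redundant size test otherwise. The magic sum `2 + 2 + 3` evidently encodes the per-record layout (the two USHORT glyph ids read in the loop plus a 3-byte clip box offset); a named constant or a comment spelling out the fields would make the check self-explaining, and as with the previous hunk `>=` rejects a clip list whose records end exactly at the table end.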
@@ -867,7 +876,7 @@
       {
         p1 = (FT_Byte*)( clip_base + clip_box_offset );
 
-        if ( p1 >= ( (FT_Byte*)colr->table + colr->table_size ) )
+        if ( p1 >= limit - 1 )
           return 0;
 
         format = FT_NEXT_BYTE( p1 );
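Review bot: tightening the existing check to `p1 >= limit - 1` guarantees the following `FT_NEXT_BYTE( p1 )` stays inside the table, which the old `p1 >= ( ... + colr->table_size )` did not; good. The remaining weakness is that `p1 = (FT_Byte*)( clip_base + clip_box_offset )` is still computed before it is validated, so an oversized offset forms an out-of-table pointer first and is only caught afterwards. Checking the offset as a size, `clip_box_offset >= (FT_ULong)( limit - clip_base )`, before the addition avoids that and reads more clearly.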
@@ -875,6 +884,9 @@
         if ( format > 1 )
           return 0;
 
+        if ( p1 >= limit - ( 2 + 2 + 2 + 2 ) )
+          return 0;
+
         /* `face->root.size->metrics.x_scale` and `y_scale` are factors   */
         /* that scale a font unit value in integers to a 26.6 fixed value */
         /* according to the requested size, see for example               */
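Review bot: the new check `p1 >= limit - ( 2 + 2 + 2 + 2 )` reserves exactly eight bytes after the format byte, i.e. the four 2-byte clip box coordinates, and it is correctly placed after the `format > 1` rejection. Since the rest of the clip box parsing is not part of this hunk, please confirm that a format 1 box reads no more than those eight bytes; if it carries additional fields, the size check belongs inside the per-format branch (or needs the larger bound). As elsewhere in the patch, a comment listing the four fields would make the `2 + 2 + 2 + 2` less opaque.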
