[truetype] Check avar_segment before access

* src/truetype/ttgxvar.c (tt_done_blend): check `avar_segment` before accessing to free its `correspondence`. Reported as: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53062
author: Ben Wagner <bungeman@chromium.org> 2022-11-07 16:58:56 -0500
committer: Ben Wagner <bungeman@chromium.org> 2022-11-09 19:15:26 +0000
commit: 9154707f6bc9592e0761376d3bf00ffc00275781 (patch)
tree: 1851bf640ba7c5fa49f46ac586edb493403ffbd3
parent: d38407f79ed554f256af896a9f8b12ad96fff7e5 (diff)
download: freetype2-9154707f6bc9592e0761376d3bf00ffc00275781.tar.gz
1 files changed, 6 insertions, 3 deletions
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index 1bc8f9dee..71ff20e35 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -4500,9 +4500,12 @@
 
       if ( blend->avar_table )
       {
-        for ( i = 0; i < num_axes; i++ )
-          FT_FREE( blend->avar_table->avar_segment[i].correspondence );
-        FT_FREE( blend->avar_table->avar_segment );
+        if ( blend->avar_table->avar_segment )
+        {
+          for ( i = 0; i < num_axes; i++ )
+            FT_FREE( blend->avar_table->avar_segment[i].correspondence );
+          FT_FREE( blend->avar_table->avar_segment );
+        }
 
         tt_var_done_item_variation_store( face,
                                           &blend->avar_table->itemStore );
author	Ben Wagner <bungeman@chromium.org>	2022-11-07 16:58:56 -0500
committer	Ben Wagner <bungeman@chromium.org>	2022-11-09 19:15:26 +0000
commit	9154707f6bc9592e0761376d3bf00ffc00275781 (patch)
tree	1851bf640ba7c5fa49f46ac586edb493403ffbd3
parent	d38407f79ed554f256af896a9f8b12ad96fff7e5 (diff)
download	freetype2-9154707f6bc9592e0761376d3bf00ffc00275781.tar.gz