authorBen Wagner <bungeman@chromium.org>2021-06-30 18:22:29 -0400
committerWerner Lemberg <wl@gnu.org>2021-07-01 07:02:04 +0200
commitd3dc2da9b27af5b90575d62989389cc65fe7977c (patch)
treebed9b0d1fb40a6c5ff9b0d07d0a63eb8eda7de80
parent286da6c528ace3443d993370c798cdc09011200b (diff)
downloadfreetype2-d3dc2da9b27af5b90575d62989389cc65fe7977c.tar.gz
* src/truetype/ttgxvar.c (tt_set_mm_blend): Test `coords`.
It is undefined behavior to pass `NULL` to `memcpy`. `coords` is passed to `memcpy`, but `TT_Get_MM_Blend` and `TT_Get_Var_Design` explicitly call `tt_set_mm_blend` with `coords` as `NULL`. In addition, `TT_Set_MM_Blend` has a similar possible issue.
-rw-r--r--ChangeLog9
-rw-r--r--src/truetype/ttgxvar.c7
2 files changed, 13 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index 9209ea8e7..34552ca17 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2021-07-01 Ben Wagner <bungeman@chromium.org>
+
+ * src/truetype/ttgxvar.c (tt_set_mm_blend): Test `coords`.
+
+ It is undefined behavior to pass `NULL` to `memcpy`. `coords' is
+ passed to `memcpy` but `TT_Get_MM_Blend` and `TT_Get_Var_Design`
+ explictly call `tt_set_mm_blend` with `coords` as `NULL`. In
+ addition, `TT_Set_MM_Blend` has a similar possible issue.
+
2021-06-30 Dominik Röttsches <drott@chromium.org>
[sfnt] Support PaintScale in 'COLR' v1 parsing.
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index ad87746d8..aad3e2929 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -2663,9 +2663,10 @@
}
blend->num_axis = mmvar->num_axis;
- FT_MEM_COPY( blend->normalizedcoords,
- coords,
- num_coords * sizeof ( FT_Fixed ) );
+ if ( coords )
+ FT_MEM_COPY( blend->normalizedcoords,
+ coords,
+ num_coords * sizeof ( FT_Fixed ) );
if ( set_design_coords )
ft_var_to_design( face,
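Review bot: The new `if ( coords )` guard around `FT_MEM_COPY` has no comment, so nothing at this site says that a `NULL` `coords` is an expected input rather than a caller bug, or that the check is still required when `num_coords` is zero. I would add above it `/* coords may be NULL (see TT_Get_MM_Blend, TT_Get_Var_Design); memcpy with a null pointer is undefined even for a zero length */`. On the `NULL` path `blend->normalizedcoords` keeps whatever it held before, and the `set_design_coords` branch that follows appears to go on to use the blend. Whether that buffer is always initialised by then cannot be seen here, because `tt_set_mm_blend` begins and ends outside the hunk, so it is worth confirming.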