[truetype] Check avar_segment before access

* src/truetype/ttgxvar.c (tt_done_blend): check `avar_segment` before accessing to free its `correspondence`. Reported as: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53062
2022-11-07 16:58:56 -05:00 · 2022-11-07 16:58:56 -05:00 · 9154707f6b
commit 9154707f6b
parent d38407f79e
1 changed files with 6 additions and 3 deletions
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@ -4500,9 +4500,12 @@

      if ( blend->avar_table )
      {
-        for ( i = 0; i < num_axes; i++ )
-          FT_FREE( blend->avar_table->avar_segment[i].correspondence );
-        FT_FREE( blend->avar_table->avar_segment );
+        if ( blend->avar_table->avar_segment )
+        {
+          for ( i = 0; i < num_axes; i++ )
+            FT_FREE( blend->avar_table->avar_segment[i].correspondence );
+          FT_FREE( blend->avar_table->avar_segment );
+        }

        tt_var_done_item_variation_store( face,
                                          &blend->avar_table->itemStore );