From 207ca38fb5e99a638e9ea86d86b28fc895661122 Mon Sep 17 00:00:00 2001 From: Werner Lemberg Date: Mon, 25 Jun 2018 18:50:00 +0200 Subject: [PATCH] [truetype] Fix memory leak. * src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): Add initializers. Fix typo in `goto' destination. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9071 --- ChangeLog | 11 +++++++++++ src/truetype/ttgxvar.c | 43 ++++++++++++++++++++++++------------------ 2 files changed, 36 insertions(+), 18 deletions(-) diff --git a/ChangeLog b/ChangeLog index 49325f0f8..11de7b946 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,14 @@ +2018-06-25 Werner Lemberg + + [truetype] Fix memory leak. + + * src/truetype/ttgxvar.c (TT_Vary_Apply_Glyph_Deltas): Add initializers. + Fix typo in `goto' destination. + + Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9071 + 2018-06-25 Werner Lemberg * src/truetype/ttgxvar.c (tt_face_vary_cvt): Add initializers. diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c index 97462a6e9..621572990 100644 --- a/src/truetype/ttgxvar.c +++ b/src/truetype/ttgxvar.c 
@@ -3626,32 +3626,39 @@ FT_Outline* outline, FT_UInt n_points ) { - FT_Stream stream = face->root.stream; - FT_Memory memory = stream->memory; - GX_Blend blend = face->blend; + FT_Error error; + FT_Stream stream = face->root.stream; + FT_Memory memory = stream->memory; FT_Vector* points_org = NULL; /* coordinates in 16.16 format */ FT_Vector* points_out = NULL; /* coordinates in 16.16 format */ FT_Bool* has_delta = NULL; - FT_Error error; - FT_ULong glyph_start; - FT_UInt tupleCount; - FT_ULong offsetToData; - FT_ULong here; - FT_UInt i, j; - FT_Fixed* tuple_coords = NULL; - FT_Fixed* im_start_coords = NULL; - FT_Fixed* im_end_coords = NULL; - FT_UInt point_count, spoint_count = 0; + FT_ULong glyph_start; + + FT_UInt tupleCount; + FT_ULong offsetToData; + + FT_ULong here; + FT_UInt i, j; + + FT_Fixed* tuple_coords = NULL; + FT_Fixed* im_start_coords = NULL; + FT_Fixed* im_end_coords = NULL; + + GX_Blend blend = face->blend; + + FT_UInt point_count; + FT_UInt spoint_count = 0; + FT_UShort* sharedpoints = NULL; FT_UShort* localpoints = NULL; FT_UShort* points; - FT_Fixed* deltas_x; - FT_Fixed* deltas_y; - FT_Fixed* point_deltas_x; - FT_Fixed* point_deltas_y; + FT_Fixed* deltas_x = NULL; + FT_Fixed* deltas_y = NULL; + FT_Fixed* point_deltas_x = NULL; + FT_Fixed* point_deltas_y = NULL; if ( !face->doblend || !blend ) @@ -3754,7 +3761,7 @@ " invalid tuple index\n" )); error = FT_THROW( Invalid_Table ); - goto Fail2; + goto Fail3; } else FT_MEM_COPY(
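Review bot: The `= NULL` initializers added to `deltas_x`, `deltas_y`, `point_deltas_x` and `point_deltas_y` are the only functional change in this declaration block, but they sit among re-aligned and reordered declarations, which makes the fix hard to audit and to backport. Presumably the failure labels later in the function release these four pointers, so each must hold NULL until it is allocated; a comment above them such as `/* released at the Fail labels; must be NULL until allocated */` (to be confirmed against the cleanup code) would record why the initializers matter. `FT_UShort* points;` is still declared without an initializer, which is fine if it only aliases `sharedpoints` or `localpoints`, but `FT_UShort* points = NULL;` would keep the block uniform. The function body, including the cleanup labels, continues outside the hunk.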
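Review bot: The jump target `Fail3` differs from `Fail2` by a single digit, and going by the commit message that one-character slip is what caused the leak on the invalid-tuple-index path. The labels and the rest of the enclosing function lie outside the hunk, so what each label releases cannot be checked from here; a comment on the jump, for example `goto Fail3;  /* not Fail2: buffers allocated above must be released */` (wording to be confirmed against the label), would make the next mismatch visible in review. The other error exits in the same function, also outside the hunk, are worth checking for a remaining `goto Fail2` that skips the same cleanup. Since the commit message cites an oss-fuzz report, keeping that reproducer as a regression input would guard this path.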