From 5e227133c16c1c9ff41a18a2b411a20afe81be6c Mon Sep 17 00:00:00 2001
From: Ben Wagner
Date: Sat, 15 Jan 2022 17:08:18 -0500
Subject: [PATCH] [pshinter] Avoid accessing uninitialized zone.
The `normal_top.count` may be 0, implying no `normal_top.zones` exist. The code must not access these (non-existent) `normal_top.zones`.
* src/pshinter/pshalgo.c (ps_hints_apply): Do not assume that `normal_top.zones[0]` is initialized. Test `normal_top.count` before using `normal_top.zones[0]`. Do not rescale if there are no `zones`.
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=43675
---
src/pshinter/pshalgo.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/pshinter/pshalgo.c b/src/pshinter/pshalgo.c
index d68426359..1616c43fb 100644
--- a/src/pshinter/pshalgo.c
+++ b/src/pshinter/pshalgo.c
@@ -2110,14 +2110,17 @@
 FT_Fixed old_x_scale = x_scale;
 FT_Fixed old_y_scale = y_scale;
- FT_Fixed scaled;
- FT_Fixed fitted;
+ FT_Fixed scaled = 0;
+ FT_Fixed fitted = 0;
 FT_Bool rescale = FALSE;
- scaled = FT_MulFix( globals->blues.normal_top.zones->org_ref, y_scale );
- fitted = FT_PIX_ROUND( scaled );
+ if ( globals->blues.normal_top.count )
+ {
+ scaled = FT_MulFix( globals->blues.normal_top.zones->org_ref, y_scale );
+ fitted = FT_PIX_ROUND( scaled );
+ }
 if ( fitted != 0 && scaled != fitted )
 {
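Review bot: The new `count` guard leaves `scaled` and `fitted` at their fresh zero initializers and silently relies on the unchanged `if ( fitted != 0 && scaled != fitted )` on the next line to skip the rescale, which is correct but easy to break if someone later changes that condition; a one-line comment above it, `/* no blue zones: scaled == fitted == 0, so the rescale below is skipped */`, would make the coupling explicit. The guard also assumes that a non-zero `normal_top.count` implies `zones[0]` has been fully populated, which the commit message asserts but this hunk cannot show, so it is worth confirming against the code that fills `normal_top` (not in this diff); if `zones` is an inline array as the message's `zones[0]` wording suggests, the original defect was an uninitialized read rather than a NULL dereference, and an MSan run on the OSS-Fuzz reproducer is the right regression check. Writing the access as `globals->blues.normal_top.zones[0].org_ref` would match the commit message and make the element index the guard protects visible at the use site. The enclosing function `ps_hints_apply` begins and ends outside this hunk.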