From afb4ca0151959a8bedfb39a9a9140504168be7ea Mon Sep 17 00:00:00 2001 From: Ben Wagner Date: Thu, 6 Jan 2022 12:54:15 -0500 Subject: [PATCH] [truetype] Reset localpoints when varying cvt. When iterating over the cvt tuples and reading in the points it is necessary to set all of `localpoints`, `points`, and `point_count` in all cases. The existing code did not reset `localpoints` to `NULL` when there were no private point numbers. If the previous tuple did have private point numbers and set `localpoints` to `ALL_POINTS` this would not be cleared and the wrong branch would be taken later, leading to possible heap buffer overflow. * src/truetype/ttgxvar.c (tt_face_vary_cvt): Reset `localpoints` to `NULL` when it isn't valid. Fixes: https://crbug.com/1284742 --- src/truetype/ttgxvar.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c index 7f2db0cbd..55ff152e7 100644 --- a/src/truetype/ttgxvar.c +++ b/src/truetype/ttgxvar.c @@ -3476,6 +3476,7 @@ } else { + localpoints = NULL; points = sharedpoints; point_count = spoint_count; }
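Review bot: the added `localpoints = NULL;` is correct, but it leaves the else branch responsible for mirroring every assignment the if branch makes (`localpoints`, `points`, `point_count`), which is exactly the coupling that let `localpoints` carry `ALL_POINTS` over from the previous tuple. Consider instead hoisting `localpoints = NULL;` to the top of each loop iteration, before the branch on private point numbers, so the private-point branch is the only place that ever sets it and no later branch can inherit a stale value. A regression test with a tuple that uses private point numbers (zero count, i.e. `ALL_POINTS`) immediately followed by a tuple that falls back to the shared point list would pin this down.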
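The failure mode the commit message describes, reduced to a stand-alone model (added here; this is not FreeType code and does not use its types or readers): a tuple with private point numbers and a zero count sets `localpoints` to `ALL_POINTS`, the next tuple has no private point numbers and takes the shared list, and the delta array is sized from `point_count` while the "all points" branch walks the whole cvt. The `ALL_POINTS` sentinel value, the cvt size, the shared point list `{1, 3}` and the delta values are constructed for the example; the out-of-bounds counter stands in for what is a heap over-read in the real parser.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sentinel meaning "deltas apply to every cvt entry" (model value, not
   FreeType's definition). */
#define ALL_POINTS ((const unsigned short *)(size_t)-1)

enum { CVT_SIZE = 6 };   /* toy cvt table size (assumption) */

/* One cvar tuple, reduced to the fields the bug depends on. */
typedef struct {
    int                   private_points; /* tuple carries its own point list */
    const unsigned short *pts;            /* that list, or ALL_POINTS         */
    unsigned short        n;              /* list length; 0 for ALL_POINTS    */
} tuple_t;

/* Model of the per-tuple loop. reset_localpoints == 0 reproduces the
   pre-patch code, 1 applies the one-line fix. Returns the number of delta
   reads that fell outside the deltas buffer; 0 means the loop stayed in
   bounds. */
static int apply_tuples(const tuple_t *tuples, size_t ntuples,
                        const unsigned short *sharedpoints,
                        unsigned short spoint_count,
                        int reset_localpoints, int cvt[CVT_SIZE])
{
    const unsigned short *localpoints = NULL;
    const unsigned short *points      = NULL;
    unsigned short        point_count = 0;
    int                   oob         = 0;

    for (size_t i = 0; i < ntuples; i++) {
        if (tuples[i].private_points) {
            localpoints = tuples[i].pts;
            point_count = tuples[i].n;
            points      = localpoints;
        } else {
            if (reset_localpoints)
                localpoints = NULL;       /* the patch: clear stale state */
            points      = sharedpoints;
            point_count = spoint_count;
        }

        /* Delta array sized from point_count: 0 means one delta per cvt entry. */
        size_t delta_count = point_count == 0 ? CVT_SIZE : point_count;
        int   *deltas      = calloc(delta_count, sizeof *deltas);
        if (!deltas)
            abort();
        for (size_t j = 0; j < delta_count; j++)
            deltas[j] = 1;                /* constructed delta values */

        if (localpoints == ALL_POINTS) {
            /* Walks the whole cvt, so it reads CVT_SIZE deltas no matter
               how many were allocated. */
            for (size_t j = 0; j < CVT_SIZE; j++) {
                if (j >= delta_count) { oob++; continue; }
                cvt[j] += deltas[j];
            }
        } else {
            for (size_t j = 0; j < point_count; j++)
                if (points[j] < CVT_SIZE)
                    cvt[points[j]] += deltas[j];
        }
        free(deltas);
    }
    return oob;
}

/* Constructed trigger: tuple 0 has private point numbers with a zero count
   (ALL_POINTS); tuple 1 has none and falls back to the shared list {1, 3}. */
static int run_scenario(int reset_localpoints, int cvt[CVT_SIZE])
{
    static const unsigned short shared[] = { 1, 3 };
    const tuple_t tuples[] = {
        { 1, ALL_POINTS, 0 },
        { 0, NULL,       0 },
    };
    memset(cvt, 0, CVT_SIZE * sizeof *cvt);
    return apply_tuples(tuples, 2, shared, 2, reset_localpoints, cvt);
}

/* Out-of-bounds delta reads for the scenario (0 once fixed). */
int scenario_oob(int reset_localpoints)
{
    int cvt[CVT_SIZE];
    return run_scenario(reset_localpoints, cvt);
}

/* cvt[idx] after the scenario, to confirm the fixed path still applies deltas. */
int scenario_cvt(int reset_localpoints, int idx)
{
    int cvt[CVT_SIZE];
    run_scenario(reset_localpoints, cvt);
    return (idx >= 0 && idx < CVT_SIZE) ? cvt[idx] : -1;
}

int main(void)
{
    printf("pre-patch: %d out-of-bounds delta reads\n", scenario_oob(0));
    printf("patched:   %d out-of-bounds delta reads\n", scenario_oob(1));
    return 0;
}
```

With the stale `ALL_POINTS`, the second tuple allocates two deltas but the "all points" branch asks for six, so four reads land past the buffer; with the reset, the second tuple goes through the shared list and only cvt entries 1 and 3 receive its delta.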