From d9ff6f20ad3e5101dbed0164cbed10e0d0c26792 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Thu, 16 Mar 2017 20:20:51 +0100
Subject: [PATCH] * src/truetype/ttgxvar.c (tt_done_blend): Free `vvar_table'.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=883
---
 ChangeLog              |  8 ++++++++
 src/truetype/ttgxvar.c | 10 ++++++++++
 2 files changed, 18 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 5bbf50a1a..7dac7a2c1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2017-03-16  Werner Lemberg  <wl@gnu.org>
+
+	* src/truetype/ttgxvar.c (tt_done_blend): Free `vvar_table'.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=883
+
 2017-03-15  Werner Lemberg  <wl@gnu.org>
 
 	Remove clang compiler warnings (#50548).
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index 4ceee00e6..59615e22e 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -3696,6 +3696,16 @@
         FT_FREE( blend->hvar_table );
       }
 
+      if ( blend->vvar_table )
+      {
+        ft_var_done_item_variation_store( face,
+                                          &blend->vvar_table->itemStore );
+
+        FT_FREE( blend->vvar_table->widthMap.innerIndex );
+        FT_FREE( blend->vvar_table->widthMap.outerIndex );
+        FT_FREE( blend->vvar_table );
+      }
+
       if ( blend->mvar_table )
       {
         ft_var_done_item_variation_store( face,