From 9154707f6bc9592e0761376d3bf00ffc00275781 Mon Sep 17 00:00:00 2001
From: Ben Wagner
Date: Mon, 7 Nov 2022 16:58:56 -0500
Subject: [PATCH] [truetype] Check avar_segment before access

* src/truetype/ttgxvar.c (tt_done_blend): check `avar_segment` before accessing to free its `correspondence`.

Reported as: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53062
---
 src/truetype/ttgxvar.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index 1bc8f9dee..71ff20e35 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -4500,9 +4500,12 @@
 if ( blend->avar_table )
 {
- for ( i = 0; i < num_axes; i++ )
- FT_FREE( blend->avar_table->avar_segment[i].correspondence );
- FT_FREE( blend->avar_table->avar_segment );
+ if ( blend->avar_table->avar_segment )
+ {
+ for ( i = 0; i < num_axes; i++ )
+ FT_FREE( blend->avar_table->avar_segment[i].correspondence );
+ FT_FREE( blend->avar_table->avar_segment );
+ }
 tt_var_done_item_variation_store( face, &blend->avar_table->itemStore );
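Review bot: The new `if ( blend->avar_table->avar_segment )` guard carries no comment saying when `avar_table` can be non-NULL while `avar_segment` is NULL, and the loop inside it still assumes the array holds `num_axes` entries whose `correspondence` pointers are each either valid or NULL. Presumably this state arises when loading the table stops part-way (the commit cites an OSS-Fuzz report), but the loader is not visible here. It is worth confirming that the segment count always equals `num_axes` and that a partially filled array is never left attached to the table. I would add above the guard `/* avar_segment is NULL if loading the avar table failed part-way */`, adjusted to whatever the loader actually does. `tt_done_blend` starts and ends outside this hunk.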