From a99a8e2863a44dcf7397e27f73655e4e0cc36704 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Fri, 3 Jan 2020 18:09:12 +0100
Subject: [PATCH] [woff2] Fix memory leaks and a runtime warning.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19773
* src/sfnt/sfwoff2.c (compute_ULong_sum): Add missing cast.
(reconstruct_hmtx): Add missing deallocation calls.
---
 ChangeLog | 11 +++++++++++
 src/sfnt/sfwoff2.c | 10 +++++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index f7f2d6891..1051a361a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2020-01-03 Werner Lemberg
+
+ [woff2] Fix memory leaks and a runtime warning.
+
+ Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19773
+
+ * src/sfnt/sfwoff2.c (compute_ULong_sum): Add missing cast.
+ (reconstruct_hmtx): Add missing deallocation calls.
+
 2020-01-02 Dominik Röttsches
 [truetype] Fix UBSan warning on offset to nullptr (#57501).
diff --git a/src/sfnt/sfwoff2.c b/src/sfnt/sfwoff2.c
index 36ae6e703..23e826f3c 100644
--- a/src/sfnt/sfwoff2.c
+++ b/src/sfnt/sfwoff2.c
@@ -302,7 +302,7 @@
 {
 v = 0;
 for ( i = aligned_size ; i < size; ++i )
- v |= buf[i] << ( 24 - 8 * ( i & 3 ) );
+ v |= (FT_ULong)buf[i] << ( 24 - 8 * ( i & 3 ) );
 checksum += v;
 }
@@ -1465,9 +1465,17 @@
 *sfnt_bytes = sfnt;
 *out_offset = dest_offset;
+ FT_FREE( advance_widths );
+ FT_FREE( lsbs );
+ FT_FREE( hmtx_table );
+
 return error;
 Fail:
+ FT_FREE( advance_widths );
+ FT_FREE( lsbs );
+ FT_FREE( hmtx_table );
+
 if ( !error )
 error = FT_THROW( Invalid_Table );
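Review bot: The new cast on the `v |= (FT_ULong)buf[i] << ...` line is correct but silent about why it is there, and the next reader may "simplify" it away; if `buf` is a byte array (the `i & 3` indexing suggests so), `buf[i]` is promoted to `int` before the shift, and `<< 24` for the first byte of each word can land in the sign bit of a 32-bit `int`, which is undefined behavior for a signed operand and is presumably the runtime warning the commit title refers to. A one-line comment above the loop would pin that down: `/* cast first: buf[i] promotes to int, and << 24 would reach the sign bit */`. The enclosing compute_ULong_sum starts and ends outside the hunk; if the aligned-size loop before this tail loop assembles words the same way, it is worth confirming it already carries the same cast.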
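Review bot: The three `FT_FREE` calls added under `Fail:` are only safe if `advance_widths`, `lsbs` and `hmtx_table` are initialized to NULL at declaration, because an early `goto Fail` taken before the corresponding allocation would otherwise hand an indeterminate pointer to the free path; the declarations and the early exits are outside the hunk, so that initialization should be confirmed rather than assumed. The success path and the `Fail:` path now carry the same three release lines back to back, which is easy to let drift when a fourth buffer is added; a single cleanup label that the success path falls into and that `Fail:` jumps to after setting `error` (e.g. `if ( !error ) error = FT_THROW( Invalid_Table ); goto Exit;`) would keep one copy. Since `FT_FREE` resets the pointer it frees, the duplication itself is not a double-free risk, only a maintenance one. reconstruct_hmtx continues past the end of the hunk.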