From befee11296032fc8b25d87bf0f65c18bb67682bb Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Tue, 15 May 2018 17:01:22 +0200
Subject: [PATCH] [sfnt] Fix memory leak in handling `COLR' data.

* src/truetype/ttgload.c (TT_Load_Glyph): Free old `layers' array
before reassigning allocated memory.
Only allocate `color_layers' if we don't have one already.
---
ChangeLog | 8 ++++++++
src/sfnt/ttcolr.c | 2 +-
src/truetype/ttgload.c | 17 ++++++++---------
3 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 1a787b470..8f44a924f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2018-05-15 Werner Lemberg
+
+ [sfnt] Fix memory leak in handling `COLR' data.
+
+ * src/truetype/ttgload.c (TT_Load_Glyph): Free old `layers' array
+ before reassigning allocated memory.
+ Only allocate `color_layers' if we don't have one already.
+
 2018-05-15 Werner Lemberg
 [sfnt] If `COLR' is present, don't assume that all glyphs use it.
diff --git a/src/sfnt/ttcolr.c b/src/sfnt/ttcolr.c
index 1e469f5a7..67d320b11 100644
--- a/src/sfnt/ttcolr.c
+++ b/src/sfnt/ttcolr.c
@@ -268,7 +268,7 @@
 FT_Int mid = min + ( max - min ) / 2;
 FT_Byte* p = base_glyph_begin + mid * BASE_GLYPH_SIZE;
- FT_UShort gid = FT_NEXT_USHORT( p );
+ FT_UShort gid = FT_NEXT_USHORT( p );
 if ( gid < glyph_id )
diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c
index 459fe2ebf..0bd9af73f 100644
--- a/src/truetype/ttgload.c
+++ b/src/truetype/ttgload.c
@@ -2903,7 +2903,6 @@
 FT_Glyph_LayerRec* glyph_layers;
 FT_UShort num_glyph_layers;
- FT_Colr_Internal color_layers;
 error = sfnt->load_colr_layer( face,
@@ -2913,17 +2912,17 @@
 if ( error )
 return error;
- if ( num_glyph_layers )
+ if ( !glyph->internal->color_layers )
 {
- if ( FT_NEW( color_layers ) )
+ if ( FT_NEW( glyph->internal->color_layers ) )
 return error;
-
- color_layers->layers = glyph_layers;
- color_layers->num_layers = num_glyph_layers;
- color_layers->load_flags = load_flags;
-
- glyph->internal->color_layers = color_layers;
 }
+
+ FT_FREE( glyph->internal->color_layers->layers );
+
+ glyph->internal->color_layers->layers = glyph_layers;
+ glyph->internal->color_layers->num_layers = num_glyph_layers;
+ glyph->internal->color_layers->load_flags = load_flags;
 }
 Exit:
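Review bot: The bare `return error;` inside the new `if ( FT_NEW( glyph->internal->color_layers ) )` branch still loses the `glyph_layers` array that `sfnt->load_colr_layer` has just handed back — the commit message treats that array as allocated memory, so on this allocation-failure path it leaks exactly as the old `layers` pointer did before the fix; release it before leaving, e.g. `{ FT_FREE( glyph_layers ); return error; }`, or route through `Exit:` if that label already cleans it up (its body is outside the hunk). A second, smaller point: dropping the `if ( num_glyph_layers )` guard means a `color_layers` record is now allocated for every glyph reaching this block, including those with zero layers, so any consumer that presumably tests `glyph->internal->color_layers != NULL` as "this glyph has colour layers" would now be misled and should look at `num_layers` instead — worth confirming against the readers of that field. TT_Load_Glyph begins and ends outside the hunk.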