The vstore->regionCount and vstore->dataCount were read directly
from the data. However, vstore->varRegionList and vstore->varData
would still contain uninitialized entries with uninitialized
pointers in the event of an error, leading to issues when attempting
to clean up.
Reportd as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40104
* src/cff/cffload.c (cff_vstore_load): Read the region and data counts
into locals and update the vstore counts immediately after each entry
becomes free-able.
b5e003f1f2