[freetype2] master d3dc2da: * src/truetype/ttgxvar.c (tt_set_mm_blend): Test `coords`.

[Werner Lemberg]

branch: master
commit d3dc2da9b27af5b90575d62989389cc65fe7977c
Author: Ben Wagner <bungeman@chromium.org>
Commit: Werner Lemberg <wl@gnu.org>

    * src/truetype/ttgxvar.c (tt_set_mm_blend): Test `coords`.
    
    It is undefined behavior to pass `NULL` to `memcpy`.  `coords' is
    passed to `memcpy` but `TT_Get_MM_Blend` and `TT_Get_Var_Design`
    explictly call `tt_set_mm_blend` with `coords` as `NULL`.  In
    addition, `TT_Set_MM_Blend` has a similar possible issue.
---
 ChangeLog              | 9 +++++++++
 src/truetype/ttgxvar.c | 7 ++++---
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 9209ea8..34552ca 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2021-07-01  Ben Wagner  <bungeman@chromium.org>
+
+       * src/truetype/ttgxvar.c (tt_set_mm_blend): Test `coords`.
+
+       It is undefined behavior to pass `NULL` to `memcpy`.  `coords' is
+       passed to `memcpy` but `TT_Get_MM_Blend` and `TT_Get_Var_Design`
+       explictly call `tt_set_mm_blend` with `coords` as `NULL`.  In
+       addition, `TT_Set_MM_Blend` has a similar possible issue.
+
 2021-06-30  Dominik Röttsches  <drott@chromium.org>
 
        [sfnt] Support PaintScale in 'COLR' v1 parsing.
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index ad87746..aad3e29 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -2663,9 +2663,10 @@
     }
 
     blend->num_axis = mmvar->num_axis;
-    FT_MEM_COPY( blend->normalizedcoords,
-                 coords,
-                 num_coords * sizeof ( FT_Fixed ) );
+    if ( coords )
+      FT_MEM_COPY( blend->normalizedcoords,
+                   coords,
+                   num_coords * sizeof ( FT_Fixed ) );
 
     if ( set_design_coords )
       ft_var_to_design( face,