From 10d8de7541ab1f26f6f04b2118d13a92a7119102 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dominik=20R=C3=B6ttsches?=
Date: Mon, 30 Dec 2019 11:22:04 +0200
Subject: [PATCH] [truetype] Fix UBSan warning on offset to nullptr (#57501).

* src/truetype/ttinterp.c (Ins_CALL): Fail if `exc->FDefs' is null.
---
 ChangeLog | 6 ++++++
 src/truetype/ttinterp.c | 3 +++
 2 files changed, 9 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 5447fc4fc..f7f2d6891 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2020-01-02 Dominik Röttsches
+
+ [truetype] Fix UBSan warning on offset to nullptr (#57501).
+
+ * src/truetype/ttinterp.c (Ins_CALL): Fail if `exc->FDefs' is null.
+
 2019-12-31 Nikhil Ramakrishnan
 
 [woff2] Allow bitmap-only fonts (#57394).
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index dca11d739..56cf53bde 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -3965,6 +3965,9 @@
 if ( BOUNDSL( F, exc->maxFunc + 1 ) )
 goto Fail;
 
+ if ( !exc->FDefs )
+ goto Fail;
+
 /* Except for some old Apple fonts, all functions in a TrueType */
 /* font are defined in increasing order, starting from 0. This */
 /* means that we normally have */
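Review bot: The new `if ( !exc->FDefs )` guard after the `BOUNDSL( F, exc->maxFunc + 1 )` check carries no comment, so a later reader may take the bounds check as sufficient and drop the apparently redundant test; a why-comment on the new lines would pin down that the two checks cover different failures, e.g. `/* the bounds check on F does not cover a missing FDefs table;   */` `/* indexing a NULL table is undefined even at offset 0 (#57501). */`. Ins_CALL begins and ends outside the hunk, including the `Fail:` label the new branch jumps to, so what error the caller sees is not visible here. If Ins_LOOPCALL looks up `exc->FDefs` the same way, it presumably needs the same guard; only Ins_CALL is touched by this patch.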