[sfnt] Fix memory leak in handling `COLR' data.

* src/truetype/ttgload.c (TT_Load_Glyph): Free old `layers' array
before reassigning allocated memory.
Only allocate `color_layers' if we don't have one already.

ChangeLog

@@ -1,3 +1,11 @@
+2018-05-15  Werner Lemberg  <wl@gnu.org>
+
+	[sfnt] Fix memory leak in handling `COLR' data.
+
+	* src/truetype/ttgload.c (TT_Load_Glyph): Free old `layers' array
+	before reassigning allocated memory.
+	Only allocate `color_layers' if we don't have one already.
+
 2018-05-15  Werner Lemberg  <wl@gnu.org>
 
 	[sfnt] If `COLR' is present, don't assume that all glyphs use it.

src/sfnt/ttcolr.c

@@ -268,7 +268,7 @@
       FT_Int    mid = min + ( max - min ) / 2;
       FT_Byte*  p   = base_glyph_begin + mid * BASE_GLYPH_SIZE;
 
-      FT_UShort  gid  = FT_NEXT_USHORT( p );
+      FT_UShort  gid = FT_NEXT_USHORT( p );
 
 
       if ( gid < glyph_id )

src/truetype/ttgload.c

@@ -2903,7 +2903,6 @@
 
       FT_Glyph_LayerRec*  glyph_layers;
       FT_UShort           num_glyph_layers;
-      FT_Colr_Internal    color_layers;
 
 
       error = sfnt->load_colr_layer( face,
@@ -2913,17 +2912,17 @@
       if ( error )
         return error;
 
-      if ( num_glyph_layers )
+      if ( !glyph->internal->color_layers )
       {
-        if ( FT_NEW( color_layers ) )
+        if ( FT_NEW( glyph->internal->color_layers ) )
           return error;
+      }
 
-        color_layers->layers     = glyph_layers;
-        color_layers->num_layers = num_glyph_layers;
-        color_layers->load_flags = load_flags;
+      FT_FREE( glyph->internal->color_layers->layers );
 
-        glyph->internal->color_layers = color_layers;
-      }
+      glyph->internal->color_layers->layers     = glyph_layers;
+      glyph->internal->color_layers->num_layers = num_glyph_layers;
+      glyph->internal->color_layers->load_flags = load_flags;
     }
 
   Exit: