From 8e3a1be3b3744337074b21bfb78739d8b1ee0364 Mon Sep 17 00:00:00 2001
From: Po Lu
Date: Tue, 23 Jan 2024 10:30:51 +0800
Subject: [PATCH] Correct crash when executing IP within twilight zone

* src/sfnt.c (sfnt_address_zp2, sfnt_address_zp1) (sfnt_address_zp0): Don't save into X or Y if the zone is set to the twilight zone and they are NULL.

(cherry picked from commit 54abf10dfeeb890fa46c43f13e6c7468a0d945e4)
---
 src/sfnt.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/sfnt.c b/src/sfnt.c
index 36a7fbf3ea0..41dba8b486e 100644
--- a/src/sfnt.c
+++ b/src/sfnt.c
@@ -8563,8 +8563,12 @@ sfnt_address_zp2 (struct sfnt_interpreter *interpreter,
   if (number >= interpreter->twilight_zone_size)
     TRAP ("address to ZP2 (twilight zone) out of bounds");
 
+  if (!x || !y)
+    goto next;
+
   *x = interpreter->twilight_x[number];
   *y = interpreter->twilight_y[number];
+ next:
 
   if (!x_org || !y_org)
     return;
@@ -8614,8 +8618,12 @@ sfnt_address_zp1 (struct sfnt_interpreter *interpreter,
   if (number >= interpreter->twilight_zone_size)
     TRAP ("address to ZP1 (twilight zone) out of bounds");
 
+  if (!x || !y)
+    goto next;
+
   *x = interpreter->twilight_x[number];
   *y = interpreter->twilight_y[number];
+ next:
 
   if (!x_org || !y_org)
     return;
@@ -8665,8 +8673,12 @@ sfnt_address_zp0 (struct sfnt_interpreter *interpreter,
   if (number >= interpreter->twilight_zone_size)
     TRAP ("address to ZP0 (twilight zone) out of bounds");
 
+  if (!x || !y)
+    goto next;
+
   *x = interpreter->twilight_x[number];
   *y = interpreter->twilight_y[number];
+ next:
 
   if (!x_org || !y_org)
     return;
-- 
2.39.5
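Review bot: The added guard in sfnt_address_zp2 skips both stores when either pointer is NULL, so a caller that supplies a valid X with a NULL Y (or the reverse) silently gets nothing written back; if X and Y are by contract always passed together, that should be stated in the function's header comment, otherwise each pointer should be tested on its own before its store. A forward `goto next` over two assignments is also more control flow than the situation needs: `if (x && y) { *x = interpreter->twilight_x[number]; *y = interpreter->twilight_y[number]; }` removes the label and keeps the guard next to the stores it protects. The same pattern appears in the sfnt_address_zp1 and sfnt_address_zp0 hunks. Each function's body continues outside its hunk, so whether the glyph-zone path below the twilight-zone branch tolerates NULL X and Y cannot be confirmed from here.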