From b047e299546ac3abb79cf0bac3c67f5c2dfc7fb6 Mon Sep 17 00:00:00 2001
From: Akira TAGOH
Date: Fri, 30 Nov 2018 10:42:26 +0000
Subject: [PATCH] Fix a dereference of a null pointer

When exiting from for loop by not satisfying the condition of `(s = next[i])` at FcCacheRemoveUnlocked() referring s->alloated will be invalid.
---
 src/fccache.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/src/fccache.c b/src/fccache.c
index 87073ba..3352a66 100644
--- a/src/fccache.c
+++ b/src/fccache.c
@@ -710,15 +710,18 @@ FcCacheRemoveUnlocked (FcCache *cache)
 while (fcCacheMaxLevel > 0 && fcCacheChains[fcCacheMaxLevel - 1] == NULL)
 fcCacheMaxLevel--;

- allocated = s->allocated;
- while (allocated)
+ if (s)
 {
- /* First element in allocated chunk is the free list */
- next = *(void **)allocated;
- free (allocated);
- allocated = next;
+ allocated = s->allocated;
+ while (allocated)
+ {
+ /* First element in allocated chunk is the free list */
+ next = *(void **)allocated;
+ free (allocated);
+ allocated = next;
+ }
+ free (s);
 }
- free (s);
 }

 static FcCache *
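Review bot: The added `if (s)` wraps the whole free loop and re-indents seven otherwise unchanged lines, although nothing follows the block before the function's closing brace; an early exit, `if (!s) return;` placed where `if (s)` now stands, keeps the original body and the diff minimal. The commit message attributes the NULL `s` to the search loop `for (...; (s = next[i]); ...)`, which lies above the hunk, so if that earlier code dereferences `s` (for example when unlinking it from the chains) before reaching this point, the guard here would arrive too late and the earlier use needs the same check — worth confirming against the lines outside the hunk. A short comment on the guard, such as `/* s is NULL when the cache was never registered in the skip list; nothing to free */`, would record why the function may legitimately exit without freeing anything. The body of FcCacheRemoveUnlocked starts outside the hunk.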