[2020-01-03] - Found with American Fuzzy Lop - CVE-2020-5395

Use-after-free (heap) in the SFD_GetFontMetaData() function, in sfd.c.

The issue can be reproduced by running:

```
fontforge test01.sfd
```

```
=================================================================
==7418==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000c8068 at pc 0x7f60f1122f2d bp 0x7fff16e6ff70 sp 0x7fff16e6f718
WRITE of size 48 at 0x6030000c8068 thread T0
    #0 0x7f60f1122f2c  (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x67f2c)
    #1 0x7f60ef2c7850 in SFD_GetFontMetaData /home/fcambus/fontforge-20190801/fontforge/sfd.c:8008
    #2 0x7f60ef2ccf66 in SFD_GetFont /home/fcambus/fontforge-20190801/fontforge/sfd.c:8502
    #3 0x7f60ef2d3e0f in SFD_Read /home/fcambus/fontforge-20190801/fontforge/sfd.c:9077
    #4 0x7f60ef2d4360 in _SFDRead /home/fcambus/fontforge-20190801/fontforge/sfd.c:9110
    #5 0x7f60ef32d7bd in _ReadSplineFont /home/fcambus/fontforge-20190801/fontforge/splinefont.c:1178
    #6 0x7f60ef32f0bf in ReadSplineFont /home/fcambus/fontforge-20190801/fontforge/splinefont.c:1321
    #7 0x7f60ef32f591 in LoadSplineFont /home/fcambus/fontforge-20190801/fontforge/splinefont.c:1379
    #8 0x7f60eeeedbbc in ViewPostScriptFont /home/fcambus/fontforge-20190801/fontforge/fontviewbase.c:1347
    #9 0x7f60f0d3c89e in fontforge_main /home/fcambus/fontforge-20190801/fontforgeexe/startui.c:1392
    #10 0x557137b971ec in main /home/fcambus/fontforge-20190801/fontforgeexe/main.c:33
    #11 0x7f60f03c81e2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x271e2)
    #12 0x557137b9710d in _start (/home/fcambus/fontforge-20190801/fontforgeexe/.libs/fontforge+0x110d)

0x6030000c8070 is located 0 bytes to the right of 32-byte region [0x6030000c8050,0x6030000c8070)
freed by thread T0 here:
    #0 0x7f60f11c86ef in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10d6ef)
    #1 0x7f60ee24c014 in _XReply (/usr/lib/x86_64-linux-gnu/libX11.so.6+0x40014)

previously allocated by thread T0 here:
    #0 0x7f60f11c8ae8 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10dae8)
    #1 0x7f60ed7a3cfd  (/usr/lib/x86_64-linux-gnu/libxcb.so.1+0xdcfd)

SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x67f2c)
Shadow bytes around the buggy address:
  0x0c0680010fb0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c0680010fc0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c0680010fd0: fd fd fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c0680010fe0: fd fd fd fa fa fa fd fd fd fd fa fa 00 00 04 fa
  0x0c0680010ff0: fa fa 00 00 00 00 fa fa fd fd fd fa fa fa fd fd
=>0x0c0680011000: fd fd fa fa 00 00 00 fa fa fa fd fd fd[fd]fa fa
  0x0c0680011010: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680011020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680011030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680011040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0680011050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==7418==ABORTING
```