Potential double-free of the name_mapping pointer in FcFreeTypeQueryFaceInternal
I think there's a potential double-free bug in the FcFreeTypeQueryFaceInternal function, introduced in 61573ad5.
If no nm_share pointer is passed in, the name_mapping pointer will be allocated at https://gitlab.freedesktop.org/fontconfig/fontconfig/-/blob/master/src/fcfreetype.c#L1443. It will then (again, provided nm_share is null) be freed at https://gitlab.freedesktop.org/fontconfig/fontconfig/-/blob/master/src/fcfreetype.c#L1630. But if something subsequently fails, and we jump to the bail1 cleanup code at https://gitlab.freedesktop.org/fontconfig/fontconfig/-/blob/master/src/fcfreetype.c#L2201, the already-freed name_mapping pointer will be freed again, AFAICS.
A simple fix would be to reset the pointer to NULL when it is freed in the main body of the function.
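As an added illustration (not code from this report or from fontconfig), the control flow described above with a simulated allocator that records a second release instead of corrupting the heap, so the unfixed and fixed variants can both run; the NameMapping type, mapping_alloc/mapping_free and the fail_late/reset_after_free parameters are constructed stand-ins:

```c
#include <stddef.h>

/* Constructed stand-in for the name-mapping table. The simulated allocator
 * (assumption, not fontconfig code) counts releases of an already-dead slot,
 * which a real free() would turn into undefined behaviour. */
typedef struct { int live; int platform_id; int name_id; } NameMapping;

static NameMapping g_slot;   /* backing storage for the locally allocated table */
static int g_double_frees;   /* incremented when a dead slot is released again */

static NameMapping *mapping_alloc(void) { g_slot.live = 1; return &g_slot; }

static void mapping_free(NameMapping *m) {
    if (!m) return;                  /* freeing NULL is a no-op, as with free() */
    if (!m->live) g_double_frees++;  /* second release of the same pointer */
    m->live = 0;
}

/* Mirrors the shape the report describes: with nm_share == NULL the table is
 * allocated locally, released once in the main body, and released again by the
 * bail1 cleanup. fail_late injects a failure after the in-body release;
 * reset_after_free selects the proposed fix. Returns 0 on success, -1 on bail. */
static int query_face(NameMapping *nm_share, int fail_late, int reset_after_free)
{
    NameMapping *name_mapping = nm_share ? nm_share : mapping_alloc();

    /* ... the body would look up names through name_mapping here ... */

    if (!nm_share) {
        mapping_free(name_mapping);
        if (reset_after_free)
            name_mapping = NULL;     /* the fix: bail1 then frees NULL, a no-op */
    }

    if (fail_late)
        goto bail1;                  /* a later failure takes the cleanup path */
    return 0;                        /* the success path does not reach bail1 */

bail1:
    if (!nm_share)
        mapping_free(name_mapping);  /* double release unless the pointer was reset */
    return -1;
}

/* Runs one scenario with a locally allocated table and reports the
 * number of double releases it produced. */
static int double_frees_for(int fail_late, int reset_after_free)
{
    g_double_frees = 0;
    query_face(NULL, fail_late, reset_after_free);
    return g_double_frees;
}
```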