Fix invalid memory read

Buffer might be relocated inside replace_glyphs().

Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=895117

src/hb-ot-shape-normalize.cc

@@ -225,7 +225,8 @@ handle_variation_selector_cluster (const hb_ot_shape_normalize_context_t *c,
       /* The next two lines are some ugly lines... But work. */
       if (font->get_variation_glyph (buffer->cur().codepoint, buffer->cur(+1).codepoint, &buffer->cur().glyph_index()))
       {
-	buffer->replace_glyphs (2, 1, &buffer->cur().codepoint);
+	hb_codepoint_t unicode = buffer->cur().codepoint;
+	buffer->replace_glyphs (2, 1, &unicode);
       }
       else
       {