authorwm4 <wm4@nowhere>2015-09-07 12:43:40 +0200
committerwm4 <wm4@nowhere>2015-09-07 13:17:45 +0200
commit373cb020aa96bf487d19ea3483db85fa22855ad0 (patch)
tree809e55b5e103dab6702d6edf67c3025cfde19558
parent5eb0970a8d714cf69c5252dbfbf3df6e8d268f6a (diff)
ass_render: fix potential NULL deref
The logic here is pretty complicated. The caller of this function guards it with "if(info->bm || info->bm_o){", and generally indeed only one of them is set. But in some cases, both are needed. fix_outline() definitely dereferences both. This is not necessarily guaranteed, e.g. on out of memory errors. Add the missing checks. Fixes CID 146125.
-rw-r--r--libass/ass_render.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/libass/ass_render.c b/libass/ass_render.c
index 5bc98d1..88ab734 100644
--- a/libass/ass_render.c
+++ b/libass/ass_render.c
@@ -1785,7 +1785,7 @@ static int is_new_bm_run(GlyphInfo *info, GlyphInfo *last)
static void make_shadow_bitmap(CombinedBitmapInfo *info, ASS_Renderer *render_priv)
{
if (!(info->filter.flags & FILTER_NONZERO_SHADOW)) {
- if (info->bm_o && !(info->filter.flags & FILTER_BORDER_STYLE_3)) {
+ if (info->bm && info->bm_o && !(info->filter.flags & FILTER_BORDER_STYLE_3)) {
fix_outline(info->bm, info->bm_o);
} else if (info->bm_o && !(info->filter.flags & FILTER_NONZERO_BORDER)) {
ass_free_bitmap(info->bm_o);
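Review bot: When `info->bm` is NULL but `info->bm_o` is set, the tightened condition now sends control into the `else if` arm, so the outline is freed when FILTER_NONZERO_BORDER is clear and otherwise kept without fix_outline() having run. Nothing in the code says this fall-through is the intended handling of a half-built glyph run. A one-line comment above the `if` would record it, for example `/* fix_outline() dereferences both bitmaps; either can be NULL after a failed allocation */`. The same comment fits the identical condition in the second hunk. The body of make_shadow_bitmap continues outside this hunk.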
@@ -1795,7 +1795,7 @@ static void make_shadow_bitmap(CombinedBitmapInfo *info, ASS_Renderer *render_pr
}
// Create shadow and fix outline as needed
- if (info->bm_o && !(info->filter.flags & FILTER_BORDER_STYLE_3)) {
+ if (info->bm && info->bm_o && !(info->filter.flags & FILTER_BORDER_STYLE_3)) {
info->bm_s = copy_bitmap(render_priv->engine, info->bm_o);
fix_outline(info->bm, info->bm_o);
} else if (info->bm_o && (info->filter.flags & FILTER_NONZERO_BORDER)) {
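Review bot: The result of `copy_bitmap()` is stored in `info->bm_s` with no check in the visible lines, and the commit message itself names out-of-memory as the case that leaves these bitmaps NULL. If copy_bitmap() can fail the same way, every later use of `info->bm_s` needs a guard such as `if (!info->bm_s) return;` after the else-if chain. That code is outside this hunk, so confirm whether the guard already exists before adding it. Note also that in the first branch fix_outline() still modifies `info->bm_o` even when the shadow copy failed, which looks harmless but is worth a comment.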