author | Oleg Oshmyan <chortos@inbox.lv> | 2017-02-04 01:05:29 +0200 |
---|---|---|
committer | Oleg Oshmyan <chortos@inbox.lv> | 2020-10-18 05:01:31 +0300 |
commit | b06e2975240de9aca03dd6af5c45bee964678ec4 (patch) | |
tree | b4097e38b70f10181d03143f92cfa9d4231efb0b | |
parent | 84928b1fb100004686ac61851720da9247cad34b (diff) | |
Fix integer overflow while parsing \fad(arg, large negative number)
If t3 is initially negative, it should be set to a value larger
than the duration of the event. This triggers the `now < t3` branch
in interpolate_alpha (if none of the earlier branches are taken).
The same effect can be achieved by setting t3 to the duration itself.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=531.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3905.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11736.
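As an added worked example (not code from the libass commit or from its author), the following C models the conversion the commit message describes: `\fad(in, out)` stores `out` as an offset from the event end, the pre-fix code computes `t3 = t4 - t3` with no clamp, and the post-fix code clamps the parsed value first. The `long long` timings, the `FFMAX` macro definition and the fade model in `fade_alpha` (a1 before t1, a1 to a2 over t1..t2, a2 until t3, a2 to a3 over t3..t4, a3 afterwards) are assumptions standing in for the libass code the page does not show; `fad_times_unclamped` reports the overflow instead of performing it, since signed overflow is undefined behaviour in C.

```c
/* Added example, not libass code: models the \fad(in, out) -> t1..t4 conversion
 * described in the commit message and the overflow in the pre-fix t3 = t4 - t3.
 * The long long timings, the FFMAX macro and the fade model in fade_alpha are
 * assumptions standing in for code the page does not show. */
#include <limits.h>
#include <stdio.h>

#define FFMAX(a, b) ((a) > (b) ? (a) : (b))

typedef struct {
    long long t1, t2, t3, t4;   /* absolute offsets from the event start */
} FadeTimes;

/* 1 if lhs - rhs would leave the long long range; decided without performing
 * the subtraction, because signed overflow is undefined behaviour. */
static int sub_overflows(long long lhs, long long rhs)
{
    return (rhs < 0 && lhs > LLONG_MAX + rhs) ||
           (rhs > 0 && lhs < LLONG_MIN + rhs);
}

/* Pre-fix conversion: `out` is an offset from the event end and is subtracted
 * unclamped. Returns 0 without touching *ft when that subtraction would wrap. */
static int fad_times_unclamped(long long duration, long long in, long long out,
                               FadeTimes *ft)
{
    if (sub_overflows(duration, out))
        return 0;
    ft->t1 = 0;
    ft->t2 = in;
    ft->t4 = duration;
    ft->t3 = duration - out;
    return 1;
}

/* Post-fix conversion: clamp the parsed value to >= 0 first. For a
 * non-negative duration the result is duration - out when out >= 0 and
 * exactly duration when out < 0, so the subtraction can never overflow. */
static void fad_times_clamped(long long duration, long long in, long long out,
                              FadeTimes *ft)
{
    ft->t1 = 0;
    ft->t2 = in;
    ft->t4 = duration;
    ft->t3 = ft->t4 - FFMAX(out, 0);
}

/* Alpha at `now` under the assumed fade model: a1 before t1, a1 -> a2 over
 * [t1, t2), a2 until t3, a2 -> a3 over [t3, t4), a3 from t4 on. */
static int fade_alpha(long long now, const FadeTimes *ft, int a1, int a2, int a3)
{
    double cf;
    if (now < ft->t1)
        return a1;
    if (now < ft->t2) {
        cf = (double)(now - ft->t1) / (double)(ft->t2 - ft->t1);
        return (int)(a1 * (1 - cf) + a2 * cf);
    }
    if (now < ft->t3)
        return a2;
    if (now < ft->t4) {
        cf = (double)(now - ft->t3) / (double)(ft->t4 - ft->t3);
        return (int)(a2 * (1 - cf) + a3 * cf);
    }
    return a3;
}

int main(void)
{
    FadeTimes ft;
    long long duration = 5000, in = 200;   /* constructed sample event */

    /* The fuzzer case: \fad(200, <large negative number>) */
    if (!fad_times_unclamped(duration, in, LLONG_MIN, &ft))
        printf("unclamped: t4 - t3 would overflow for out = LLONG_MIN\n");
    fad_times_clamped(duration, in, LLONG_MIN, &ft);
    printf("clamped:   t3 = %lld, t4 = %lld, alpha(4999) = %d, alpha(5000) = %d\n",
           ft.t3, ft.t4, fade_alpha(4999, &ft, 255, 0, 255),
           fade_alpha(5000, &ft, 255, 0, 255));
    return 0;
}
```

Within the event's own duration the clamped and unclamped timings select the same alpha whenever the unclamped subtraction does not overflow, which is the equivalence the commit message relies on; for an `out` near `LLONG_MIN` only the clamped path yields a defined value.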
-rw-r--r-- | libass/ass_parse.c | 7 |
1 file changed, 6 insertions, 1 deletion
diff --git a/libass/ass_parse.c b/libass/ass_parse.c index b40cc33..ef5c01f 100644 --- a/libass/ass_parse.c +++ b/libass/ass_parse.c @@ -603,7 +603,12 @@ char *parse_tags(ASS_Renderer *render_priv, char *p, char *end, double pwr, if (t1 == -1 && t4 == -1) { t1 = 0; t4 = render_priv->state.event->Duration; - t3 = t4 - t3; + // The value we parsed in t3 is an offset from the event end. + // What we really want in t3 is an offset from the event start. + // To this end, set t3 to (event duration - parsed value). + // If t3 >= t4, the exact value of t3 will not matter, + // so clamp it to avoid overflow in the subtraction. + t3 = t4 - FFMAX(t3, 0); } if ((render_priv->state.parsed_tags & PARSED_FADE) == 0) { render_priv->state.fade = |
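Review bot: the new comment in the `if (t1 == -1 && t4 == -1)` block uses `t3` for two different quantities, the parsed offset from the event end and the resulting offset from the event start, so "If t3 >= t4, the exact value of t3 will not matter" is ambiguous; it holds for the result exactly when the parsed value is <= 0, which is the case the clamp handles. Suggest "If the parsed value is <= 0, the resulting t3 is >= t4 and its exact value will not matter, so clamp the parsed value to 0 to avoid overflow in the subtraction." Also, `t3 = t4 - FFMAX(t3, 0);` is overflow-free only because `t4` has just been set to `render_priv->state.event->Duration` and that value is taken to be non-negative; a one-line comment or assert stating that precondition next to the clamp would pin down the invariant the fix depends on.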