author | wm4 <wm4@nowhere> | 2014-11-16 17:23:12 +0100 |
committer | wm4 <wm4@nowhere> | 2014-11-16 17:23:12 +0100 |
commit | 045f646ab3b076002aef5e24b3e51713f40492cc (patch) | |
tree | 9442b701aa1e56cf6ed3a45607a4715943b71f08 | |
parent | 5d654cff0a2e27e1610ba2356efa703dcdfd297f (diff) | |
Check bitmap allocation for overflows
This actually fixes #146.
The overflow check itself is obvious. Also, make ass_align() return an
unaligned value if aligning it would overflow. This is probably better,
as, for example, it makes the overflow check in the caller simpler.
-rw-r--r-- | libass/ass_bitmap.c | 5 | ||||
-rw-r--r-- | libass/ass_utils.h | 2 |
2 files changed, 6 insertions, 1 deletions
diff --git a/libass/ass_bitmap.c b/libass/ass_bitmap.c
index 11ca1e8..2c523b4 100644
--- a/libass/ass_bitmap.c
+++ b/libass/ass_bitmap.c
@@ -230,7 +230,10 @@ static Bitmap *alloc_bitmap_raw(int w, int h)
 Bitmap *bm;
 unsigned align = (w >= 32) ? 32 : ((w >= 16) ? 16 : 1);
- unsigned s = ass_align(align, w);
+ size_t s = ass_align(align, w);
+ // Too often we use ints as offset for bitmaps => use INT_MAX.
+ if (s > (INT_MAX - 32) / FFMAX(h, 1))
+ return NULL;
 bm = malloc(sizeof(Bitmap));
 if (!bm)
 return NULL;
diff --git a/libass/ass_utils.h b/libass/ass_utils.h
index 5055e88..1ce451c 100644
--- a/libass/ass_utils.h
+++ b/libass/ass_utils.h
@@ -98,6 +98,8 @@ double ass_strtod(const char *string, char **endPtr);
 static inline size_t ass_align(size_t alignment, size_t s)
 {
+ if (s > SIZE_MAX - (alignment - 1))
+ return s;
 return (s + (alignment - 1)) & ~(alignment - 1);
 }
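Review bot: The new bound `if (s > (INT_MAX - 32) / FFMAX(h, 1))` in alloc_bitmap_raw clamps h to at least 1, so a negative h passes the check untouched and whatever the rest of the function (outside this hunk) computes from s and h would proceed with a negative height; if callers can never pass h < 0, a comment on the guard saying so would make that explicit, otherwise `if (h < 0) return NULL;` ahead of the check closes it. The 32 in the bound is not explained by anything in the hunk; it is presumably the slack the later allocation adds to the row stride, and the comment should name what it has to stay in sync with, e.g. `// 32: must match the extra bytes added to the allocation below (TODO confirm)`. It is also worth stating there that comparing the size_t s against the int right-hand side is only safe because the FFMAX clamp keeps that side non-negative. The comparison itself does prevent the negative-w case, since a negative w converted to size_t yields a huge s that the bound rejects.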
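Review bot: The added early return makes ass_align() hand back an unaligned s on overflow with no way for the caller to distinguish that from a normal result, so every caller now has to bound-check the value itself; alloc_bitmap_raw does so through its INT_MAX comparison, but other callers of ass_align() are not visible here and should be checked for the same. This contract belongs on the function in the header, e.g. `/* Round s up to a multiple of alignment (expected to be a power of two). If rounding would overflow size_t, s is returned unchanged, so callers must bound-check the result themselves. */`. With alignment == 0 the `alignment - 1` wraps to SIZE_MAX and the guard returns s for any non-zero input, which is harmless but worth stating in the same comment if zero is not a supported alignment.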