diff options
author | wm4 <wm4@nowhere> | 2014-11-16 21:35:48 +0100 |
---|---|---|
committer | wm4 <wm4@nowhere> | 2014-11-16 21:35:48 +0100 |
commit | 547468c75e63c7ae0794c4278c916a28df7a6b61 (patch) | |
tree | b23e4b038b89d895debf8e2f26abfa7e2945124f | |
parent | 4349eaea54f96b058a2014bb77a5acdf66195965 (diff) | |
download | libass-547468c75e63c7ae0794c4278c916a28df7a6b61.tar.bz2 libass-547468c75e63c7ae0794c4278c916a28df7a6b61.tar.xz |
Some more overflow checks
-rw-r--r-- | libass/ass_bitmap.c | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/libass/ass_bitmap.c b/libass/ass_bitmap.c index 658e2c7..cb059f1 100644 --- a/libass/ass_bitmap.c +++ b/libass/ass_bitmap.c @@ -287,6 +287,9 @@ Bitmap *outline_to_bitmap(ASS_Renderer *render_priv, return NULL; } + if (bord < 0 || bord > INT_MAX / 2) + return NULL; + if (rst->x_min >= rst->x_max || rst->y_min >= rst->y_max) { Bitmap *bm = alloc_bitmap(2 * bord, 2 * bord); if (!bm) @@ -295,6 +298,9 @@ Bitmap *outline_to_bitmap(ASS_Renderer *render_priv, return bm; } + if (rst->x_max > INT_MAX - 63 || rst->y_max > INT_MAX - 63) + return NULL; + int x_min = rst->x_min >> 6; int y_min = rst->y_min >> 6; int x_max = (rst->x_max + 63) >> 6; @@ -302,13 +308,15 @@ Bitmap *outline_to_bitmap(ASS_Renderer *render_priv, int w = x_max - x_min; int h = y_max - y_min; - if (w < 0 || h < 0 || w > 8000000 / FFMAX(h, 1)) { + int mask = (1 << rst->tile_order) - 1; + + if (w < 0 || h < 0 || w > 8000000 / FFMAX(h, 1) || + w > INT_MAX - (2 * bord + mask) || h > INT_MAX - (2 * bord + mask)) { ass_msg(render_priv->library, MSGL_WARN, "Glyph bounding box too large: %dx%dpx", w, h); return NULL; } - int mask = (1 << rst->tile_order) - 1; int tile_w = (w + 2 * bord + mask) & ~mask; int tile_h = (h + 2 * bord + mask) & ~mask; Bitmap *bm = alloc_bitmap(tile_w, tile_h); @@ -358,6 +366,8 @@ Bitmap *outline_to_bitmap(ASS_Renderer *render_priv, bbox.xMin &= ~63; bbox.yMin &= ~63; FT_Outline_Translate(outline, -bbox.xMin, -bbox.yMin); + if (bbox.xMax > INT_MAX - 63 || bbox.yMax > INT_MAX - 63) + return NULL; // bitmap size bbox.xMax = (bbox.xMax + 63) & ~63; bbox.yMax = (bbox.yMax + 63) & ~63; @@ -367,7 +377,8 @@ Bitmap *outline_to_bitmap(ASS_Renderer *render_priv, bbox.xMin >>= 6; bbox.yMax >>= 6; - if (w < 0 || h < 0 || w > 8000000 / FFMAX(h, 1)) { + if (w < 0 || h < 0 || w > 8000000 / FFMAX(h, 1) || + w > INT_MAX - 2 * bord || h > INT_MAX - 2 * bord) { ass_msg(render_priv->library, MSGL_WARN, "Glyph bounding box too large: %dx%dpx", w, h); return NULL; @@ -668,7 +679,7 @@ int outline_to_bitmap3(ASS_Renderer *render_priv, FT_Outline *outline, FT_Outlin { blur_radius *= 2; int bbord = be > 0 ? sqrt(2 * be) : 0; - int gbord = blur_radius > 0.0 ? blur_radius + 1 : 0; + int gbord = blur_radius > 0.0 ? FFMAX(blur_radius + 1, INT_MAX) : 0; int bord = FFMAX(bbord, gbord); if (bord == 0 && (shadow_offset.x || shadow_offset.y)) bord = 1; |