authorOneric <oneric@oneric.stub>2021-08-08 22:39:15 +0200
committerOneric <oneric@oneric.stub>2021-08-09 00:56:01 +0200
commit1daecf4e5c056da08fbd365cd8e7603b5af9b607 (patch)
treea27e5200f5b13468249c8025b21082444158143c /libass/ass_fontselect.c
parent729e48a1eb90bd56b4bb670ee9c8c3821ef12c45 (diff)
Fix UB introduced in the previous commit
The preceding commit 729e48a1eb90bd56b4bb670ee9c8c3821ef12c45 introduced the possibility of UB when one of the following is true: - the namelen calculation for a path wraps around to exactly zero, so that a NULL namebuf is passed to ass_msg and read_file - size_t is narrower than int and gets promoted to it, so that the namelen calculation results in a signed integer overflow To fix the former we check the namelen calculation for wrap-around and skip such overly long paths. To fix the latter we specify the constant as an unsigned integer, ensuring type promotion is done to the larger of size_t and unsigned, but never to signed int. Thanks to Oleg Oshmyan for noticing and helping to fix this.
Diffstat (limited to 'libass/ass_fontselect.c')
-rw-r--r--libass/ass_fontselect.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/libass/ass_fontselect.c b/libass/ass_fontselect.c
index 5ba526c..c99fb62 100644
--- a/libass/ass_fontselect.c
+++ b/libass/ass_fontselect.c
@@ -180,7 +180,9 @@ static void load_fonts_from_dir(ASS_Library *library, const char *dir)
break;
if (entry->d_name[0] == '.')
continue;
- size_t namelen = dirlen + strlen(entry->d_name) + 2;
+ size_t namelen = dirlen + strlen(entry->d_name) + 2u;
+ if (namelen < 2 || namelen - 2 < dirlen)
+ continue;
if (namelen > namemax) {
size_t newlen = FFMAX(2048, namelen + 256);
if (ASS_REALLOC_ARRAY(namebuf, newlen))
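Review bot: The wrap-around guard on the added line `if (namelen < 2 || namelen - 2 < dirlen)` is correct but relies on modular arithmetic the reader has to reconstruct, so it deserves a one-line comment such as `/* dirlen + strlen + 2 wrapped around: skip paths this long rather than pass a bogus namelen on */`. It also leaves one adjacent case open: for namelen above SIZE_MAX - 256 the `namelen + 256` in the sizing line that follows wraps, FFMAX then yields 2048, and namebuf ends up smaller than namelen; extending the guard to `if (namelen < 2 || namelen - 2 < dirlen || namelen > SIZE_MAX - 256) continue;` closes it at no cost (SIZE_MAX from <stdint.h>). Whether the undersized buffer is harmful depends on the formatting call after the hunk, which is presumably bounded by namemax, so this is a robustness point rather than a known bug; load_fonts_from_dir begins and ends outside this hunk.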