author | Oneric <oneric@oneric.stub> | 2022-01-22 18:23:49 +0100 |
---|---|---|
committer | Oneric <oneric@oneric.stub> | 2022-08-19 19:16:40 +0200 |
commit | a48c98c274df25cc8d60cac1402948387d49840c (patch) | |
tree | a60b66aed600acc06cd617dc884c645e1882bdd4 /libass | |
parent | 7cb7d0279f069dffe2a14a7088fae31d95caa4d5 (diff) | |
wrap_lines: fix unsafe reallocation
Previously the multiplication of max_lines by two could overflow, the
multiplication of the new max_lines by the member size could overflow,
and whether the reallocation was successful was not checked, making UB like
signed overflow, out-of-bounds reads and null-pointer access possible.
Diffstat (limited to 'libass')
-rw-r--r-- | libass/ass_render.c | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/libass/ass_render.c b/libass/ass_render.c
index eb1e526..9723d20 100644
--- a/libass/ass_render.c
+++ b/libass/ass_render.c
@@ -1685,11 +1685,18 @@ wrap_lines_naive(ASS_Renderer *render_priv, double max_text_width, char *unibrks
 // marking break_at+1 as start of a new line
 int lead = break_at + 1; // the first symbol of the new line
 if (text_info->n_lines >= text_info->max_lines) {
- // Raise maximum number of lines
- text_info->max_lines *= 2;
- text_info->lines = realloc(text_info->lines,
- sizeof(LineInfo) *
- text_info->max_lines);
+ // Try to raise the maximum number of lines
+ bool success = false;
+ if (text_info->max_lines <= INT_MAX / 2) {
+ text_info->max_lines *= 2;
+ success = ASS_REALLOC_ARRAY(text_info->lines, text_info->max_lines);
+ }
+ // If realloc fails it's screwed and due to error-info not propagating (FIXME),
+ // the best we can do is to avoid UB by discarding the previous break
+ if (!success) {
+ s1->linebreak = 0;
+ text_info->n_lines--;
+ }
 }
 if (lead < text_info->length) {
 text_info->glyphs[lead].linebreak = break_type; |
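Review bot: `text_info->max_lines` is doubled before the reallocation is attempted and is never restored when `ASS_REALLOC_ARRAY` fails, so on the failure path `max_lines` over-reports the capacity of `text_info->lines` while `n_lines` is merely decremented; any later code that trusts `n_lines < max_lines` as a bounds check (presumably wherever `lines[n_lines]` is filled, outside this hunk) can then write past the old allocation, which is the class of bug the commit sets out to close. This assumes the macro leaves the old pointer and size untouched on failure, which its definition is not visible here to confirm. Only commit the new capacity once the reallocation has succeeded: `success = ASS_REALLOC_ARRAY(text_info->lines, text_info->max_lines * 2);` followed by `if (success) text_info->max_lines *= 2;` inside the existing `INT_MAX / 2` guard. The enclosing wrap_lines_naive starts before and continues after the hunk, so the write site into `lines` cannot be checked from this view.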