authorwm4 <wm4@nowhere>2015-09-07 13:43:00 +0200
committerwm4 <wm4@nowhere>2015-09-07 13:55:57 +0200
commit334e84893da668b353ae139858a263d65f4f788e (patch)
tree737bbbaeb7e905615e1789f5af701ee636147e83 /libass
parent6bfcc29f458e597a323f26f30417e057a917cbe6 (diff)
ass_bitmap: fix potential NULL deref
Another consequence of the trickiness in this code. This codepath for opaque_box=1 assumes both bm_o and bm_g are set, but if memory allocation fails somewhere, bm_o could be non-NULL, but bm_g NULL, which then would result in a crash when accessing bm_g. Possibly this code could be cleaned up to look much nicer (and not have dozens of hidden, obscure bugs), but for now this fixes the potential crash found by Coverity. Fixes CID 146125.
Diffstat (limited to 'libass')
-rw-r--r--libass/ass_bitmap.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/libass/ass_bitmap.c b/libass/ass_bitmap.c
index 230c49e..f2480c8 100644
--- a/libass/ass_bitmap.c
+++ b/libass/ass_bitmap.c
@@ -60,12 +60,16 @@
void ass_synth_blur(const BitmapEngine *engine, int opaque_box, int be,
double blur_radius, Bitmap *bm_g, Bitmap *bm_o)
{
+ bool blur_g = !bm_o || opaque_box;
+ if (blur_g && !bm_g)
+ return;
+
// Apply gaussian blur
double r2 = blur_radius * blur_radius / log(256);
if (r2 > 0.001) {
if (bm_o)
ass_gaussian_blur(engine, bm_o, r2);
- if (!bm_o || opaque_box)
+ if (blur_g)
ass_gaussian_blur(engine, bm_g, r2);
}
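Review bot: The new guard at the top of ass_synth_blur returns before the `if (bm_o) ass_gaussian_blur(engine, bm_o, r2);` branch, so when bm_g is NULL after a failed allocation the outline bitmap is left unblurred too and the caller gets no indication. That avoids the NULL dereference of bm_g safely, but the silent skip deserves a comment above the check, for example `/* bm_g is dereferenced whenever blur_g is set; it may be NULL after an allocation failure, so skip all blurring */`. The later `if (blur_g)` sites in the hunks at -74 and -99 depend on this early return and on bm_g not being reassigned in between, which cannot be confirmed from the visible lines. The function body continues outside this hunk.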
@@ -74,7 +78,7 @@ void ass_synth_blur(const BitmapEngine *engine, int opaque_box, int be,
size_t size_o = 0, size_g = 0;
if (bm_o)
size_o = sizeof(uint16_t) * bm_o->stride * 2;
- if (!bm_o || opaque_box)
+ if (blur_g)
size_g = sizeof(uint16_t) * bm_g->stride * 2;
size_t size = FFMAX(size_o, size_g);
uint16_t *tmp = size ? ass_aligned_alloc(32, size) : NULL;
@@ -99,7 +103,7 @@ void ass_synth_blur(const BitmapEngine *engine, int opaque_box, int be,
engine->be_blur(buf, w, h, stride, tmp);
}
}
- if (!bm_o || opaque_box) {
+ if (blur_g) {
unsigned passes = be;
unsigned w = bm_g->w;
unsigned h = bm_g->h;