diff options
| author | Oneric <oneric@oneric.stub> | 2022-04-24 23:35:08 +0200 |
|---|---|---|
| committer | Oneric <oneric@oneric.stub> | 2022-05-01 01:08:11 +0200 |
| commit | 8e80f49ba70d6f16d8f244a7f41dfeee98d416df (patch) | |
| tree | 2590e77c2a4e9a04417632d76de6e08830d8b5db /libass | |
| parent | 410f2527bdc5a58491ee38180ceb0e8215f79544 (diff) | |
| download | libass-8e80f49ba70d6f16d8f244a7f41dfeee98d416df.tar.bz2 libass-8e80f49ba70d6f16d8f244a7f41dfeee98d416df.tar.xz | |
render: avoid crash on negative Fontsize
Unlike for some other Style fields, VSFilters (and libass) do not clamp
negative Fontsize values to zero. Instead the value remains negative
throughout parsing and in rendering something close to the absolute
value is used. It is not exactly the absolute value, but a bit more than
it and the difference is larger than what would expected from different
rounding modes. I'm not sure when this reinterpretation of negative
values takes place. It's possible this happens not in VSFilters but GDI.
With \fs commands it is not possible to directly specify negative
fontsizes as \fs- and \fs+ already have a special different effect
altering the fontsize in relation to the current one (and here negative
values are discarded).
Apart from the VSFilter incompatibility, negative Fontsizes also crash
libass either by failing an assert or if those are disabled by a
stack-overflow. To fix the crashes and come closer to VSFilter take the
absolute value of the fontsize after all parsing is done. We cannot take
the absolute value earlier, because tags like \fs- and \fs+ need to work
with the original negative value to achieve VSFilter-like results.
The crashes were initially discovered by AFL++.
Samples:
assert-fail_id:000000,sig:06,src:000002,time:929185,execs:48480,op:arith8,pos:343,val:-4
fuzzer_w3:id:000248,sig:06,src:000288,time:2365972,execs:107653,op:havoc,rep:8
Fixes https://github.com/libass/libass/issues/610
Diffstat (limited to 'libass')
| -rw-r--r-- | libass/ass_render.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/libass/ass_render.c b/libass/ass_render.c index b0accb7..a8be31b 100644 --- a/libass/ass_render.c +++ b/libass/ass_render.c @@ -1991,7 +1991,7 @@ static bool parse_events(ASS_Renderer *render_priv, ASS_Event *event) info->effect_timing = render_priv->state.effect_timing; info->effect_skip_timing = render_priv->state.effect_skip_timing; info->font_size = - render_priv->state.font_size * render_priv->font_scale; + fabs(render_priv->state.font_size * render_priv->font_scale); info->be = render_priv->state.be; info->blur = render_priv->state.blur; info->shadow_x = render_priv->state.shadow_x; |