From 65207f1ce43242c4ec004b92fee4aef16b4c31ec Mon Sep 17 00:00:00 2001
From: wm4
Date: Fri, 14 Nov 2014 20:19:34 +0100
Subject: Check some allocations in strike-through code
---
 libass/ass_font.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/libass/ass_font.c b/libass/ass_font.c
index 6e2f400..69675c6 100644
--- a/libass/ass_font.c
+++ b/libass/ass_font.c
@@ -345,12 +345,17 @@ static int ass_strike_outline_glyph(FT_Face face, ASS_Font *font,
 // Grow outline
 i = (under ? 4 : 0) + (through ? 4 : 0);
- ol->points = realloc(ol->points, sizeof(FT_Vector) *
- (ol->n_points + i));
- ol->tags = realloc(ol->tags, ol->n_points + i);
+ if (ol->n_points > SHRT_MAX - i)
+ return 0;
+ if (!ASS_REALLOC_ARRAY(ol->points, ol->n_points + i))
+ return 0;
+ if (!ASS_REALLOC_ARRAY(ol->tags, ol->n_points + i))
+ return 0;
 i = !!under + !!through;
- ol->contours = realloc(ol->contours, sizeof(short) *
- (ol->n_contours + i));
+ if (ol->n_contours > SHRT_MAX - i)
+ return 0;
+ if (!ASS_REALLOC_ARRAY(ol->contours, ol->n_contours + i))
+ return 0;
 // If the bearing is negative, the glyph starts left of the current
 // pen position
-- 
cgit v1.2.3
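Review bot: The five new early exits all `return 0;`, and nothing in this hunk tells the caller that the strike-through was skipped because an allocation failed or a count would exceed `SHRT_MAX`; if 0 is also the value returned on success (the function's start and tail are outside the hunk), the failure is silent. Consider a distinct failure value or a log message on these paths, plus a short comment above the first guard such as `// outline counts are presumably stored as short; refuse to grow past SHRT_MAX`. The guards also depend on `ASS_REALLOC_ARRAY` leaving the original pointer intact when it fails; its definition is not shown here, so confirm that, because otherwise an early return would leave `ol->points`, `ol->tags` or `ol->contours` invalid while the counts are unchanged. `SHRT_MAX` needs `<limits.h>` and this patch adds no include, so check the header is included directly rather than transitively.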