From 7415cacb871fce6e81e847efa78d110aa2fae4fb Mon Sep 17 00:00:00 2001
From: Grigori Goronzy <greg@blackbox>
Date: Sun, 1 Aug 2010 22:23:25 +0200
Subject: Check vector clip mask bounding box size

Similar to regular glyphs, check the bounding box of the clip mask and
refrain from rendering humongous masks, which can take up considerably
memory.
---
 libass/ass_bitmap.c |  2 +-
 libass/ass_bitmap.h |  1 +
 libass/ass_render.c | 18 +++++++++++++-----
 3 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/libass/ass_bitmap.c b/libass/ass_bitmap.c
index 93f2aa8..9211a7c 100644
--- a/libass/ass_bitmap.c
+++ b/libass/ass_bitmap.c
@@ -165,7 +165,7 @@ static Bitmap *copy_bitmap(const Bitmap *src)
     return dst;
 }
 
-static int check_glyph_area(ASS_Library *library, FT_Glyph glyph)
+int check_glyph_area(ASS_Library *library, FT_Glyph glyph)
 {
     FT_BBox bbox;
     long long dx, dy;
diff --git a/libass/ass_bitmap.h b/libass/ass_bitmap.h
index 338db01..7a61118 100644
--- a/libass/ass_bitmap.h
+++ b/libass/ass_bitmap.h
@@ -53,5 +53,6 @@ int glyph_to_bitmap(ASS_Library *library, ASS_SynthPriv *priv_blur,
                     int border_style);
 
 void ass_free_bitmap(Bitmap *bm);
+int check_glyph_area(ASS_Library *library, FT_Glyph glyph);
 
 #endif                          /* LIBASS_BITMAP_H */
diff --git a/libass/ass_render.c b/libass/ass_render.c
index 663afe1..3e241c1 100644
--- a/libass/ass_render.c
+++ b/libass/ass_render.c
@@ -595,7 +595,7 @@ static void blend_vector_clip(ASS_Renderer *render_priv,
         if (!glyph) {
             ass_msg(render_priv->library, MSGL_WARN,
                     "Clip vector parsing failed. Skipping.");
-            goto blend_vector_exit;
+            goto blend_vector_error;
         }
 
         // We need to translate the clip according to screen borders
@@ -609,6 +609,13 @@ static void blend_vector_clip(ASS_Renderer *render_priv,
                                  trans.x, trans.y);
         }
 
+        // Check glyph bounding box size
+        if (check_glyph_area(render_priv->library, glyph)) {
+            FT_Done_Glyph(glyph);
+            glyph = 0;
+            goto blend_vector_error;
+        }
+
         ass_msg(render_priv->library, MSGL_DBG2,
                 "Parsed vector clip: scales (%f, %f) string [%s]\n",
                 drawing->scale_x, drawing->scale_y, drawing->text);
@@ -618,10 +625,11 @@ static void blend_vector_clip(ASS_Renderer *render_priv,
             ass_msg(render_priv->library, MSGL_WARN,
                 "Clip vector rasterization failed: %d. Skipping.", error);
             FT_Done_Glyph(glyph);
-            goto blend_vector_exit;
+            glyph = 0;
         }
+
+blend_vector_error:
         clip_bm = (FT_BitmapGlyph) glyph;
-        clip_bm->top = -clip_bm->top;
 
         // Add to cache
         memset(&v, 0, sizeof(v));
@@ -629,7 +637,7 @@ static void blend_vector_clip(ASS_Renderer *render_priv,
         cache_add_glyph(render_priv->cache.glyph_cache, &key, &v);
     }
 
-    assert(clip_bm->bitmap.pitch >= 0);
+    if (!clip_bm) goto blend_vector_exit;
 
     // Iterate through bitmaps and blend/clip them
     for (cur = head; cur; cur = cur->next) {
@@ -647,7 +655,7 @@ static void blend_vector_clip(ASS_Renderer *render_priv,
         ah = cur->h;
         as = cur->stride;
         bx = clip_bm->left;
-        by = clip_bm->top;
+        by = -clip_bm->top;
         bw = clip_bm->bitmap.width;
         bh = clip_bm->bitmap.rows;
         bs = clip_bm->bitmap.pitch;
-- 
cgit v1.2.3