From 85c8c6d7be14cc2602b92ec715834b9c1069a325 Mon Sep 17 00:00:00 2001
From: Oneric
Date: Sat, 16 Apr 2022 00:10:11 +0200
Subject: parse: avoid UB on double to integer casts

Casting floating point values to an integer type is undefined behaviour if it's not a regular number or the integral part cannot be represented in the integer type. This fixes issues found by UBSAN in libass' public OSS-Fuzz corpus where NAN ("be") or a too large value ("k") was casted to int. Sample IDs (one instance each there are duplicates): OSSFuzz-3617a28ea3900c2603059049ce4c70c01a535a3e OSSFuzz-292a3032ea273cc9dbaaa0a4291dd84e0cc07c65
---
 libass/ass_parse.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libass/ass_parse.c b/libass/ass_parse.c
index b566313..9dc59f3 100644
--- a/libass/ass_parse.c
+++ b/libass/ass_parse.c
@@ -768,10 +768,10 @@ char *parse_tags(ASS_Renderer *render_priv, char *p, char *end, double pwr,
     } else if (tag("be")) {
         double dval;
         if (nargs) {
-            int val;
+            int32_t val;
             dval = argtod(*args);
             // VSFilter always adds +0.5, even if the value is negative
-            val = (int) (render_priv->state.be * (1 - pwr) + dval * pwr + 0.5);
+            val = dtoi32(render_priv->state.be * (1 - pwr) + dval * pwr + 0.5);
             // Clamp to a safe upper limit, since high values need excessive CPU
             val = (val < 0) ? 0 : val;
             val = (val > MAX_BE) ? MAX_BE : val;
@@ -816,7 +816,7 @@ char *parse_tags(ASS_Renderer *render_priv, char *p, char *end, double pwr,
             if (render_priv->state.effect_timing)
                 render_priv->state.effect_skip_timing +=
                     render_priv->state.effect_timing;
-            render_priv->state.effect_timing = val * 10;
+            render_priv->state.effect_timing = dtoi32(val * 10);
         } else if (tag("shad")) {
             double val, xval, yval;
             if (nargs) {
--
cgit v1.2.3
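Review bot: The result for NaN and out-of-range `\be` arguments now depends on whatever fallback `dtoi32` chooses, and that helper is not part of this hunk; if it maps such inputs to 0 rather than saturating, a huge positive blur value silently becomes "no blur" instead of hitting the `MAX_BE` clamp two lines below, which is the opposite of what the existing clamp intends. Clamping in floating point before the conversion makes the outcome independent of the helper's policy and keeps the conversion trivially in range: `double bval = render_priv->state.be * (1 - pwr) + dval * pwr + 0.5;` then `val = !(bval > 0) ? 0 : (bval > MAX_BE) ? MAX_BE : (int32_t) bval;` (the `!(bval > 0)` form also catches NaN), and the two existing clamp lines can go. Whichever policy is kept, a one-line comment such as `// dtoi32: NaN / out-of-range inputs yield <policy>, so the clamp below sees a defined value` next to the call would save the next reader a trip to the helper. `parse_tags` begins and ends outside this hunk.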
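Review bot: The accumulation `effect_skip_timing += effect_timing` three lines above the changed line is still an unchecked integer addition, so a line with repeated `\k` tags whose values land near the top of the 32-bit range can overflow the running sum; if those fields are `int` or `int32_t` (their declarations are not in the hunk) that is the same class of signed-overflow UB this commit sets out to remove, and fuzzed input can reach it just as easily as the single too-large value the commit message cites. Converting `val * 10` through `dtoi32` bounds each term but not the sum. A saturating add would close it, e.g. `int64_t sum = (int64_t) render_priv->state.effect_skip_timing + render_priv->state.effect_timing;` followed by `render_priv->state.effect_skip_timing = sum > INT32_MAX ? INT32_MAX : sum < INT32_MIN ? INT32_MIN : (int32_t) sum;`. The `\k` branch and `parse_tags` both start outside this hunk, so the type of `val` (presumably `double`, given the conversion) should be confirmed there.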