From 04b51c2d70efda779adff96b4eea82c46682565b Mon Sep 17 00:00:00 2001
From: wm4 <wm4@nowhere>
Date: Mon, 3 Mar 2014 15:52:54 +0100
Subject: Don't crash on \fscx0

Freetype can return a bounding box with all fields set to INT_MIN if an
outline with all points set to 0 is used. This can happen e.g. with
\fscx0, but also in more complicated cases. (In the original crashing
sample, this was probably caused in combination with an embedded font.)

Such a bounding box causes libass to crash, because it will enlarge the
combined bitmap bounding box to a ridiculous size.

Just skip outlines that have en empty bounding box. This is probably
the correct thing to do, and won't pass INT_MAX down to other parts
of libass.
---
 libass/ass_bitmap.c | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'libass/ass_bitmap.c')

diff --git a/libass/ass_bitmap.c b/libass/ass_bitmap.c
index 144c8c0..98c8d74 100644
--- a/libass/ass_bitmap.c
+++ b/libass/ass_bitmap.c
@@ -166,6 +166,9 @@ Bitmap *outline_to_bitmap(ASS_Library *library, FT_Library ftlib,
     FT_Bitmap bitmap;
 
     FT_Outline_Get_CBox(outline, &bbox);
+    if (bbox.xMin == bbox.xMax || bbox.yMin == bbox.yMax)
+        return NULL;
+
     // move glyph to origin (0, 0)
     bbox.xMin &= ~63;
     bbox.yMin &= ~63;
-- 
cgit v1.2.3