From 26855a4ad9e74449a80ac1acb99b605ff745eda3 Mon Sep 17 00:00:00 2001
From: Oneric
Date: Sun, 11 Oct 2020 16:31:20 +0200
Subject: API: make ass_alloc_{style,event} alloc-fail safe

Also deal with potential overflows of style and event count.
Since these fields are ints part ofthe public API, but will be cast to size_t in ASS_REALLOC_ARRAY use the smaller of both limits.
---
 libass/ass.c | 26 ++++++++++++++------------
 libass/ass.h | 4 ++--
 2 files changed, 16 insertions(+), 14 deletions(-)
(limited to 'libass')

diff --git a/libass/ass.c b/libass/ass.c
index 137b8ae..638d86c 100644
--- a/libass/ass.c
+++ b/libass/ass.c
@@ -96,7 +96,7 @@ void ass_free_track(ASS_Track *track)
 
 /// \brief Allocate a new style struct
 /// \param track track
-/// \return style id
+/// \return style id or negative value on failure
 int ass_alloc_style(ASS_Track *track)
 {
     int sid;
@@ -104,11 +104,12 @@ int ass_alloc_style(ASS_Track *track)
     assert(track->n_styles <= track->max_styles);
 
     if (track->n_styles == track->max_styles) {
-        track->max_styles += ASS_STYLES_ALLOC;
-        track->styles =
-            (ASS_Style *) realloc(track->styles,
-                                  sizeof(ASS_Style) *
-                                  track->max_styles);
+        if (track->max_styles >= FFMIN(SIZE_MAX, INT_MAX) - ASS_STYLES_ALLOC)
+            return -1;
+        int new_max = track->max_styles + ASS_STYLES_ALLOC;
+        if (!ASS_REALLOC_ARRAY(track->styles, new_max))
+            return -1;
+        track->max_styles = new_max;
     }
 
     sid = track->n_styles++;
@@ -118,7 +119,7 @@ int ass_alloc_style(ASS_Track *track)
 
 /// \brief Allocate a new event struct
 /// \param track track
-/// \return event id
+/// \return event id or negative value on failure
 int ass_alloc_event(ASS_Track *track)
 {
     int eid;
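Review bot: The failure path of the new `if (!ASS_REALLOC_ARRAY(track->styles, new_max)) return -1;` in the @@ -104 hunk can leave the track inconsistent: the macro's definition is not in this patch, but since the hunk relies on it to store the new pointer, it evidently assigns through its first argument, so a failed realloc overwrites track->styles with NULL while n_styles still counts entries in the old, now-leaked array and any later indexing of track->styles dereferences NULL. Grow through a temporary and commit the pointer only on success, e.g. `ASS_Style *tmp = track->styles; if (!ASS_REALLOC_ARRAY(tmp, new_max)) return -1; track->styles = tmp;` before `track->max_styles = new_max;`. The same pattern and fix apply to the ass_alloc_event hunk at @@ -126 with track->events. The overflow guards themselves look correct: a max_styles below FFMIN(SIZE_MAX, INT_MAX) - ASS_STYLES_ALLOC keeps the sum within int, and a max_events below FFMIN(SIZE_MAX, INT_MAX) / 2 keeps `max_events * 2 + 1` within int.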
@@ -126,11 +127,12 @@ int ass_alloc_event(ASS_Track *track)
     assert(track->n_events <= track->max_events);
 
     if (track->n_events == track->max_events) {
-        track->max_events = track->max_events * 2 + 1;
-        track->events =
-            (ASS_Event *) realloc(track->events,
-                                  sizeof(ASS_Event) *
-                                  track->max_events);
+        if (track->max_events >= FFMIN(SIZE_MAX, INT_MAX) / 2)
+            return -1;
+        int new_max = track->max_events * 2 + 1;
+        if (!ASS_REALLOC_ARRAY(track->events, new_max))
+            return -1;
+        track->max_events = new_max;
     }
 
     eid = track->n_events++;
diff --git a/libass/ass.h b/libass/ass.h
index 582af83..bd787f2 100644
--- a/libass/ass.h
+++ b/libass/ass.h
@@ -580,14 +580,14 @@ void ass_free_track(ASS_Track *track);
 
 /**
  * \brief Allocate new style.
  * \param track track
- * \return newly allocated style id
+ * \return newly allocated style id >= 0, or a value < 0 on failure
  */
 int ass_alloc_style(ASS_Track *track);
 
 /**
  * \brief Allocate new event.
  * \param track track
- * \return newly allocated event id
+ * \return newly allocated event id >= 0, or a value < 0 on failure
  */
 int ass_alloc_event(ASS_Track *track);
-- 
cgit v1.2.3
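Review bot: The new `\return` lines in the ass.h hunk tell a public-API caller that a value < 0 means failure but not what can fail or what state the track is in afterwards, which is what a caller needs to choose between skipping the style/event and tearing the track down. From the ass.c hunks the causes are an allocation failure and the style/event count reaching the FFMIN(SIZE_MAX, INT_MAX) limit; I would add a line to each comment such as `* Fails (< 0) on allocation failure or when the count limit is reached.` and a statement of whether existing styles/events and counts remain valid after a failure, matching whatever ass_alloc_style/ass_alloc_event actually guarantee.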