From 2fe3ce09af3a4e399f3758fe15fc946c0fa5ef50 Mon Sep 17 00:00:00 2001 From: wm4 Date: Fri, 14 Nov 2014 01:45:09 +0100 Subject: Fix the bug Commit 8536eaa was slightly broken: for some incomprehensible reason, (w + 1) memory instead of w is needed. The missing space could lead to memory corruption and crashes.
---
 libass/ass_bitmap.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'libass')
diff --git a/libass/ass_bitmap.c b/libass/ass_bitmap.c
index 2955b9f..aadce59 100644
--- a/libass/ass_bitmap.c
+++ b/libass/ass_bitmap.c
@@ -124,9 +124,9 @@ static bool generate_tables(ASS_SynthPriv *priv, double radius)
 static bool resize_tmp(ASS_SynthPriv *priv, int w, int h)
 {
- if (w > SIZE_MAX / sizeof(unsigned) / h)
+ if ((w - 1) > SIZE_MAX / sizeof(unsigned) / h)
 return false;
- size_t needed = sizeof(unsigned) * w * h;
+ size_t needed = sizeof(unsigned) * (w + 1) * h;
 if (priv->tmp && priv->tmp_allocated >= needed)
 return true;
 if (needed >= SIZE_MAX / 2)
-- cgit v1.2.3
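Review bot: The overflow guard at the top of resize_tmp now tests `(w - 1)` while the size computed two lines below multiplies by `(w + 1)`, so the check is looser than the product it is meant to protect and `needed` can still wrap for a width near the limit. The guard should bound the same factor that is multiplied and reject degenerate dimensions first, e.g. `if (w < 0 || h <= 0 || w >= INT_MAX || (size_t)(w + 1) > SIZE_MAX / sizeof(unsigned) / h) return false;`. As written, `h == 0` divides by zero in the guard, and a negative `w` or `h` is converted to a large size_t in both the comparison and the multiplication; whether callers can pass such values is not visible here. Since the commit message calls the extra column unexplained, a short comment on the `needed` line naming which consumer of `priv->tmp` writes the `w + 1`-th element would keep the padding from being removed again. The body of resize_tmp continues past the end of the hunk.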