From 334e84893da668b353ae139858a263d65f4f788e Mon Sep 17 00:00:00 2001
From: wm4
Date: Mon, 7 Sep 2015 13:43:00 +0200
Subject: ass_bitmap: fix potential NULL deref

Another consequence of the trickiness in this code. This codepath for opaque_box=1 assumes both bm_o and bm_g are set, but if memory allocation fails somewhere, bm_o could be non-NULL, but bm_g NULL, which then would result in a crash when accessing bm_g.

Possibly this code could be cleaned up to look much nicer (and not have dozens of hidden, obscure bugs), but for now this fixes the potential crash found by Coverity.

Fixes CID 146125.
---
 libass/ass_bitmap.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

(limited to 'libass')

diff --git a/libass/ass_bitmap.c b/libass/ass_bitmap.c
index 230c49e..f2480c8 100644
--- a/libass/ass_bitmap.c
+++ b/libass/ass_bitmap.c
@@ -60,12 +60,16 @@ void ass_synth_blur(const BitmapEngine *engine, int opaque_box, int be,
                     double blur_radius, Bitmap *bm_g, Bitmap *bm_o)
 {
 
+    bool blur_g = !bm_o || opaque_box;
+    if (blur_g && !bm_g)
+        return;
+
     // Apply gaussian blur
     double r2 = blur_radius * blur_radius / log(256);
     if (r2 > 0.001) {
         if (bm_o)
             ass_gaussian_blur(engine, bm_o, r2);
-        if (!bm_o || opaque_box)
+        if (blur_g)
             ass_gaussian_blur(engine, bm_g, r2);
     }
 
@@ -74,7 +78,7 @@ void ass_synth_blur(const BitmapEngine *engine, int opaque_box, int be,
         size_t size_o = 0, size_g = 0;
         if (bm_o)
             size_o = sizeof(uint16_t) * bm_o->stride * 2;
-        if (!bm_o || opaque_box)
+        if (blur_g)
             size_g = sizeof(uint16_t) * bm_g->stride * 2;
         size_t size = FFMAX(size_o, size_g);
         uint16_t *tmp = size ? ass_aligned_alloc(32, size) : NULL;
@@ -99,7 +103,7 @@ void ass_synth_blur(const BitmapEngine *engine, int opaque_box, int be,
                     engine->be_blur(buf, w, h, stride, tmp);
                 }
             }
-            if (!bm_o || opaque_box) {
+            if (blur_g) {
                 unsigned passes = be;
                 unsigned w = bm_g->w;
                 unsigned h = bm_g->h;
-- 
cgit v1.2.3
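Review bot: The early return added at the top of ass_synth_blur turns the whole call into a silent no-op when bm_g is NULL, so a non-NULL bm_o is left unblurred as well and the void return gives the caller no signal; that is acceptable only if a NULL bm_g is already treated as a fatal allocation failure upstream, which cannot be confirmed from the hunk. I would document the precondition above the `bool blur_g` line: `// bm_g may be NULL only when the outline is blurred on its own (bm_o set, opaque_box == 0); otherwise an earlier allocation failed and the blur is skipped entirely.` It is also worth confirming that <stdbool.h> is already included, since this is the first use of `bool` visible here. The second and third hunks apply the same blur_g guard consistently, and the body of ass_synth_blur continues past the third hunk.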