author | eugeni <eugeni@b3059339-0415-0410-9bf9-f77b7e298cf2> | 2009-07-18 11:32:58 +0000 |
---|---|---|
committer | eugeni <eugeni@b3059339-0415-0410-9bf9-f77b7e298cf2> | 2009-07-18 11:32:58 +0000 |
commit | 9dc9f1a77ddc29524d9e0a91649f20a0e054896e (patch) | |
tree | 6d4aade4e437ba7a5a0acc5ed3c70baeac481160 /libass | |
parent | b96296d6afadb73d8e79a8310770f99868eacd38 (diff) | |
Fix read after the end of allocated buffer.
git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@29423 b3059339-0415-0410-9bf9-f77b7e298cf2
Diffstat (limited to 'libass')
-rw-r--r-- | libass/ass.h | 2 | ||||
-rw-r--r-- | libass/ass_render.c | 23 |
2 files changed, 19 insertions, 6 deletions
diff --git a/libass/ass.h b/libass/ass.h
index e98b4264b7..12f16fef5d 100644
--- a/libass/ass.h
+++ b/libass/ass.h
@@ -34,6 +34,8 @@ typedef struct ass_image_s {
 int w, h; // bitmap width/height
 int stride; // bitmap stride
 unsigned char* bitmap; // 1bpp stride*h alpha buffer
+ // Actual bitmap size may be as low as
+ // stride * (h-1) + w
 uint32_t color; // RGBA
 int dst_x, dst_y; // bitmap placement inside the video frame
diff --git a/libass/ass_render.c b/libass/ass_render.c
index f13f76661e..ae54a0f1bc 100644
--- a/libass/ass_render.c
+++ b/libass/ass_render.c
@@ -408,6 +408,21 @@ static ass_image_t** render_glyph(bitmap_t* bm, int dst_x, int dst_y, uint32_t c
 }
 /**
+ * \brief Replaces the bitmap buffer in ass_image_t with its copy.
+ *
+ * @param img Image to operate on.
+ * @return Address of the old buffer.
+ */
+static unsigned char* clone_bitmap_data(ass_image_t* img)
+{
+ unsigned char* old_bitmap = img->bitmap;
+ int size = img->stride * (img->h - 1) + img->w;
+ img->bitmap = malloc(size);
+ memcpy(img->bitmap, old_bitmap, size);
+ return old_bitmap;
+}
+
+/**
 * \brief Calculate overlapping area of two consecutive bitmaps and in case they
 * overlap, composite them together
 * Mainly useful for translucent glyphs and especially borders, to avoid the
@@ -474,12 +489,8 @@ static void render_overlap(ass_image_t** last_tail, ass_image_t** tail, bitmap_h
 }
 // Allocate new bitmaps and copy over data
- a = (*last_tail)->bitmap;
- b = (*tail)->bitmap;
- (*last_tail)->bitmap = malloc(as*ah);
- (*tail)->bitmap = malloc(bs*bh);
- memcpy((*last_tail)->bitmap, a, as*ah);
- memcpy((*tail)->bitmap, b, bs*bh);
+ a = clone_bitmap_data(*last_tail);
+ b = clone_bitmap_data(*tail);
 // Composite overlapping area
 for (y=0; y<h; y++) |
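Review bot: clone_bitmap_data() in the second hunk hands the result of `malloc(size)` straight to `memcpy` with no NULL check, and it computes `size` as an `int` from `stride`, `h` and `w` without validating them. If `h` is 0 the expression reduces to `w - stride`, which may be negative and would then convert to a very large `size_t` in both calls, and large dimensions could overflow the `int` multiplication. I would validate the dimensions, compute the size as `size_t`, and replace `img->bitmap` only once the copy exists, returning NULL otherwise. The two call sites in the third hunk (`a = clone_bitmap_data(*last_tail);` and `b = clone_bitmap_data(*tail);`) would then need a NULL test before the compositing loop; render_overlap starts and ends outside that hunk, so any earlier guarantee of non-zero dimensions is not visible here.

```c
static unsigned char* clone_bitmap_data(ass_image_t* img)
{
    unsigned char* old_bitmap = img->bitmap;
    unsigned char* copy;
    size_t size;

    /* Reject degenerate images before doing size arithmetic. */
    if (img->h <= 0 || img->w <= 0 || img->stride <= 0)
        return NULL;
    /* Last row holds only w bytes, so the buffer may be shorter than stride * h. */
    size = (size_t)img->stride * (size_t)(img->h - 1) + (size_t)img->w;
    copy = malloc(size);
    if (!copy)
        return NULL;    /* img->bitmap is left untouched on failure */
    memcpy(copy, old_bitmap, size);
    img->bitmap = copy;
    return old_bitmap;
}
```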