Fix read after the end of allocated buffer.
authoreugeni <eugeni@b3059339-0415-0410-9bf9-f77b7e298cf2>
Sat, 18 Jul 2009 11:32:58 +0000 (11:32 +0000)
committereugeni <eugeni@b3059339-0415-0410-9bf9-f77b7e298cf2>
Sat, 18 Jul 2009 11:32:58 +0000 (11:32 +0000)
git-svn-id: svn://git.mplayerhq.hu/mplayer/trunk@29423 b3059339-0415-0410-9bf9-f77b7e298cf2

libass/ass.h
libass/ass_render.c

index e98b426..12f16fe 100644 (file)
@@ -34,6 +34,8 @@ typedef struct ass_image_s {
        int w, h; // bitmap width/height
        int stride; // bitmap stride
        unsigned char* bitmap; // 1bpp stride*h alpha buffer
+                              // Actual bitmap size may be as low as
+                              // stride * (h-1) + w
        uint32_t color; // RGBA
        int dst_x, dst_y; // bitmap placement inside the video frame
 
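Review bot: The unchanged first comment line on `bitmap` still reads "stride*h alpha buffer", which the two added lines contradict. A consumer who reads only that first line may copy `stride * h` bytes and run past the allocation. I would state the guarantee once, for example `unsigned char* bitmap; // alpha buffer; only stride*(h-1)+w bytes are guaranteed readable`, and add that the last row must be read as `w` bytes rather than `stride`. The struct definition continues outside this hunk.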
index f13f766..ae54a0f 100644 (file)
@@ -408,6 +408,21 @@ static ass_image_t** render_glyph(bitmap_t* bm, int dst_x, int dst_y, uint32_t c
 }
 
 /**
+ * \brief Replaces the bitmap buffer in ass_image_t with its copy.
+ *
+ * @param img Image to operate on.
+ * @return Address of the old buffer.
+ */
+static unsigned char* clone_bitmap_data(ass_image_t* img)
+{
+       unsigned char* old_bitmap = img->bitmap;
+       int size = img->stride * (img->h - 1) + img->w;
+       img->bitmap = malloc(size);
+       memcpy(img->bitmap, old_bitmap, size);
+       return old_bitmap;
+}
+
+/**
  * \brief Calculate overlapping area of two consecutive bitmaps and in case they
  * overlap, composite them together
  * Mainly useful for translucent glyphs and especially borders, to avoid the
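Review bot: clone_bitmap_data() hands the result of malloc() straight to memcpy() with no NULL check, so an allocation failure becomes a write through a null pointer. The size is also computed in `int`: with `h == 0` and `stride > w` the expression is negative and converts to a huge size_t, and large `stride`/`h` values can overflow; whether such images can reach this function is not visible in the hunk. I would validate the dimensions, compute the size in `size_t`, and replace `img->bitmap` only after the copy has succeeded, as in the fence below. The callers in render_overlap (`a = clone_bitmap_data(*last_tail);` and the matching `b` line) would then need to check for NULL before compositing.

```c
static unsigned char* clone_bitmap_data(ass_image_t* img)
{
	unsigned char* old_bitmap = img->bitmap;
	unsigned char* copy;
	size_t size;

	/* Reject degenerate geometry before doing size arithmetic. */
	if (!old_bitmap || img->w <= 0 || img->h <= 0 || img->stride < img->w)
		return NULL;
	if ((size_t)(img->h - 1) > (SIZE_MAX - (size_t)img->w) / (size_t)img->stride)
		return NULL;
	size = (size_t)img->stride * (size_t)(img->h - 1) + (size_t)img->w;

	copy = malloc(size);
	if (!copy)
		return NULL;	/* img->bitmap is left untouched on failure */
	memcpy(copy, old_bitmap, size);
	img->bitmap = copy;
	return old_bitmap;
}
```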
@@ -474,12 +489,8 @@ static void render_overlap(ass_image_t** last_tail, ass_image_t** tail, bitmap_h
        }
 
        // Allocate new bitmaps and copy over data
-       a = (*last_tail)->bitmap;
-       b = (*tail)->bitmap;
-       (*last_tail)->bitmap = malloc(as*ah);
-       (*tail)->bitmap = malloc(bs*bh);
-       memcpy((*last_tail)->bitmap, a, as*ah);
-       memcpy((*tail)->bitmap, b, bs*bh);
+       a = clone_bitmap_data(*last_tail);
+       b = clone_bitmap_data(*tail);
 
        // Composite overlapping area
        for (y=0; y<h; y++)