Don't crash on \fscx0

Freetype can return a bounding box with all fields set to INT_MIN if an
outline with all points set to 0 is used. This can happen e.g. with
\fscx0, but also in more complicated cases. (In the original crashing
sample, this was probably caused in combination with an embedded font.)

Such a bounding box causes libass to crash, because it will enlarge the
combined bitmap bounding box to a ridiculous size.

Just skip outlines that have en empty bounding box. This is probably
the correct thing to do, and won't pass INT_MAX down to other parts
of libass.

diff --git a/libass/ass_bitmap.c b/libass/ass_bitmap.c
index 144c8c02636871872850c3b4d302865d5bae69e0..98c8d744357fdb582a0e9d2194fc161e2604577f 100644 (file)
--- a/libass/ass_bitmap.c
+++ b/libass/ass_bitmap.c
@@ -166,6 +166,9 @@ Bitmap *outline_to_bitmap(ASS_Library *library, FT_Library ftlib,
     FT_Bitmap bitmap;
 
     FT_Outline_Get_CBox(outline, &bbox);
+    if (bbox.xMin == bbox.xMax || bbox.yMin == bbox.yMax)
+        return NULL;
+
     // move glyph to origin (0, 0)
     bbox.xMin &= ~63;
     bbox.yMin &= ~63;