renderer: fix incorrect deallocation

shift_event() can change "bitmap" field of ASS_Image struct
so direct deallocation is no longer possible.
This commit introduces additional field "buffer"
into ASS_ImagePriv for that purpose.

Fixes https://github.com/libass/libass/issues/310.

diff --git a/libass/ass_render.c b/libass/ass_render.c
index 0c4d20413c5119c0b47ce3fefea851fa3e0f79e3..45f3be69fd31ad20c0e387340a4b1c1103cec793 100644 (file)
--- a/libass/ass_render.c
+++ b/libass/ass_render.c
@@ -179,6 +179,7 @@ static ASS_Image *my_draw_bitmap(unsigned char *bitmap, int bitmap_w,
 
     img->source = source;
     ass_cache_inc_ref(source);
+    img->buffer = source ? NULL : bitmap;
     img->ref_count = 0;
 
     return &img->result;
@@ -754,8 +755,8 @@ static void blend_vector_clip(ASS_Renderer *render_priv, ASS_Image *head)
             cur->stride = ns;
         }
 
-        cur->bitmap = nbuffer;
         ASS_ImagePriv *priv = (ASS_ImagePriv *) cur;
+        priv->buffer = cur->bitmap = nbuffer;
         ass_cache_dec_ref(priv->source);
         priv->source = NULL;
     }
@@ -3138,10 +3139,8 @@ void ass_frame_unref(ASS_Image *img)
     do {
         ASS_ImagePriv *priv = (ASS_ImagePriv *) img;
         img = img->next;
-        if (priv->source)
-            ass_cache_dec_ref(priv->source);
-        else
-            ass_aligned_free(priv->result.bitmap);
+        ass_cache_dec_ref(priv->source);
+        ass_aligned_free(priv->buffer);
         free(priv);
     } while (img);
 }

diff --git a/libass/ass_render.h b/libass/ass_render.h
index e654a94d880639d933ce9aa19c34cea1418f6a54..4558575727105bb16dc8de04ce7b1e37bb48632a 100644 (file)
--- a/libass/ass_render.h
+++ b/libass/ass_render.h
@@ -52,6 +52,7 @@
 typedef struct {
     ASS_Image result;
     CompositeHashValue *source;
+    unsigned char *buffer;
     size_t ref_count;
 } ASS_ImagePriv;