ass_bitmap: fix potential NULL deref

Another consequence of the trickiness in this code. This codepath for
opaque_box=1 assumes both bm_o and bm_g are set, but if memory
allocation fails somewhere, bm_o could be non-NULL, but bm_g NULL, which
then would result in a crash when accessing bm_g.

Possibly this code could be cleaned up to look much nicer (and not have
dozens of hidden, obscure bugs), but for now this fixes the potential
crash found by Coverity.

Fixes CID 146125.

diff --git a/libass/ass_bitmap.c b/libass/ass_bitmap.c
index 230c49efabffc222ad6b81094bd1c1f1e738efac..f2480c87231e05baed38c0971f3dfe87690510d1 100644 (file)
--- a/libass/ass_bitmap.c
+++ b/libass/ass_bitmap.c
@@ -60,12 +60,16 @@
 void ass_synth_blur(const BitmapEngine *engine, int opaque_box, int be,
                     double blur_radius, Bitmap *bm_g, Bitmap *bm_o)
 {
+    bool blur_g = !bm_o || opaque_box;
+    if (blur_g && !bm_g)
+        return;
+
     // Apply gaussian blur
     double r2 = blur_radius * blur_radius / log(256);
     if (r2 > 0.001) {
         if (bm_o)
             ass_gaussian_blur(engine, bm_o, r2);
-        if (!bm_o || opaque_box)
+        if (blur_g)
             ass_gaussian_blur(engine, bm_g, r2);
     }
 
@@ -74,7 +78,7 @@ void ass_synth_blur(const BitmapEngine *engine, int opaque_box, int be,
         size_t size_o = 0, size_g = 0;
         if (bm_o)
             size_o = sizeof(uint16_t) * bm_o->stride * 2;
-        if (!bm_o || opaque_box)
+        if (blur_g)
             size_g = sizeof(uint16_t) * bm_g->stride * 2;
         size_t size = FFMAX(size_o, size_g);
         uint16_t *tmp = size ? ass_aligned_alloc(32, size) : NULL;
@@ -99,7 +103,7 @@ void ass_synth_blur(const BitmapEngine *engine, int opaque_box, int be,
                 engine->be_blur(buf, w, h, stride, tmp);
             }
         }
-        if (!bm_o || opaque_box) {
+        if (blur_g) {
             unsigned passes = be;
             unsigned w = bm_g->w;
             unsigned h = bm_g->h;