From: wm4
Date: Mon, 7 Sep 2015 11:43:00 +0000 (+0200)
Subject: ass_bitmap: fix potential NULL deref
X-Git-Tag: 0.13.0~20
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=334e84893da668b353ae139858a263d65f4f788e;p=libass

ass_bitmap: fix potential NULL deref

Another consequence of the trickiness in this code. This codepath for opaque_box=1 assumes both bm_o and bm_g are set, but if memory allocation fails somewhere, bm_o could be non-NULL, but bm_g NULL, which then would result in a crash when accessing bm_g. Possibly this code could be cleaned up to look much nicer (and not have dozens of hidden, obscure bugs), but for now this fixes the potential crash found by Coverity. Fixes CID 146125.
---
diff --git a/libass/ass_bitmap.c b/libass/ass_bitmap.c
index 230c49e..f2480c8 100644
--- a/libass/ass_bitmap.c
+++ b/libass/ass_bitmap.c
@@ -60,12 +60,16 @@ void ass_synth_blur(const BitmapEngine *engine, int opaque_box, int be,
                     double blur_radius, Bitmap *bm_g, Bitmap *bm_o)
 {
+    bool blur_g = !bm_o || opaque_box;
+    if (blur_g && !bm_g)
+        return;
+
     // Apply gaussian blur
     double r2 = blur_radius * blur_radius / log(256);
     if (r2 > 0.001) {
         if (bm_o)
             ass_gaussian_blur(engine, bm_o, r2);
-        if (!bm_o || opaque_box)
+        if (blur_g)
             ass_gaussian_blur(engine, bm_g, r2);
     }
@@ -74,7 +78,7 @@ void ass_synth_blur(const BitmapEngine *engine, int opaque_box, int be,
     size_t size_o = 0, size_g = 0;
     if (bm_o)
         size_o = sizeof(uint16_t) * bm_o->stride * 2;
-    if (!bm_o || opaque_box)
+    if (blur_g)
         size_g = sizeof(uint16_t) * bm_g->stride * 2;
     size_t size = FFMAX(size_o, size_g);
     uint16_t *tmp = size ? ass_aligned_alloc(32, size) : NULL;
@@ -99,7 +103,7 @@ void ass_synth_blur(const BitmapEngine *engine, int opaque_box, int be,
             engine->be_blur(buf, w, h, stride, tmp);
         }
     }
-    if (!bm_o || opaque_box) {
+    if (blur_g) {
         unsigned passes = be;
         unsigned w = bm_g->w;
         unsigned h = bm_g->h;
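Review bot: The new early return in the first hunk (`if (blur_g && !bm_g) return;`) silently skips blurring bm_o as well, even though bm_o may be a valid bitmap that would otherwise have been processed, and since ass_synth_blur is void the caller cannot tell that nothing was applied. That is acceptable as a crash guard, but the precondition it encodes is not stated anywhere in the function; I would add a comment above the guard such as `// bm_g is required whenever the glyph itself is blurred (no outline, or opaque_box); a NULL bm_g here means an earlier allocation failed, so bail out instead of dereferencing it — the caller is expected to notice the failed allocation itself.` The new `bool` also assumes <stdbool.h> (or an equivalent) is already in scope for this file; the hunk does not show the includes, so this is worth confirming. The function body continues past the last hunk, so any later use of bm_g under `if (blur_g)` is covered by the same guard.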