From 373cb020aa96bf487d19ea3483db85fa22855ad0 Mon Sep 17 00:00:00 2001
From: wm4
Date: Mon, 7 Sep 2015 12:43:40 +0200
Subject: [PATCH] ass_render: fix potential NULL deref

The logic here is pretty complicated. The caller of this function guards it with "if(info->bm || info->bm_o){", and generally indeed only one of them is set. But in some cases, both are needed. fix_outline() definitely dereferences both. This is not necessarily guaranteed, e.g. on out of memory errors.

Add the missing checks.

Fixes CID 146125.
---
 libass/ass_render.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libass/ass_render.c b/libass/ass_render.c
index 5bc98d1..88ab734 100644
--- a/libass/ass_render.c
+++ b/libass/ass_render.c
@@ -1785,7 +1785,7 @@ static int is_new_bm_run(GlyphInfo *info, GlyphInfo *last)
 static void make_shadow_bitmap(CombinedBitmapInfo *info, ASS_Renderer *render_priv)
 {
     if (!(info->filter.flags & FILTER_NONZERO_SHADOW)) {
-        if (info->bm_o && !(info->filter.flags & FILTER_BORDER_STYLE_3)) {
+        if (info->bm && info->bm_o && !(info->filter.flags & FILTER_BORDER_STYLE_3)) {
             fix_outline(info->bm, info->bm_o);
         } else if (info->bm_o && !(info->filter.flags & FILTER_NONZERO_BORDER)) {
             ass_free_bitmap(info->bm_o);
@@ -1795,7 +1795,7 @@ static void make_shadow_bitmap(CombinedBitmapInfo *info, ASS_Renderer *render_pr
     }
 
     // Create shadow and fix outline as needed
-    if (info->bm_o && !(info->filter.flags & FILTER_BORDER_STYLE_3)) {
+    if (info->bm && info->bm_o && !(info->filter.flags & FILTER_BORDER_STYLE_3)) {
         info->bm_s = copy_bitmap(render_priv->engine, info->bm_o);
         fix_outline(info->bm, info->bm_o);
     } else if (info->bm_o && (info->filter.flags & FILTER_NONZERO_BORDER)) {
-- 
2.40.0
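Review bot: The `info->bm &&` added to the first condition carries no explanation at the site; a reader sees an existing outline bitmap being skipped by fix_outline() whenever the fill bitmap is missing and cannot tell that this is an allocation-failure guard rather than a rendering rule. Put the reason from the commit message next to the check: `/* bm may be NULL after an allocation failure even when bm_o exists; fix_outline() dereferences both, so skip it rather than crash. */`. Note that with bm NULL and FILTER_NONZERO_BORDER set, neither the new branch nor the `else if (info->bm_o && !(info->filter.flags & FILTER_NONZERO_BORDER))` branch runs, so bm_o is kept unfixed; the comment should state that this is deliberate, or the second branch should be widened if it is not. The rest of make_shadow_bitmap is outside the hunk.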
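Review bot: The added `info->bm &&` in the second condition makes the bm == NULL, bm_o != NULL case fall through to `} else if (info->bm_o && (info->filter.flags & FILTER_NONZERO_BORDER)) {`, a branch whose condition reads as the non-outline (BORDER_STYLE_3) path and whose body lies outside the hunk, so a glyph left half-built by an allocation failure is now rendered through a different border path instead of being treated as an error. If that degradation is acceptable, say so where the decision is made; if not, handle the incomplete glyph explicitly before the chain, e.g. `if (!info->bm) { /* fill allocation failed: nothing to subtract the outline from */ ... }` with whatever policy the caller expects (drop the run, or keep the outline as the shadow). Deciding this by branch order alone is fragile: the next reordering of these branches changes out-of-memory behaviour without anyone noticing. The branch bodies after this line and the rest of make_shadow_bitmap are outside the hunk.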