41 lines
1.4 KiB
Diff
41 lines
1.4 KiB
Diff
From 017137471d0043e0321e377ed8da48e45a3ec632 Mon Sep 17 00:00:00 2001
|
|
From: Oleg Oshmyan <chortos@inbox.lv>
|
|
Date: Tue, 27 Oct 2020 15:46:04 +0200
|
|
Subject: [PATCH] decode_font: fix subtraction broken by change to unsigned
|
|
type
|
|
|
|
This caused a one-byte buffer overwrite and an assertion failure.
|
|
|
|
Regression in commit 910211f1c0078e37546f73e95306724358b89be2.
|
|
|
|
Discovered by OSS-Fuzz.
|
|
|
|
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26674.
|
|
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26678.
|
|
---
|
|
libass/ass.c | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/libass/ass.c b/libass/ass.c
|
|
index 428a332ff..5be09a7cf 100644
|
|
--- a/libass/ass.c
|
|
+++ b/libass/ass.c
|
|
@@ -857,7 +857,7 @@ static int decode_font(ASS_Track *track)
|
|
ass_msg(track->library, MSGL_ERR, "Bad encoded data size");
|
|
goto error_decode_font;
|
|
}
|
|
- buf = malloc(size / 4 * 3 + FFMAX(size % 4 - 1, 0));
|
|
+ buf = malloc(size / 4 * 3 + FFMAX(size % 4, 1) - 1);
|
|
if (!buf)
|
|
goto error_decode_font;
|
|
q = buf;
|
|
@@ -871,7 +871,7 @@ static int decode_font(ASS_Track *track)
|
|
q = decode_chars(p, q, 3);
|
|
}
|
|
dsize = q - buf;
|
|
- assert(dsize == size / 4 * 3 + FFMAX(size % 4 - 1, 0));
|
|
+ assert(dsize == size / 4 * 3 + FFMAX(size % 4, 1) - 1);
|
|
|
|
if (track->library->extract_fonts) {
|
|
ass_add_font(track->library, track->parser_priv->fontname,
|