decode_font: fix subtraction broken by change to unsigned type
This caused a one-byte buffer overwrite and an assertion failure.

Regression in commit 910211f.

Discovered by OSS-Fuzz.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26674.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26678.
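Added example, not libass code: it models the two allocation-size expressions from this commit in C with a plain ternary `FFMAX` (the same macro shape libass uses) and an unsigned `size`, and compares them against the byte count the decoder actually produces. The `expected_decoded_len` reference is an assumption read off the formula's intent (3 bytes per full 4-char group, `rem - 1` bytes for a trailing group of 2 or 3 chars, none for 0 or 1); the hunk itself does not show the whole loop.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same shape as the FFMAX macro used in libass: a bare ternary, so the
 * result type is whatever the usual arithmetic conversions make of the
 * two operands. With a size_t operand and an int 0, that is size_t. */
#define FFMAX(a, b) ((a) > (b) ? (a) : (b))

/* Old expression from the hunk, evaluated with an unsigned size (the
 * situation after the type change that this commit fixes). When
 * size % 4 == 0, size % 4 - 1 wraps to SIZE_MAX, FFMAX keeps it, and the
 * addition wraps back to size / 4 * 3 - 1: one byte short. */
static size_t old_decoded_len(size_t size)
{
    return size / 4 * 3 + FFMAX(size % 4 - 1, 0);
}

/* Fixed expression from the hunk: clamp first, subtract afterwards, so
 * the subtraction can never go below zero. */
static size_t new_decoded_len(size_t size)
{
    return size / 4 * 3 + FFMAX(size % 4, 1) - 1;
}

/* Assumed reference (not from the page): bytes a 4-chars-to-3-bytes
 * decoder writes for an input of `size` encoded characters. */
static size_t expected_decoded_len(size_t size)
{
    size_t rem = size % 4;
    return size / 4 * 3 + (rem > 1 ? rem - 1 : 0);
}

/* Signed difference between what the old formula allocates and what
 * the decoder writes; -1 is the one-byte overwrite from the report. */
static long old_shortfall(size_t size)
{
    return (long)(old_decoded_len(size) - expected_decoded_len(size));
}

/* Same check for the fixed formula; expected to be 0 for every size. */
static long new_shortfall(size_t size)
{
    return (long)(new_decoded_len(size) - expected_decoded_len(size));
}

int main(void)
{
    printf("%6s %8s %8s %8s\n", "size", "needed", "old", "new");
    for (size_t size = 4; size <= 11; size++) {
        printf("%6zu %8zu %8ld %8ld\n", size, expected_decoded_len(size),
               old_shortfall(size), new_shortfall(size));
    }
    return 0;
}
```

Run it and the `old` column reads -1 on every multiple of four (4 and 8 in this range) and 0 elsewhere, while `new` is 0 throughout; that is exactly the case the fuzzer hit, and why the assert in the second hunk, which repeats the same expression, failed alongside the overwrite.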
astiob committed Oct 27, 2020
1 parent d149636 commit 0171374
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions libass/ass.c
Expand Up @@ -857,7 +857,7 @@ static int decode_font(ASS_Track *track)
ass_msg(track->library, MSGL_ERR, "Bad encoded data size");
goto error_decode_font;
}
buf = malloc(size / 4 * 3 + FFMAX(size % 4 - 1, 0));
buf = malloc(size / 4 * 3 + FFMAX(size % 4, 1) - 1);
if (!buf)
goto error_decode_font;
q = buf;
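Review bot: the rewritten size expression in the malloc call is correct for an unsigned `size` (FFMAX(size % 4, 1) - 1 gives 0, 0, 1, 2 for size % 4 = 0..3, whereas size % 4 - 1 wrapped to the type's maximum when size % 4 == 0 and made the total one byte short), but the same expression is repeated verbatim in the assert further down; compute it once into a local such as `dsize_expected` and use that in both places, so the two can't drift apart the way they did in this regression. A one-line comment saying that `size` is unsigned and the clamp must happen before the subtraction would stop the next refactor from reintroducing the bug.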
Expand All @@ -871,7 +871,7 @@ static int decode_font(ASS_Track *track)
q = decode_chars(p, q, 3);
}
dsize = q - buf;
assert(dsize == size / 4 * 3 + FFMAX(size % 4 - 1, 0));
assert(dsize == size / 4 * 3 + FFMAX(size % 4, 1) - 1);

if (track->library->extract_fonts) {
ass_add_font(track->library, track->parser_priv->fontname,
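Review bot: the assert on `dsize` duplicates the allocation formula from the malloc call by hand, which is the pattern that let the two disagree here; prefer a single `dsize_expected` local computed before the malloc and compared here, e.g. `assert(dsize == dsize_expected);`. Also keep in mind that this assert is compiled out under NDEBUG, so it documents the invariant but does not protect release builds; the malloc size is the only real bound, which is another reason to derive both from one expression.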
