File libass-CVE-2016-7969.patch of Package libass

Overview Repositories Revisions Requests Users Attributes Meta

File libass-CVE-2016-7969.patch of Package libass

From f4f48950788b91c6a30029cc28a240b834713ea7 Mon Sep 17 00:00:00 2001
From: Grigori Goronzy <greg@chown.ath.cx>
Date: Tue, 4 Oct 2016 21:25:41 +0200
Subject: [PATCH] Fix line wrapping mode 0/3 bugs

This fixes two separate bugs:

a) Don't move a linebreak into the first symbol. This results in a empty
   line at the front, which does not help to equalize line lengths at all.
   Instead, merge line with the second one.
b) When moving a linebreak into a symbol that already is a break, the
   number of lines must be decremented. Otherwise, uninitialized memory
   is possibly used for later layout operations.

Found by fuzzer test case
id:000085,sig:11,src:003377+003350,op:splice,rep:8.

This might also affect and hopefully fix libass#229.

v2: change semantics according to review
---
 libass/ass_render.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libass/ass_render.c b/libass/ass_render.c
index 8790408..1d3c0c5 100644
--- a/libass/ass_render.c
+++ b/libass/ass_render.c
@@ -1608,7 +1608,10 @@ wrap_lines_smart(ASS_Renderer *render_priv, double max_text_width)
                         (w->bbox.xMin + w->pos.x));
 
                     if (DIFF(l1_new, l2_new) < DIFF(l1, l2)) {
-                        w->linebreak = 1;
+                        if (w->linebreak || w == text_info->glyphs)
+                            text_info->n_lines--;
+                        if (w != text_info->glyphs)
+                            w->linebreak = 1;
                         s2->linebreak = 0;
                         exit = 0;
                     }

Places

File libass-CVE-2016-7969.patch of Package libass

Places