Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP4:Update
libass
libass-CVE-2020-26682.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File libass-CVE-2020-26682.patch of Package libass
Index: libass-0.14.0/libass/ass_outline.c =================================================================== --- libass-0.14.0.orig/libass/ass_outline.c 2017-10-31 13:14:11.000000000 +0100 +++ libass-0.14.0/libass/ass_outline.c 2021-03-16 09:14:17.114485654 +0100 @@ -47,6 +47,11 @@ static void outline_clear(ASS_Outline *o outline->n_segments = outline->max_segments = 0; } +static bool valid_point(const FT_Vector *pt) +{ + return abs(pt->x) <= OUTLINE_MAX && abs(pt->y) <= OUTLINE_MAX; +} + bool outline_convert(ASS_Outline *outline, const FT_Outline *source) { if (!source || !source->n_points) { @@ -77,12 +82,16 @@ bool outline_convert(ASS_Outline *outlin continue; } + if (!valid_point(source->points + j)) + goto fail; switch (FT_CURVE_TAG(source->tags[j])) { case FT_CURVE_TAG_ON: st = S_ON; break; case FT_CURVE_TAG_CONIC: + if (!valid_point(source->points + last)) + goto fail; pt.x = source->points[last].x; pt.y = -source->points[last].y; switch (FT_CURVE_TAG(source->tags[last])) { @@ -110,6 +119,8 @@ bool outline_convert(ASS_Outline *outlin outline->points[outline->n_points++] = pt; for (j++; j <= last; j++) { + if (!valid_point(source->points + j)) + goto fail; switch (FT_CURVE_TAG(source->tags[j])) { case FT_CURVE_TAG_ON: switch (st) { @@ -236,6 +247,9 @@ void outline_free(ASS_Outline *outline) */ bool outline_add_point(ASS_Outline *outline, ASS_Vector pt, char segment) { + if(abs(pt.x) > OUTLINE_MAX || abs(pt.y) > OUTLINE_MAX) + return false; + if (outline->n_points >= outline->max_points) { size_t new_size = 2 * outline->max_points; if (!ASS_REALLOC_ARRAY(outline->points, new_size)) @@ -1303,7 +1317,7 @@ bool outline_stroke(ASS_Outline *result, { const int dir = 3; int rad = FFMAX(xbord, ybord); - assert(rad >= eps); + assert(rad >= eps && rad <= OUTLINE_MAX); result->n_points = result->n_segments = 0; result1->n_points = result1->n_segments = 0; @@ -1329,12 +1343,10 @@ bool outline_stroke(ASS_Outline *result, str.err_c = 390 * rel_err * rel_err; str.err_a = e; - for (size_t i = 0; i < path->n_points; i++) { - if (path->points[i].x < OUTLINE_MIN || path->points[i].x > OUTLINE_MAX) - return false; - if (path->points[i].y < OUTLINE_MIN || path->points[i].y > OUTLINE_MAX) - return false; - } +#ifndef NDEBUG + for (size_t i = 0; i < path->n_points; i++) + assert(abs(path->points[i].x) <= OUTLINE_MAX && abs(path->points[i].y) <= OUTLINE_MAX); +#endif ASS_Vector *start = path->points, *cur = start; for (size_t i = 0; i < path->n_segments; i++) { Index: libass-0.14.0/libass/ass_outline.h =================================================================== --- libass-0.14.0.orig/libass/ass_outline.h 2017-10-31 13:14:11.000000000 +0100 +++ libass-0.14.0/libass/ass_outline.h 2021-03-16 09:14:17.114485654 +0100 @@ -83,8 +83,9 @@ typedef struct { char *segments; } ASS_Outline; -#define OUTLINE_MIN (-((int32_t) 1 << 28)) +// ouline point coordinates should always be in [-OUTLINE_MAX, +OUTLINE_MAX] range #define OUTLINE_MAX (((int32_t) 1 << 28) - 1) +// cubic spline splitting requires 8 * OUTLINE_MAX + 4 <= INT32_MAX bool outline_alloc(ASS_Outline *outline, size_t n_points, size_t n_segments); bool outline_convert(ASS_Outline *outline, const FT_Outline *source); Index: libass-0.14.0/libass/ass_rasterizer.c =================================================================== --- libass-0.14.0.orig/libass/ass_rasterizer.c 2017-10-31 13:14:11.000000000 +0100 +++ libass-0.14.0/libass/ass_rasterizer.c 2021-03-16 09:14:17.114485654 +0100 @@ -269,12 +269,10 @@ bool rasterizer_set_outline(RasterizerDa } rst->size[0] = rst->n_first; - for (size_t i = 0; i < path->n_points; i++) { - if (path->points[i].x < OUTLINE_MIN || path->points[i].x > OUTLINE_MAX) - return false; - if (path->points[i].y < OUTLINE_MIN || path->points[i].y > OUTLINE_MAX) - return false; - } +#ifndef NDEBUG + for (size_t i = 0; i < path->n_points; i++) + assert(abs(path->points[i].x) <= OUTLINE_MAX && abs(path->points[i].y) <= OUTLINE_MAX); +#endif ASS_Vector *start = path->points, *cur = start; for (size_t i = 0; i < path->n_segments; i++) {
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor