Headline
CVE-2020-36430: decode_font: fix subtraction broken by change to unsigned type · libass/libass@0171374
libass 0.15.x before 0.15.1 has a heap-based buffer overflow in decode_chars (called from decode_font and process_text) because the wrong integer data type is used for subtraction.
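To make the "wrong integer data type" concrete, here is an added example (not libass code) that re-implements the pre-fix and post-fix allocation-size expressions from the commit with `size` as `size_t`, next to the byte count the commit's `assert` pins down, and checks where the allocation comes out smaller than what `decode_chars` writes. `FFMAX` is assumed to be the usual max macro; the function names are mine.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdbool.h>

/* Assumed: FFMAX is the conventional two-argument max macro. */
#define FFMAX(a, b) ((a) > (b) ? (a) : (b))

/* Bytes decode_chars produces for `size` encoded bytes: 3 per full group
 * of 4, plus (r - 1) for a trailing partial group of r in {2, 3}. This is
 * the value the commit's assert compares `dsize` against. */
size_t expected_decoded_len(size_t size)
{
    size_t rem = size % 4;
    return size / 4 * 3 + (rem > 1 ? rem - 1 : 0);
}

/* Pre-fix expression. `size % 4 - 1` is evaluated in size_t, so when size
 * is a multiple of 4 it wraps to SIZE_MAX, FFMAX keeps that, and the final
 * sum wraps again to one byte less than the decoder will write. */
size_t buggy_alloc_len(size_t size)
{
    return size / 4 * 3 + FFMAX(size % 4 - 1, 0);
}

/* Post-fix expression: FFMAX clamps to at least 1 before the subtraction,
 * so nothing wraps and the result equals expected_decoded_len(). */
size_t fixed_alloc_len(size_t size)
{
    return size / 4 * 3 + FFMAX(size % 4, 1) - 1;
}

/* True when the buffer would be smaller than what decode_chars writes,
 * i.e. the condition that becomes the heap buffer overflow. */
bool alloc_too_small(size_t (*alloc_len)(size_t), size_t size)
{
    return alloc_len(size) < expected_decoded_len(size);
}

int main(void)
{
    for (size_t size = 1; size <= 8; size++)
        printf("size=%zu need=%zu buggy=%zu fixed=%zu%s\n", size,
               expected_decoded_len(size), buggy_alloc_len(size),
               fixed_alloc_len(size),
               alloc_too_small(buggy_alloc_len, size) ? "  <- undersized" : "");
    return 0;
}
```

Only sizes that are multiples of 4 trigger the wrap; for a remainder of 1, 2 or 3 both expressions agree, which is why the bug survives casual testing.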
@@ -857,7 +857,7 @@ static int decode_font(ASS_Track *track) ass_msg(track->library, MSGL_ERR, “Bad encoded data size”); goto error_decode_font; } buf = malloc(size / 4 * 3 + FFMAX(size % 4 - 1, 0)); buf = malloc(size / 4 * 3 + FFMAX(size % 4, 1) - 1); if (!buf) goto error_decode_font; q = buf; @@ -871,7 +871,7 @@ static int decode_font(ASS_Track *track) q = decode_chars(p, q, 3); } dsize = q - buf; assert(dsize == size / 4 * 3 + FFMAX(size % 4 - 1, 0)); assert(dsize == size / 4 * 3 + FFMAX(size % 4, 1) - 1);
if (track->library->extract_fonts) { ass_add_font(track->library, track->parser_priv->fontname,
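Review bot: the new `FFMAX(size % 4, 1) - 1` in both hunks is only safe because FFMAX clamps to at least 1 before the `- 1`, so the subtraction can no longer wrap in the unsigned type; a comment at the `malloc` line saying that `size % 4 - 1` wrapped whenever `size` was a multiple of 4 would stop the same pattern being reintroduced. The same expression is now duplicated between the `malloc` call and the `assert(dsize == ...)` check; computing it once into a local (e.g. `size_t dsize_expected`) and using that in both places would keep the two from drifting apart in a future edit.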
Related news
Gentoo Linux Security Advisory 202208-13 - A vulnerability in libass could result in denial of service. Versions less than 0.15.1 are affected.