Fix read after the end of allocated buffer.

git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@29423 b3059339-0415-0410-9bf9-f77b7e298cf2

libass/ass.h

@@ -34,6 +34,8 @@ typedef struct ass_image_s {
 	int w, h; // bitmap width/height
 	int stride; // bitmap stride
 	unsigned char* bitmap; // 1bpp stride*h alpha buffer
+	                       // Actual bitmap size may be as low as
+	                       // stride * (h-1) + w
 	uint32_t color; // RGBA
 	int dst_x, dst_y; // bitmap placement inside the video frame
 

libass/ass_render.c

@@ -407,6 +407,21 @@ static ass_image_t** render_glyph(bitmap_t* bm, int dst_x, int dst_y, uint32_t c
 	return tail;
 }
 
+/**
+ * \brief Replaces the bitmap buffer in ass_image_t with its copy.
+ *
+ * @param img Image to operate on.
+ * @return Address of the old buffer.
+ */
+static unsigned char* clone_bitmap_data(ass_image_t* img)
+{
+	unsigned char* old_bitmap = img->bitmap;
+	int size = img->stride * (img->h - 1) + img->w;
+	img->bitmap = malloc(size);
+	memcpy(img->bitmap, old_bitmap, size);
+	return old_bitmap;
+}
+
 /**
  * \brief Calculate overlapping area of two consecutive bitmaps and in case they
  * overlap, composite them together
@@ -474,12 +489,8 @@ static void render_overlap(ass_image_t** last_tail, ass_image_t** tail, bitmap_h
 	}
 
 	// Allocate new bitmaps and copy over data
-	a = (*last_tail)->bitmap;
-	b = (*tail)->bitmap;
-	(*last_tail)->bitmap = malloc(as*ah);
-	(*tail)->bitmap = malloc(bs*bh);
-	memcpy((*last_tail)->bitmap, a, as*ah);
-	memcpy((*tail)->bitmap, b, bs*bh);
+	a = clone_bitmap_data(*last_tail);
+	b = clone_bitmap_data(*tail);
 
 	// Composite overlapping area
 	for (y=0; y<h; y++)