From 5c30ae1a09b66179e16694f6137658023ed1fef3 Mon Sep 17 00:00:00 2001
From: Luca Barbato
Date: Wed, 11 Nov 2015 20:08:29 +0100
Subject: dvdsubdec: Validate the RLE offsets
CC: libav-stable@libav.org
---
 libavcodec/dvdsubdec.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'libavcodec/dvdsubdec.c')
diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c
index 15c49c40b6..da1a83f812 100644
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -178,13 +178,14 @@ static void guess_palette(DVDSubContext* ctx,
 static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header,
 const uint8_t *buf, int buf_size)
 {
- int cmd_pos, pos, cmd, x1, y1, x2, y2, offset1, offset2, next_cmd_pos;
+ int cmd_pos, pos, cmd, x1, y1, x2, y2, next_cmd_pos;
 int big_offsets, offset_size, is_8bit = 0;
 const uint8_t *yuv_palette = 0;
 uint8_t colormap[4] = { 0 }, alpha[256] = { 0 };
 int date;
 int i;
 int is_menu = 0;
+ int64_t offset1, offset2;

 if (buf_size < 10)
 return -1;
@@ -302,6 +303,9 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header,
 }
 }
 the_end:
+ if (offset1 >= buf_size || offset2 >= buf_size)
+ goto fail;
+
 if (offset1 >= 0) {
 int w, h;
 uint8_t *bitmap;
--
cgit v1.2.3
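Review bot: The new declaration `int64_t offset1, offset2;` carries no comment saying why these two variables are wider than every other local in the function. Presumably the offsets are read from the packet as unsigned 16- or 32-bit fields (the reads are outside the hunk), and a 32-bit value with the top bit set would turn negative in an `int` and slip past a `>= buf_size` comparison. A one-line comment such as `/* 64-bit: a 32-bit offset from the bitstream must not wrap negative before the bounds check */` would stop a later cleanup from narrowing them back to `int`. The function body continues outside the hunk.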
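Review bot: The guard added after `the_end:` bounds both offsets from above, but the branch that follows, `if (offset1 >= 0) {`, still tests only offset1 from below, so a negative offset2 would pass both tests. Whether offset2 can be negative while offset1 is not depends on assignments outside the hunk, so this is unconfirmed; if it can, `if (offset1 >= 0 && offset2 >= 0) {` closes the gap. The check also proves only that each offset lies inside the packet, so the code that consumes them (outside the hunk) still has to bound its reads against the bytes remaining after the offset.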