From ffbe087b589506cb0e671fa711e5c2c6ea203ac0 Mon Sep 17 00:00:00 2001
From: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
Date: Sat, 15 Aug 2009 00:02:42 +0000
Subject: Fix cmd_pos bounds check to avoid the overflow case.

Originally committed as revision 19640 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/dvdsubdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'libavcodec/dvdsubdec.c')

diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c
index a99b7af858..b445d3e456 100644
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -191,7 +191,7 @@ static int decode_dvd_subtitles(AVSubtitle *sub_header,
 
     cmd_pos = READ_OFFSET(buf + cmd_pos);
 
-    while ((cmd_pos + 2 + offset_size) < buf_size) {
+    while (cmd_pos > 0 && cmd_pos < buf_size - 2 - offset_size) {
         date = AV_RB16(buf + cmd_pos);
         next_cmd_pos = READ_OFFSET(buf + cmd_pos + 2);
         dprintf(NULL, "cmd_pos=0x%04x next=0x%04x date=%d\n",
-- 
cgit v1.2.3