diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c index 15c49c40b6..da1a83f812 100644 --- a/libavcodec/dvdsubdec.c +++ b/libavcodec/dvdsubdec.c @@ -178,13 +178,14 @@ static void guess_palette(DVDSubContext* ctx, static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header, const uint8_t *buf, int buf_size) { - int cmd_pos, pos, cmd, x1, y1, x2, y2, offset1, offset2, next_cmd_pos; + int cmd_pos, pos, cmd, x1, y1, x2, y2, next_cmd_pos; int big_offsets, offset_size, is_8bit = 0; const uint8_t *yuv_palette = 0; uint8_t colormap[4] = { 0 }, alpha[256] = { 0 }; int date; int i; int is_menu = 0; + int64_t offset1, offset2; if (buf_size < 10) return -1; @@ -302,6 +303,9 @@ static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header, } } the_end: + if (offset1 >= buf_size || offset2 >= buf_size) + goto fail; + if (offset1 >= 0) { int w, h; uint8_t *bitmap;