Fix cmd_pos bounds check to avoid the overflow case.

author Reimar Döffinger <Reimar.Doeffinger@gmx.de>

Sat, 15 Aug 2009 00:02:42 +0000 (00:02 +0000)

committer Reimar Döffinger <Reimar.Doeffinger@gmx.de>

Sat, 15 Aug 2009 00:02:42 +0000 (00:02 +0000)
author Reimar Döffinger <Reimar.Doeffinger@gmx.de>
Sat, 15 Aug 2009 00:02:42 +0000 (00:02 +0000)
committer Reimar Döffinger <Reimar.Doeffinger@gmx.de>
Sat, 15 Aug 2009 00:02:42 +0000 (00:02 +0000)
diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c

index a99b7af..b445d3e 100644 (file)
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -191,7 +191,7 @@ static int decode_dvd_subtitles(AVSubtitle *sub_header,
  
      cmd_pos = READ_OFFSET(buf + cmd_pos);
  
-    while ((cmd_pos + 2 + offset_size) < buf_size) {
+    while (cmd_pos > 0 && cmd_pos < buf_size - 2 - offset_size) {
          date = AV_RB16(buf + cmd_pos);
          next_cmd_pos = READ_OFFSET(buf + cmd_pos + 2);
          dprintf(NULL, "cmd_pos=0x%04x next=0x%04x date=%d\n",
author	Reimar Döffinger <Reimar.Doeffinger@gmx.de>
	Sat, 15 Aug 2009 00:02:42 +0000 (00:02 +0000)
committer	Reimar Döffinger <Reimar.Doeffinger@gmx.de>
	Sat, 15 Aug 2009 00:02:42 +0000 (00:02 +0000)