From 81c1657a593b1c0f8e46fca00ead1d30ee1cd418 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Sat, 2 Aug 2014 01:15:37 +0200
Subject: [PATCH] avcodec/dvdsub_parser: Check buf_size before reading 32bit
 packet size

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavcodec/dvdsub_parser.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/dvdsub_parser.c b/libavcodec/dvdsub_parser.c
index 9a6457e8b41..07ed4f72fc8 100644
--- a/libavcodec/dvdsub_parser.c
+++ b/libavcodec/dvdsub_parser.c
@@ -45,8 +45,9 @@ static int dvdsub_parse(AVCodecParserContext *s,
     DVDSubParseContext *pc = s->priv_data;
 
     if (pc->packet_index == 0) {
-        if (buf_size < 2)
+        if (buf_size < 2 || AV_RB16(buf) && buf_size < 6) {
             return buf_size;
+        }
         pc->packet_len = AV_RB16(buf);
         if (pc->packet_len == 0) /* HD-DVD subpicture packet */
             pc->packet_len = AV_RB32(buf+2);
-- 
GitLab