Revision 493aa30a libavcodec/dvbsubdec.c

View differences:

libavcodec/dvbsubdec.c
1423 1423

  
1424 1424
#endif
1425 1425

  
1426
    if (buf_size <= 2 || *buf != 0x0f)
1426
    if (buf_size <= 6 || *buf != 0x0f) {
1427
        av_dlog(avctx, "incomplete or broken packet");
1427 1428
        return -1;
1429
    }
1428 1430

  
1429 1431
    p = buf;
1430 1432
    p_end = buf + buf_size;
1431 1433

  
1432
    while (p < p_end && *p == 0x0f) {
1434
    while (p_end - p >= 6 && *p == 0x0f) {
1433 1435
        p += 1;
1434 1436
        segment_type = *p++;
1435 1437
        page_id = AV_RB16(p);
......
1437 1439
        segment_length = AV_RB16(p);
1438 1440
        p += 2;
1439 1441

  
1442
        if (p_end - p < segment_length) {
1443
            av_dlog(avctx, "incomplete or broken packet");
1444
            return -1;
1445
        }
1446

  
1440 1447
        if (page_id == ctx->composition_id || page_id == ctx->ancillary_id ||
1441 1448
            ctx->composition_id == -1 || ctx->ancillary_id == -1) {
1442 1449
            switch (segment_type) {

Also available in: Unified diff