From 5f3cf0a7d7ae7ab883d0611e85c06354f1e94907 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= Date: Tue, 13 Jun 2023 14:25:04 +0300 Subject: [PATCH] dvdspu: Avoid integer overflow when checking if enough data is available Part-of: --- subprojects/gst-plugins-bad/gst/dvdspu/gstspu-pgs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/subprojects/gst-plugins-bad/gst/dvdspu/gstspu-pgs.c b/subprojects/gst-plugins-bad/gst/dvdspu/gstspu-pgs.c index 391bb630f5..df0b8e2cbe 100644 --- a/subprojects/gst-plugins-bad/gst/dvdspu/gstspu-pgs.c +++ b/subprojects/gst-plugins-bad/gst/dvdspu/gstspu-pgs.c @@ -607,7 +607,8 @@ parse_set_object_data (GstDVDSpu * dvdspu, guint8 type, guint8 * payload, PGS_DUMP ("%d bytes of additional RLE data\n", (int) (end - payload)); /* Check that the data chunk is for this object version, and fits in the buffer */ if (obj->rle_data_ver == obj_ver && - obj->rle_data_used + end - payload <= obj->rle_data_size) { + end - payload <= obj->rle_data_size && + obj->rle_data_used <= obj->rle_data_size - (end - payload)) { memcpy (obj->rle_data + obj->rle_data_used, payload, end - payload); obj->rle_data_used += end - payload;