From 60226124ec367c2549e4bf1e6174dfb8eca5a63d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Tue, 13 Jun 2023 14:23:47 +0300
Subject: [PATCH] dvdspu: Make sure enough data is allocated for the available
 data

If the size read from the stream is smaller than the currently available
data then the size is bogus and the data should simply be discarded.

Fixes ZDI-CAN-20994
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2660

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4899>
---
 subprojects/gst-plugins-bad/gst/dvdspu/gstspu-pgs.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/subprojects/gst-plugins-bad/gst/dvdspu/gstspu-pgs.c b/subprojects/gst-plugins-bad/gst/dvdspu/gstspu-pgs.c
index 6108de07c2..391bb630f5 100644
--- a/subprojects/gst-plugins-bad/gst/dvdspu/gstspu-pgs.c
+++ b/subprojects/gst-plugins-bad/gst/dvdspu/gstspu-pgs.c
@@ -593,6 +593,9 @@ parse_set_object_data (GstDVDSpu * dvdspu, guint8 type, guint8 * payload,
     obj->rle_data_size = GST_READ_UINT24_BE (payload);
     payload += 3;
 
+    if (end - payload > obj->rle_data_size)
+      return 0;
+
     PGS_DUMP ("%d bytes of RLE data, of %d bytes total.\n",
         (int) (end - payload), obj->rle_data_size);