avcodec/movtextdec: Fix potential integer overflow
authorMichael Niedermayer <michael@niedermayer.cc>
Tue, 15 Nov 2016 13:46:16 +0000 (14:46 +0100)
committerMichael Niedermayer <michael@niedermayer.cc>
Thu, 17 Nov 2016 11:47:40 +0000 (12:47 +0100)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6ea27157682200e5f78cadcabdb009eccd9dd9b1)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/movtextdec.c

index a33fff7..923e582 100644 (file)
@@ -485,7 +485,7 @@ static int mov_text_decode_frame(AVCodecContext *avctx,
                 m->size_var = 8;
             //size_var is equal to 8 or 16 depending on the size of box
 
-            if (m->tracksize + tsmb_size > avpkt->size)
+            if (tsmb_size > avpkt->size - m->tracksize)
                 break;
 
             for (size_t i = 0; i < box_count; i++) {