Merge commit '8629149816930a43bf5a66b11c6224446cabd044'

[ffmpeg] / libavcodec / movtextdec.c

diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c
index 89ac791602c65704fcf238a16d8bf0e19058f903..c38c5edce67838f169bfcd1d79668c782980b893 100644 (file)
--- a/libavcodec/movtextdec.c
+++ b/libavcodec/movtextdec.c
@@ -299,6 +299,14 @@ static int decode_styl(const uint8_t *tsmb, MovTextContext *m, AVPacket *avpkt)
         m->s_temp->style_start = AV_RB16(tsmb);
         tsmb += 2;
         m->s_temp->style_end = AV_RB16(tsmb);
+
+        if (   m->s_temp->style_end < m->s_temp->style_start
+            || (m->count_s && m->s_temp->style_start < m->s[m->count_s - 1]->style_end)) {
+            av_freep(&m->s_temp);
+            mov_text_cleanup(m);
+            return AVERROR(ENOMEM);
+        }
+
         tsmb += 2;
         m->s_temp->style_fontID = AV_RB16(tsmb);
         tsmb += 2;