X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fdvbsubdec.c;h=6e7e13b6eb2b3c7eba991be308c0b52a16a33232;hb=e786e37326d4274c1dfbc37a6478680684c779c9;hp=b59e8366570ee92c6dd27a4b3ab0a14aacf0e775;hpb=06476249cd2332e30b66576633b2827adf3478dd;p=ffmpeg

diff --git a/libavcodec/dvbsubdec.c b/libavcodec/dvbsubdec.c
index b59e8366570..6e7e13b6eb2 100644
--- a/libavcodec/dvbsubdec.c
+++ b/libavcodec/dvbsubdec.c
@@ -1267,6 +1267,13 @@ static int dvbsub_parse_region_segment(AVCodecContext *avctx,
         display->y_pos = AV_RB16(buf) & 0xfff;
         buf += 2;
 
+        if (display->x_pos >= region->width ||
+            display->y_pos >= region->height) {
+            av_log(avctx, AV_LOG_ERROR, "Object outside region\n");
+            av_free(display);
+            return AVERROR_INVALIDDATA;
+        }
+
         if ((object->type == 1 || object->type == 2) && buf+1 < buf_end) {
             display->fgcolor = *buf++;
             display->bgcolor = *buf++;
@@ -1571,8 +1578,9 @@ static int dvbsub_parse_display_definition_segment(AVCodecContext *avctx,
     display_def->width   = bytestream_get_be16(&buf) + 1;
     display_def->height  = bytestream_get_be16(&buf) + 1;
     if (!avctx->width || !avctx->height) {
-        avctx->width  = display_def->width;
-        avctx->height = display_def->height;
+        int ret = ff_set_dimensions(avctx, display_def->width, display_def->height);
+        if (ret < 0)
+            return ret;
     }
 
     if (info_byte & 1<<3) { // display_window_flag