X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fmovtextdec.c;h=c38c5edce67838f169bfcd1d79668c782980b893;hb=67cdfcf694f840d215be940f82545c45c9be193a;hp=89ac791602c65704fcf238a16d8bf0e19058f903;hpb=33bd2b99a1c2cf3fc8b810a11c6615a37d9f9cf4;p=ffmpeg

diff --git a/libavcodec/movtextdec.c b/libavcodec/movtextdec.c
index 89ac791602c..c38c5edce67 100644
--- a/libavcodec/movtextdec.c
+++ b/libavcodec/movtextdec.c
@@ -299,6 +299,14 @@ static int decode_styl(const uint8_t *tsmb, MovTextContext *m, AVPacket *avpkt)
         m->s_temp->style_start = AV_RB16(tsmb);
         tsmb += 2;
         m->s_temp->style_end = AV_RB16(tsmb);
+
+        if (   m->s_temp->style_end < m->s_temp->style_start
+            || (m->count_s && m->s_temp->style_start < m->s[m->count_s - 1]->style_end)) {
+            av_freep(&m->s_temp);
+            mov_text_cleanup(m);
+            return AVERROR(ENOMEM);
+        }
+
         tsmb += 2;
         m->s_temp->style_fontID = AV_RB16(tsmb);
         tsmb += 2;