Merge commit '5c30ae1a09b66179e16694f6137658023ed1fef3'

* commit '5c30ae1a09b66179e16694f6137658023ed1fef3':
  dvdsubdec: Validate the RLE offsets

  Conflicts:
      libavcodec/dvdsubdec.c

Merged-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>

diff --cc libavcodec/dvdsubdec.c
index 014b0a3a8341d2804912847e3ca10327a566b06e,da1a83f8129fe114a34a745cb94f950ebf7159c3..fe938591ef94db2f37adc2255768bb6f88da0ea2
--- 1/libavcodec/dvdsubdec.c
--- 2/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@@ -220,14 -178,14 +220,15 @@@ static void reset_rects(AVSubtitle *sub
  static int decode_dvd_subtitles(DVDSubContext *ctx, AVSubtitle *sub_header,
                                  const uint8_t *buf, int buf_size)
  {
-     int cmd_pos, pos, cmd, x1, y1, x2, y2, offset1, offset2, next_cmd_pos;
+     int cmd_pos, pos, cmd, x1, y1, x2, y2, next_cmd_pos;
      int big_offsets, offset_size, is_8bit = 0;
 -    const uint8_t *yuv_palette = 0;
 -    uint8_t colormap[4] = { 0 }, alpha[256] = { 0 };
 +    const uint8_t *yuv_palette = NULL;
 +    uint8_t *colormap = ctx->colormap, *alpha = ctx->alpha;
      int date;
      int i;
      int is_menu = 0;
 +    uint32_t size;
+     int64_t offset1, offset2;
  
      if (buf_size < 10)
          return -1;
@@@ -353,7 -303,10 +354,10 @@@
              }
          }
      the_end:
 -        if (offset1 >= 0) {
+         if (offset1 >= buf_size || offset2 >= buf_size)
+             goto fail;
+ 
 +        if (offset1 >= 0 && offset2 >= 0) {
              int w, h;
              uint8_t *bitmap;