# HG changeset patch
# User reimar
# Date 1250294562 0
# Node ID a1b42791b13df4681ce626f219dfdf9365dd943c
# Parent 88dcf5f43a9c65ab2bfc6d280d31f3f02a72a9f7
Fix cmd_pos bounds check to avoid the overflow case.
diff -r 88dcf5f43a9c -r a1b42791b13d dvdsubdec.c
--- a/dvdsubdec.c Fri Aug 14 16:41:21 2009 +0000
+++ b/dvdsubdec.c Sat Aug 15 00:02:42 2009 +0000
@@ -191,7 +191,7 @@
 cmd_pos = READ_OFFSET(buf + cmd_pos);
- while ((cmd_pos + 2 + offset_size) < buf_size) {
+ while (cmd_pos > 0 && cmd_pos < buf_size - 2 - offset_size) {
 date = AV_RB16(buf + cmd_pos);
 next_cmd_pos = READ_OFFSET(buf + cmd_pos + 2);
 dprintf(NULL, "cmd_pos=0x%04x next=0x%04x date=%d\n",
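Review bot: The rewritten loop condition `cmd_pos < buf_size - 2 - offset_size` is only safe if `cmd_pos`, `buf_size` and `offset_size` are all signed and nothing in the comparison is promoted to unsigned; their declarations are outside the hunk, so this should be confirmed. If any operand were unsigned, a buffer shorter than `2 + offset_size` would make the right-hand side wrap to a large value and the check would pass for any offset. A comment on the loop would record the intent for the next reader, e.g. `/* cmd_pos is read from the packet: compare by subtraction so a huge offset cannot overflow the sum */`. The `next_cmd_pos` value read two lines later is packet data as well, and how it is fed back into `cmd_pos` lies in the part of the loop body outside the hunk, so it is worth checking that it always passes through this condition before being used as an index.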