# HG changeset patch
# User reimar
# Date 1351808313 0
# Node ID 036f417248841ffa2ae31d3ec08f6059e115804a
# Parent 42613bcd1bfe7763736f09bda2970898d690cacb
Use AV_RB32 to avoid sign extension issues and validate offset before using it.
diff -r 42613bcd1bfe -r 036f41724884 sub/vobsub.c
--- a/sub/vobsub.c Thu Nov 01 22:13:14 2012 +0000
+++ b/sub/vobsub.c Thu Nov 01 22:18:33 2012 +0000
@@ -40,6 +40,7 @@
 #include "path.h"
 #include "unrar_exec.h"
 #include "libavutil/common.h"
+#include "libavutil/intreadwrite.h"
 // Record the original -vobsubid set by commandline, since vobsub_id will be
 // overridden if slang match any of vobsub streams.
@@ -837,8 +838,7 @@
 } else if (memcmp(block, ifo_magic, strlen(ifo_magic) + 1))
 mp_msg(MSGT_VOBSUB, MSGL_ERR, "VobSub: Bad magic in IFO header\n");
 else {
- unsigned pgci_sector = block[0xcc] << 24 | block[0xcd] << 16
- | block[0xce] << 8 | block[0xcf];
+ unsigned pgci_sector = AV_RB32(block + 0xcc);
 int standard = (block[0x200] & 0x30) >> 4;
 int resolution = (block[0x201] & 0x0c) >> 2;
 *height = standard ? 576 : 480;
@@ -871,11 +871,11 @@
 mp_msg(MSGT_VOBSUB, MSGL_ERR, "VobSub: Can't read IFO PGCI\n");
 else {
 unsigned idx;
- unsigned pgc_offset = block[0xc] << 24 | block[0xd] << 16
- | block[0xe] << 8 | block[0xf];
+ unsigned pgc_offset = AV_RB32(block + 0xc);
+ pgc_offset = FFMIN(pgc_offset, sizeof(block) - 0xa4 - 4*16);
 for (idx = 0; idx < 16; ++idx) {
 unsigned char *p = block + pgc_offset + 0xa4 + 4 * idx;
- palette[idx] = p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3];
+ palette[idx] = AV_RB32(p);
 }
 if (vob)
 vob->have_palette = 1;
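Review bot: The `FFMIN` clamp on `pgc_offset` in the third hunk keeps the palette reads inside `block`, but it hides a malformed IFO instead of rejecting it: an out-of-range offset is silently replaced, sixteen entries are read from the tail of the sector, and `vob->have_palette = 1` is still set. Because the offset comes from the file, I would handle it like the other parse failures in this function: test `if (pgc_offset > sizeof(block) - 0xa4 - 4*16)`, report it through `mp_msg(MSGT_VOBSUB, MSGL_ERR, ...)`, and skip both the palette loop and the `have_palette` assignment. If a valid IFO can place the PGC beyond the one block read here (not visible in this hunk), the clamp would also yield wrong colours for it without any message. A short comment naming `0xa4` as the palette's offset from `pgc_offset` and `4*16` as the palette size would keep the bound and the loop in step. The declaration of `block` and the enclosing `else` block lie outside the hunk, so the bound assumes `block` is an array of at least `0xa4 + 4*16` bytes.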