From c8d18c6674ff270339b168f1ce43aa95ab988e48 Mon Sep 17 00:00:00 2001
From: Moritz Bunkus <moritz@bunkus.org>
Date: Thu, 16 Jul 2009 21:05:24 +0200
Subject: [PATCH] Do not try to access beyound the end of the buffer.

---
 ChangeLog              | 3 +++
 src/input/r_vobsub.cpp | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 2afe00d40..1e4e77d0b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
 2009-07-16  Moritz Bunkus  <moritz@bunkus.org>
 
+	* mkvmerge: bug fix: Fixed an invalid memory access in the VobSub
+	reader module.
+
 	* mmg: bug fix: Tracks added from Matroska files did not get their
 	'default track' drop down box set correctly if the flag was 'off'
 	in the source file and no other track of its kind hat its 'default
diff --git a/src/input/r_vobsub.cpp b/src/input/r_vobsub.cpp
index 9eec95a2d..15afde4d0 100644
--- a/src/input/r_vobsub.cpp
+++ b/src/input/r_vobsub.cpp
@@ -332,8 +332,8 @@ vobsub_reader_c::deliver_packet(unsigned char *buf,
     duration = default_duration;
     mxverb(2, boost::format("vobsub_reader: Could not extract the duration for a SPU packet (timecode: %1%).") % format_timecode(timecode, 3));
 
-    uint32_t dcsq  = buf[2]        << 8 | buf[3];
-    uint32_t dcsq2 = buf[dcsq + 2] << 8 | buf[dcsq + 3];
+    int dcsq  =                   get_uint16_be(&buf[2]);
+    int dcsq2 = dcsq + 3 < size ? get_uint16_be(&buf[dcsq + 2]) : -1;
 
     // Some players ignore sub-pictures if there is no stop display command.
     // Add a stop display command only if 1 command chain exists and the hack is enabled.