From 4666444955b5c8ee8b1bce8e514a33b2b0dd44d4 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Sebastian=20Dr=C3=B6ge?=
Date: Thu, 1 Nov 2018 19:19:03 +0200
Subject: [PATCH] video-anc: Fix bounds checks when parsing VBI data

We were reading more bytes than we allocated.

https://bugzilla.gnome.org/show_bug.cgi?id=797363
---
 gst-libs/gst/video/video-anc.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/gst-libs/gst/video/video-anc.c b/gst-libs/gst/video/video-anc.c
index f3ae278..d0919bb 100644
--- a/gst-libs/gst/video/video-anc.c
+++ b/gst-libs/gst/video/video-anc.c
@@ -95,7 +95,7 @@ get_ancillary_16 (GstVideoVBIParser * parser, GstVideoAncillary * anc)
   g_return_val_if_fail (parser != NULL, GST_VIDEO_VBI_PARSER_RESULT_ERROR);
   g_return_val_if_fail (anc != NULL, GST_VIDEO_VBI_PARSER_RESULT_ERROR);
-  while (parser->offset < parser->work_data_size + SMALLEST_ANC_SIZE) {
+  while (parser->offset + SMALLEST_ANC_SIZE < parser->work_data_size) {
     guint8 DID, SDID, DC;
     guint i;
@@ -116,7 +116,7 @@ get_ancillary_16 (GstVideoVBIParser * parser, GstVideoAncillary * anc)
     SDID = data[parser->offset + 4] & 0xff;
     DC = data[parser->offset + 5] & 0xff;
     /* Check if we have enough room to get the User Data */
-    if (parser->offset >= parser->work_data_size + SMALLEST_ANC_SIZE + DC)
+    if (parser->offset + SMALLEST_ANC_SIZE + DC >= parser->work_data_size)
       goto not_enough_data;
     /* We found a valid ANC \o/ */
@@ -155,7 +155,7 @@ get_ancillary_8 (GstVideoVBIParser * parser, GstVideoAncillary * anc)
   g_return_val_if_fail (parser != NULL, GST_VIDEO_VBI_PARSER_RESULT_ERROR);
   g_return_val_if_fail (anc != NULL, GST_VIDEO_VBI_PARSER_RESULT_ERROR);
-  while (parser->offset < parser->work_data_size + SMALLEST_ANC_SIZE) {
+  while (parser->offset + SMALLEST_ANC_SIZE < parser->work_data_size) {
     guint8 DID, SDID, DC;
     guint i;
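Review bot: The new loop condition at `@@ -95` is still one word more conservative than it needs to be: with strict `<`, a packet whose checksum sits at `work_data_size - 1` (so that offset + SMALLEST_ANC_SIZE == work_data_size) is no longer over-read, but it is also never parsed, assuming SMALLEST_ANC_SIZE already counts the checksum word, which its definition outside this hunk would confirm. The inner check at `@@ -116` has the same shape, since `>=` rejects the case where exactly SMALLEST_ANC_SIZE + DC words remain even though that is the whole packet, and the two `get_ancillary_8` hunks at `@@ -155` and `@@ -171` mirror both. If the constant does include the checksum, the exact forms would be `while (parser->offset + SMALLEST_ANC_SIZE <= parser->work_data_size) {` and `if (parser->offset + SMALLEST_ANC_SIZE + DC > parser->work_data_size)`. Either way, a comment next to the check stating what SMALLEST_ANC_SIZE covers (ADF, DID, SDID, DC, checksum) would make the boundary auditable without chasing the macro. Both enclosing functions start and end outside the hunks.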
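Review bot: The room check at `@@ -116` is now written out by hand in get_ancillary_16 and repeated verbatim in get_ancillary_8 at `@@ -171`, and the fix had to be applied four times, which is how the original inverted bound survived in both variants. A single helper such as `static inline gboolean have_anc_room (const GstVideoVBIParser * parser, guint extra) { return parser->offset + SMALLEST_ANC_SIZE + extra < parser->work_data_size; }` called from both loops (with `extra` 0 for the loop condition and DC for the payload check) would keep the arithmetic in one place. A regression test that feeds a buffer ending exactly at a packet's checksum and another whose DC claims more words than remain would pin both boundaries against future edits. The enclosing function continues outside the hunk.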
@@ -171,7 +171,7 @@ get_ancillary_8 (GstVideoVBIParser * parser, GstVideoAncillary * anc)
     SDID = data[parser->offset + 4];
     DC = data[parser->offset + 5];
     /* Check if we have enough room to get the User Data */
-    if (parser->offset >= parser->work_data_size + SMALLEST_ANC_SIZE + DC)
+    if (parser->offset + SMALLEST_ANC_SIZE + DC >= parser->work_data_size)
       goto not_enough_data;
     /* We found a valid ANC \o/ */
--
2.7.4