svcdsub: Fix potential buffer overrun

https://hackerone.com/reports/504722

Signed-off-by: Hugo Beauzée-Luyssen <hugo@beauzee.fr>

modules/codec/svcdsub.c

@@ -366,17 +366,29 @@ static void ParseHeader( decoder_t *p_dec, block_t *p_block )
 {
     decoder_sys_t *p_sys = p_dec->p_sys;
     uint8_t *p = p_block->p_buffer;
+    size_t i_buffer = p_block->i_buffer;
     uint8_t i_options, i_cmd;
     int i;
 
+    if (i_buffer < 4) return;
+
     p_sys->i_spu_size = GETINT16(p);
     i_options  = *p++;
     // Skip over unused value
     p++;
 
-    if( i_options & 0x08 ) { p_sys->i_duration = FROM_SCALE_NZ(GetDWBE(p)); p += 4; }
+    i_buffer -= 4;
+
+    if( i_options & 0x08 ) {
+      if (i_buffer < 4) return;
+      p_sys->i_duration = FROM_SCALE_NZ(GetDWBE(p));
+      p += 4;
+      i_buffer -= 4;
+    }
     else p_sys->i_duration = 0; /* Ephemer subtitle */
 
+    if (i_buffer < 25) return;
+
     p_sys->i_x_start = GETINT16(p);
     p_sys->i_y_start = GETINT16(p);
     p_sys->i_width   = GETINT16(p);
@@ -391,12 +403,21 @@ static void ParseHeader( decoder_t *p_dec, block_t *p_block )
     }
 
     i_cmd = *p++;
+
+    i_buffer -= 25;
+
     /* We do not really know this, FIXME */
-    if( i_cmd ) { p += 4; }
+    if( i_cmd ) {
+      if (i_buffer < 4) return;
+      p += 4;
+      i_buffer -= 4;
+    }
 
     /* Actually, this is measured against a different origin, so we have to
      * adjust it */
+    if (i_buffer < 2) return;
     p_sys->second_field_offset = GETINT16(p);
+    i_buffer -= 2;
     p_sys->i_image_offset  = p - p_block->p_buffer;
     p_sys->i_image_length  = p_sys->i_spu_size - p_sys->i_image_offset;
     p_sys->metadata_length = p_sys->i_image_offset;