From 28ee420508b3fcfc0c9ba5166ee3365e364be531 Mon Sep 17 00:00:00 2001
From: wm4 <wm4@nowhere>
Date: Mon, 31 Aug 2015 12:15:01 +0200
Subject: fontselect: add bounds checking for memory font stream reads

---
 libass/ass_fontselect.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libass/ass_fontselect.c b/libass/ass_fontselect.c
index dc143c4..02d0bc4 100644
--- a/libass/ass_fontselect.c
+++ b/libass/ass_fontselect.c
@@ -145,6 +145,12 @@ get_data_embedded(void *data, unsigned char *buf, size_t offset, size_t len)
     if (buf == NULL)
         return fd[i].size;
 
+    if (offset >= fd[i].size)
+        return 0;
+
+    if (len > fd[i].size - offset)
+        len = fd[i].size - offset;
+
     memcpy(buf, fd[i].data + offset, len);
     return len;
 }
-- 
cgit v1.2.3