From 8c3a0610fd146ee923d1cf8feab5810a85f35bad Mon Sep 17 00:00:00 2001
From: Gustavo Pichorim Boiko <gustavo.boiko@canonical.com>
Date: Wed, 21 Sep 2022 05:30:44 +0300
Subject: [PATCH] SF #11 Caption is not checking for bounds of class and c2
 correctly

This fixes some array bounds checks that were off by one in the
xds_separator function in caption.c. If class == 4 or c2 == 24 then the
xds_sub_packet "sp" would be set from memory outside the cc->sub_packet
array.

Closes Github issue #16
---
 src/caption.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/caption.c b/src/caption.c
index 0c59023..004280c 100644
--- a/src/caption.c
+++ b/src/caption.c
@@ -610,8 +610,8 @@ xds_separator(vbi_decoder *vbi, uint8_t *buf)
 	case 1 ... 14:
 		class = (c1 - 1) >> 1;
 
-		if (class > elements(cc->sub_packet)
-		    || c2 > (int) elements(cc->sub_packet[0])) {
+		if (class >= elements(cc->sub_packet)
+		    || c2 >= (int) elements(cc->sub_packet[0])) {
 			XDS_SEP_DEBUG(printf("XDS ignore packet %d/0x%02x\n", class, c2));
 			cc->curr_sp = NULL;
 			return;