--- gst-plugins-bad1.0-1.18.4.orig/gst/dvdspu/gstspu-pgs.c
+++ gst-plugins-bad1.0-1.18.4/gst/dvdspu/gstspu-pgs.c
@@ -593,6 +593,9 @@ parse_set_object_data (GstDVDSpu * dvdsp
     obj->rle_data_size = GST_READ_UINT24_BE (payload);
     payload += 3;
 
+    if (end - payload > obj->rle_data_size)
+      return 0;
+
     PGS_DUMP ("%d bytes of RLE data, of %d bytes total.\n",
         (int) (end - payload), obj->rle_data_size);
 
@@ -604,7 +607,8 @@ parse_set_object_data (GstDVDSpu * dvdsp
     PGS_DUMP ("%d bytes of additional RLE data\n", (int) (end - payload));
     /* Check that the data chunk is for this object version, and fits in the buffer */
     if (obj->rle_data_ver == obj_ver &&
-        obj->rle_data_used + end - payload <= obj->rle_data_size) {
+        end - payload <= obj->rle_data_size &&
+        obj->rle_data_used <= obj->rle_data_size - (end - payload)) {
 
       memcpy (obj->rle_data + obj->rle_data_used, payload, end - payload);
       obj->rle_data_used += end - payload;