Index: libs/libavcodec/dvbsubdec.c
===================================================================
--- libs/libavcodec/dvbsubdec.c (revision 9788)
+++ libs/libavcodec/dvbsubdec.c (working copy)
@@ -765,7 +765,7 @@
 y_pos++;
 while (buf < buf_end) {
- if (x_pos >= region->width || y_pos >= region->height) {
+ if (x_pos > region->width || y_pos > region->height) {
 av_log(avctx, AV_LOG_ERROR, "Invalid object location!\n");
 return;
 }
@@ -779,6 +779,11 @@
 else map_table = NULL;
+ if (y_pos >= region->height) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid y position!\n");
+ return;
+ }
+
 x_pos += dvbsub_read_2bit_string(pbuf + (y_pos * region->width) + x_pos, region->width - x_pos, &buf, buf_size, non_mod, map_table);
@@ -794,6 +799,11 @@
 else map_table = NULL;
+ if (y_pos >= region->height) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid y position!\n");
+ return;
+ }
+
 x_pos += dvbsub_read_4bit_string(pbuf + (y_pos * region->width) + x_pos, region->width - x_pos, &buf, buf_size, non_mod, map_table);
@@ -804,6 +814,11 @@
 return;
 }
+ if (y_pos >= region->height) {
+ av_log(avctx, AV_LOG_ERROR, "Invalid y position!\n");
+ return;
+ }
+
 x_pos += dvbsub_read_8bit_string(pbuf + (y_pos * region->width) + x_pos, region->width - x_pos, &buf, buf_size, non_mod, NULL);
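Review bot: Relaxing the loop-top test to `>` means `y_pos == region->height` is no longer rejected in one place, so every branch that indexes `pbuf` with `y_pos * region->width` now has to carry its own row check. The later hunks add one before the 2-, 4- and 8-bit string calls, but the remaining switch cases lie outside this diff and should be confirmed not to write through `pbuf`. If only the x bound needed loosening, `if (x_pos > region->width || y_pos >= region->height) {` would keep the row bound centralised and make the three added guards unnecessary. The while loop and its switch continue outside the hunk.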
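Review bot: The added guard checks only `y_pos`, while the loop-top test now admits `x_pos == region->width`, so this call can be reached with a destination at the start of the following row and a length of `region->width - x_pos` equal to 0. That is safe only if dvbsub_read_2bit_string writes nothing for a zero length, which is not visible here. The same five-line block is repeated before the 4-bit and 8-bit calls (hunks at 794 and 804), where the same point applies. A comment such as `/* loop-top check admits y_pos == region->height; reject it before indexing pbuf */` would explain the repetition. Logging the offending values, e.g. `av_log(avctx, AV_LOG_ERROR, "Invalid y position %d (height %d)!\n", y_pos, region->height);` (assuming both are int), would make a malformed stream easier to triage.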