From ccda51b14c0fcae2fad73a24872dce75a7964996 Mon Sep 17 00:00:00 2001
From: Luca Barbato
Date: Thu, 19 Jun 2014 23:26:58 +0200
Subject: lzo: Handle integer overflow

get_len can overflow for specially crafted payload.

Reported-By: Don A. Baley
CC: libav-stable@libav.org
---
 libavutil/lzo.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
(limited to 'libavutil/lzo.c')

diff --git a/libavutil/lzo.c b/libavutil/lzo.c
index 5c5ebc850a..e458165261 100644
--- a/libavutil/lzo.c
+++ b/libavutil/lzo.c
@@ -80,6 +80,10 @@ static inline void copy(LZOContext *c, int cnt)
 {
 register const uint8_t *src = c->in;
 register uint8_t *dst = c->out;
+ if (cnt < 0) {
+ c->error |= AV_LZO_ERROR;
+ return;
+ }
 if (cnt > c->in_end - src) {
 cnt = FFMAX(c->in_end - src, 0);
 c->error |= AV_LZO_INPUT_DEPLETED;
@@ -103,7 +107,7 @@ static inline void copy(LZOContext *c, int cnt)
 /**
 * @brief Copies previously decoded bytes to current position.
 * @param back how many bytes back we start
- * @param cnt number of bytes to copy, must be >= 0
+ * @param cnt number of bytes to copy, must be > 0
 *
 * cnt > back is valid, this will copy the bytes we just copied,
 * thus creating a repeating pattern with a period length of back.
@@ -111,6 +115,10 @@ static inline void copy(LZOContext *c, int cnt)
 static inline void copy_backptr(LZOContext *c, int back, int cnt)
 {
 register uint8_t *dst = c->out;
+ if (cnt <= 0) {
+ c->error |= AV_LZO_ERROR;
+ return;
+ }
 if (dst - c->out_start < back) {
 c->error |= AV_LZO_INVALID_BACKPTR;
 return;
--
cgit v1.2.3
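Review bot: The `cnt < 0` guard added at the top of copy() detects the overflow only after it has happened, and only if the wrapped value comes out negative. The commit message locates the overflow in get_len, which is not part of this diff; if it accumulates into a signed `int`, the overflow itself is undefined behaviour, so a compiler is not required to hand copy() a negative value. Consider also bounding the length inside get_len before each addition and setting `c->error |= AV_LZO_ERROR` there, keeping this guard as a second line of defence. copy()'s body continues past the end of the hunk.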
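Review bot: copy_backptr() now rejects `cnt == 0`, while the guard added to copy() in the first hunk rejects only `cnt < 0`, and nothing next to the check says why the two differ. The doc comment was updated to `must be > 0` in the previous hunk, but a short comment at the check would make the intent explicit, for example `/* a back-reference length <= 0 is never valid; it indicates a wrapped length from the caller */` (wording to be confirmed against the callers, which are outside this diff). It is also worth confirming that every caller checks `c->error` after this early return, since `c->out` is left unchanged. The function body continues past the end of the hunk.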