[FFmpeg-cvslog] lzo: Handle integer overflow

Luca Barbato git at videolan.org
Mon Jul 14 22:35:46 CEST 2014


ffmpeg | branch: release/2.2 | Luca Barbato <lu_zero at gentoo.org> | Thu Jun 19 23:26:58 2014 +0200| [6d899d0206e91a3a74680b47ec06ef1dbc151c21] | committer: Luca Barbato

lzo: Handle integer overflow

get_len can overflow for a specially crafted payload.

Reported-By: Don A. Baley <donb at securitymouse.com>
CC: libav-stable at libav.org
(cherry picked from commit ccda51b14c0fcae2fad73a24872dce75a7964996)
Signed-off-by: Luca Barbato <lu_zero at gentoo.org>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=6d899d0206e91a3a74680b47ec06ef1dbc151c21
---

 libavutil/lzo.c |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/libavutil/lzo.c b/libavutil/lzo.c
index 5c5ebc8..e458165 100644
--- a/libavutil/lzo.c
+++ b/libavutil/lzo.c
@@ -80,6 +80,10 @@ static inline void copy(LZOContext *c, int cnt)
 {
     register const uint8_t *src = c->in;
     register uint8_t *dst       = c->out;
+    if (cnt < 0) {
+        c->error |= AV_LZO_ERROR;
+        return;
+    }
     if (cnt > c->in_end - src) {
         cnt       = FFMAX(c->in_end - src, 0);
         c->error |= AV_LZO_INPUT_DEPLETED;
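Review bot: The `cnt < 0` guard at the top of copy(), like the `cnt <= 0` guard in copy_backptr() in the third hunk, only catches the overflow after it has happened. Signed int overflow is undefined behaviour in C, so the value is not guaranteed to arrive here negative. The commit message places the overflow in get_len, which this patch does not touch. Bounding the accumulation there would reject the input before the arithmetic wraps, for example something like `if (cnt >= INT_MAX - 1000) { c->error |= AV_LZO_ERROR; break; }` in its length loop, with these guards kept as a second check. If callers add a constant to get_len's result before passing it on (not visible here), that addition needs the same headroom; the rest of copy()'s body is also outside the hunk.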
@@ -103,7 +107,7 @@ static inline void copy(LZOContext *c, int cnt)
 /**
  * @brief Copies previously decoded bytes to current position.
  * @param back how many bytes back we start
- * @param cnt number of bytes to copy, must be >= 0
+ * @param cnt number of bytes to copy, must be > 0
  *
  * cnt > back is valid, this will copy the bytes we just copied,
  * thus creating a repeating pattern with a period length of back.
@@ -111,6 +115,10 @@ static inline void copy(LZOContext *c, int cnt)
 static inline void copy_backptr(LZOContext *c, int back, int cnt)
 {
     register uint8_t *dst       = c->out;
+    if (cnt <= 0) {
+        c->error |= AV_LZO_ERROR;
+        return;
+    }
     if (dst - c->out_start < back) {
         c->error |= AV_LZO_INVALID_BACKPTR;
         return;
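Review bot: The updated doc comment for copy_backptr() still words `cnt` as a caller precondition ("must be > 0"), but the guard added here makes a non-positive cnt a handled error, and the guard has no comment saying why such a value can occur. I would word the parameter as `@param cnt number of bytes to copy; values <= 0 set AV_LZO_ERROR and nothing is copied` and put `/* cnt can be non-positive if the length computation overflowed */` above the check. copy() in the first hunk still accepts cnt == 0 while this function now rejects it; if that asymmetry is intended, it is worth stating in both doc comments. The body of copy_backptr() continues past the end of the hunk.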


