lzo: Handle integer overflow

get_len can overflow for specially crafted payload. Reported-By: Don A. Baley <donb@securitymouse.com> CC: libav-stable@libav.org

lzo: Handle integer overflow
get_len can overflow for specially crafted payload. Reported-By: Don A. Baley <donb@securitymouse.com> CC: libav-stable@libav.org
ccda51b1 · Luca Barbato · e121ac63 · ccda51b1
Commit ccda51b1 authored Jun 19, 2014 by Luca Barbato
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 1 deletion

lzo.c libavutil/lzo.c +9 -1

No files found.
--- a/libavutil/lzo.c
+++ b/libavutil/lzo.c
@@ -80,6 +80,10 @@ static inline void copy(LZOContext *c, int cnt)
 {
    register const uint8_t *src = c->in;
    register uint8_t *dst       = c->out;
+    if (cnt < 0) {
+        c->error |= AV_LZO_ERROR;
+        return;
+    }
    if (cnt > c->in_end - src) {
        cnt       = FFMAX(c->in_end - src, 0);
        c->error |= AV_LZO_INPUT_DEPLETED;
@@ -103,7 +107,7 @@ static inline void copy(LZOContext *c, int cnt)
 /**
 * @brief Copies previously decoded bytes to current position.
 * @param back how many bytes back we start
- * @param cnt number of bytes to copy, must be >= 0
+ * @param cnt number of bytes to copy, must be > 0
 *
 * cnt > back is valid, this will copy the bytes we just copied,
 * thus creating a repeating pattern with a period length of back.
@@ -111,6 +115,10 @@ static inline void copy(LZOContext *c, int cnt)
 static inline void copy_backptr(LZOContext *c, int back, int cnt)
 {
    register uint8_t *dst       = c->out;
+    if (cnt <= 0) {
+        c->error |= AV_LZO_ERROR;
+        return;
+    }
    if (dst - c->out_start < back) {
        c->error |= AV_LZO_INVALID_BACKPTR;
        return;