Commit ccda51b1 authored by Luca Barbato's avatar Luca Barbato

lzo: Handle integer overflow

get_len can overflow for specially crafted payload.
Reported-By: Don A. Baley <donb@securitymouse.com>
CC: libav-stable@libav.org
parent e121ac63
...@@ -80,6 +80,10 @@ static inline void copy(LZOContext *c, int cnt) ...@@ -80,6 +80,10 @@ static inline void copy(LZOContext *c, int cnt)
{ {
register const uint8_t *src = c->in; register const uint8_t *src = c->in;
register uint8_t *dst = c->out; register uint8_t *dst = c->out;
if (cnt < 0) {
c->error |= AV_LZO_ERROR;
return;
}
if (cnt > c->in_end - src) { if (cnt > c->in_end - src) {
cnt = FFMAX(c->in_end - src, 0); cnt = FFMAX(c->in_end - src, 0);
c->error |= AV_LZO_INPUT_DEPLETED; c->error |= AV_LZO_INPUT_DEPLETED;
...@@ -103,7 +107,7 @@ static inline void copy(LZOContext *c, int cnt) ...@@ -103,7 +107,7 @@ static inline void copy(LZOContext *c, int cnt)
/** /**
* @brief Copies previously decoded bytes to current position. * @brief Copies previously decoded bytes to current position.
* @param back how many bytes back we start * @param back how many bytes back we start
* @param cnt number of bytes to copy, must be >= 0 * @param cnt number of bytes to copy, must be > 0
* *
* cnt > back is valid, this will copy the bytes we just copied, * cnt > back is valid, this will copy the bytes we just copied,
* thus creating a repeating pattern with a period length of back. * thus creating a repeating pattern with a period length of back.
...@@ -111,6 +115,10 @@ static inline void copy(LZOContext *c, int cnt) ...@@ -111,6 +115,10 @@ static inline void copy(LZOContext *c, int cnt)
static inline void copy_backptr(LZOContext *c, int back, int cnt) static inline void copy_backptr(LZOContext *c, int back, int cnt)
{ {
register uint8_t *dst = c->out; register uint8_t *dst = c->out;
if (cnt <= 0) {
c->error |= AV_LZO_ERROR;
return;
}
if (dst - c->out_start < back) { if (dst - c->out_start < back) {
c->error |= AV_LZO_INVALID_BACKPTR; c->error |= AV_LZO_INVALID_BACKPTR;
return; return;
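Review bot: The new `if (cnt < 0)` guard in copy() and the `if (cnt <= 0)` guard in copy_backptr() only test for the overflow after it has happened, so they depend on the overflowed length arriving as a negative int. The commit message places the overflow in get_len, which is outside these hunks; if its accumulator is a signed int, that overflow is undefined behaviour, and because these helpers are static inline a compiler could in principle assume cnt is non-negative and drop the checks. It would be more robust to bound the running total inside get_len and set `c->error |= AV_LZO_ERROR` there before the addition can wrap, keeping the guards here as a second line of defence. Both function bodies continue past the lines shown.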