avutil/lzo: Fix integer overflow

Embargoed-till: 2014-06-27 requested by researcher, but embargo broken by libav today (git and mailing list) Fixes: LMS-2014-06-16-4 Found-by: "Don A. Bailey" <donb@securitymouse.com> See: ccda51b1Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

avutil/lzo: Fix integer overflow
Embargoed-till: 2014-06-27 requested by researcher, but embargo broken by libav today (git and mailing list) Fixes: LMS-2014-06-16-4 Found-by: "Don A. Bailey" <donb@securitymouse.com> See: ccda51b1Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
d6af26c5 · Michael Niedermayer · b222e077 · d6af26c5
Commit d6af26c5 authored Jun 20, 2014 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 1 deletion

lzo.c libavutil/lzo.c +6 -1

No files found.
--- a/libavutil/lzo.c
+++ b/libavutil/lzo.c
@@ -65,8 +65,13 @@ static inline int get_len(LZOContext *c, int x, int mask)
 {
    int cnt = x & mask;
    if (!cnt) {
-        while (!(x = get_byte(c)))
+        while (!(x = get_byte(c))) {
+            if (cnt >= INT_MAX - 1000) {
+                c->error |= AV_LZO_ERROR;
+                break;
+            }
            cnt += 255;
+        }
        cnt += mask + x;
    }
    return cnt;