lzo: Handle integer overflow
get_len can overflow for specially crafted payload.
Reported-By: Don A. Baley <donb@securitymouse.com>
CC: libav-stable@libav.org
(cherry picked from commit ccda51b14c)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
Conflicts:
libavutil/lzo.c
This commit is contained in:
parent
9c7321e2b8
commit
e7f5dacd55
1 changed files with 9 additions and 1 deletions
|
|
@ -88,6 +88,10 @@ static inline int get_len(LZOContext *c, int x, int mask) {
|
|||
static inline void copy(LZOContext *c, int cnt) {
|
||||
register const uint8_t *src = c->in;
|
||||
register uint8_t *dst = c->out;
|
||||
if (cnt < 0) {
|
||||
c->error |= AV_LZO_ERROR;
|
||||
return;
|
||||
}
|
||||
if (cnt > c->in_end - src) {
|
||||
cnt = FFMAX(c->in_end - src, 0);
|
||||
c->error |= AV_LZO_INPUT_DEPLETED;
|
||||
|
|
@ -113,13 +117,17 @@ static inline void memcpy_backptr(uint8_t *dst, int back, int cnt);
|
|||
/**
|
||||
* @brief Copies previously decoded bytes to current position.
|
||||
* @param back how many bytes back we start
|
||||
* @param cnt number of bytes to copy, must be >= 0
|
||||
* @param cnt number of bytes to copy, must be > 0
|
||||
*
|
||||
* cnt > back is valid, this will copy the bytes we just copied,
|
||||
* thus creating a repeating pattern with a period length of back.
|
||||
*/
|
||||
static inline void copy_backptr(LZOContext *c, int back, int cnt) {
|
||||
register uint8_t *dst = c->out;
|
||||
if (cnt <= 0) {
|
||||
c->error |= AV_LZO_ERROR;
|
||||
return;
|
||||
}
|
||||
if (dst - c->out_start < back) {
|
||||
c->error |= AV_LZO_INVALID_BACKPTR;
|
||||
return;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue