[SCM] libav/wheezy-security: lzo: Handle integer overflow
siretart at users.alioth.debian.org
siretart at users.alioth.debian.org
Wed Jul 2 23:17:00 UTC 2014
The following commit has been merged in the wheezy-security branch:
commit e7f5dacd55deeee8a866020b8463f829b2c5971f
Author: Luca Barbato <lu_zero at gentoo.org>
Date: Thu Jun 19 23:26:58 2014 +0200
lzo: Handle integer overflow
get_len can overflow for specially crafted payload.
Reported-By: Don A. Baley <donb at securitymouse.com>
CC: libav-stable at libav.org
(cherry picked from commit ccda51b14c0fcae2fad73a24872dce75a7964996)
Signed-off-by: Luca Barbato <lu_zero at gentoo.org>
Conflicts:
libavutil/lzo.c
diff --git a/libavutil/lzo.c b/libavutil/lzo.c
index e49b83e..0c497a5 100644
--- a/libavutil/lzo.c
+++ b/libavutil/lzo.c
@@ -88,6 +88,10 @@ static inline int get_len(LZOContext *c, int x, int mask) {
static inline void copy(LZOContext *c, int cnt) {
register const uint8_t *src = c->in;
register uint8_t *dst = c->out;
+ if (cnt < 0) {
+ c->error |= AV_LZO_ERROR;
+ return;
+ }
if (cnt > c->in_end - src) {
cnt = FFMAX(c->in_end - src, 0);
c->error |= AV_LZO_INPUT_DEPLETED;
@@ -113,13 +117,17 @@ static inline void memcpy_backptr(uint8_t *dst, int back, int cnt);
/**
* @brief Copies previously decoded bytes to current position.
* @param back how many bytes back we start
- * @param cnt number of bytes to copy, must be >= 0
+ * @param cnt number of bytes to copy, must be > 0
*
* cnt > back is valid, this will copy the bytes we just copied,
* thus creating a repeating pattern with a period length of back.
*/
static inline void copy_backptr(LZOContext *c, int back, int cnt) {
register uint8_t *dst = c->out;
+ if (cnt <= 0) {
+ c->error |= AV_LZO_ERROR;
+ return;
+ }
if (dst - c->out_start < back) {
c->error |= AV_LZO_INVALID_BACKPTR;
return;
--
Libav/FFmpeg packaging
More information about the pkg-multimedia-commits
mailing list