Merge commit 'e7f5dacd55deeee8a866020b8463f829b2c5971f' into release/0.10

* commit 'e7f5dacd55deeee8a866020b8463f829b2c5971f':
  lzo: Handle integer overflow

Conflicts:
	libavutil/lzo.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>

1 files changed, 9 insertions, 1 deletions

diff --git a/libavutil/lzo.c b/libavutil/lzo.c
index 58878bce16..9e00da41a4 100644
--- a/libavutil/lzo.c
+++ b/libavutil/lzo.c
@@ -94,6 +94,10 @@ static inline int get_len(LZOContext *c, int x, int mask) {
 static inline void copy(LZOContext *c, int cnt) {
     register const uint8_t *src = c->in;
     register uint8_t *dst = c->out;
+    if (cnt < 0) {
+        c->error |= AV_LZO_ERROR;
+        return;
+    }
     if (cnt > c->in_end - src) {
         cnt = FFMAX(c->in_end - src, 0);
         c->error |= AV_LZO_INPUT_DEPLETED;
@@ -119,13 +123,17 @@ static inline void memcpy_backptr(uint8_t *dst, int back, int cnt);
 /**
  * @brief Copies previously decoded bytes to current position.
  * @param back how many bytes back we start, must be > 0
- * @param cnt number of bytes to copy, must be >= 0
+ * @param cnt number of bytes to copy, must be > 0
  *
  * cnt > back is valid, this will copy the bytes we just copied,
  * thus creating a repeating pattern with a period length of back.
  */
 static inline void copy_backptr(LZOContext *c, int back, int cnt) {
     register uint8_t *dst = c->out;
+    if (cnt <= 0) {
+        c->error |= AV_LZO_ERROR;
+        return;
+    }
     if (dst - c->out_start < back) {
         c->error |= AV_LZO_INVALID_BACKPTR;
         return;