avutil/lzo: Fix integer overflow

Embargoed-till: 2014-06-27 requested by researcher, but embargo broken by libav today (git and mailing list) Fixes: LMS-2014-06-16-4 Found-by: "Don A. Bailey" <donb@securitymouse.com> See: ccda51b14c0fcae2fad73a24872dce75a7964996 Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit d6af26c55c1ea30f85a7d9edbc373f53be1743ee) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2014-06-20 03:15:28 +0200
committer: Michael Niedermayer <michaelni@gmx.at> 2014-06-25 16:35:25 +0200
commit: 083d0b7b2d928185d7cadff7b4f558c8d8557939 (patch)
tree: 0fa6084f072e3fdd74704da5d4a71033149a733d
parent: 1e9ae5dbbd676b53906d3340b5acaf0e77cb6d00 (diff)
download: ffmpeg-083d0b7b2d928185d7cadff7b4f558c8d8557939.tar.gz
1 files changed, 6 insertions, 1 deletions
diff --git a/libavutil/lzo.c b/libavutil/lzo.c
index 221a66b9ab..82dba94771 100644
--- a/libavutil/lzo.c
+++ b/libavutil/lzo.c
@@ -65,8 +65,13 @@ static inline int get_len(LZOContext *c, int x, int mask)
 {
     int cnt = x & mask;
     if (!cnt) {
-        while (!(x = get_byte(c)))
+        while (!(x = get_byte(c))) {
+            if (cnt >= INT_MAX - 1000) {
+                c->error |= AV_LZO_ERROR;
+                break;
+            }
             cnt += 255;
+        }
         cnt += mask + x;
     }
     return cnt;
author	Michael Niedermayer <michaelni@gmx.at>	2014-06-20 03:15:28 +0200
committer	Michael Niedermayer <michaelni@gmx.at>	2014-06-25 16:35:25 +0200
commit	083d0b7b2d928185d7cadff7b4f558c8d8557939 (patch)
tree	0fa6084f072e3fdd74704da5d4a71033149a733d
parent	1e9ae5dbbd676b53906d3340b5acaf0e77cb6d00 (diff)
download	ffmpeg-083d0b7b2d928185d7cadff7b4f558c8d8557939.tar.gz