$NetBSD: patch-CVE-2014-4610,v 1.1 2014/06/27 15:58:44 drochner Exp $
from ffmpeg 1.2.6->1.2.7
--- ffmpeg/libavutil/lzo.c.orig 2014-06-27 15:38:28.000000000 +0000
+++ ffmpeg/libavutil/lzo.c
@@ -20,6 +20,7 @@
 */
 #include "avutil.h"
+#include "avassert.h"
 #include "common.h"
 /// Avoid e.g. MPlayers fast_memcpy, it slows things down here.
 #undef memcpy
@@ -62,7 +63,13 @@ static inline int get_byte(LZOContext *c
 static inline int get_len(LZOContext *c, int x, int mask) {
 int cnt = x & mask;
 if (!cnt) {
- while (!(x = get_byte(c))) cnt += 255;
+ while (!(x = get_byte(c))) {
+ if (cnt >= INT_MAX - 1000) {
+ c->error |= AV_LZO_ERROR;
+ break;
+ }
+ cnt += 255;
+ }
 cnt += mask + x;
 }
 return cnt;
@@ -88,6 +95,7 @@ static inline int get_len(LZOContext *c,
 static inline void copy(LZOContext *c, int cnt) {
 register const uint8_t *src = c->in;
 register uint8_t *dst = c->out;
+ av_assert0(cnt >= 0);
 if (cnt > c->in_end - src) {
 cnt = FFMAX(c->in_end - src, 0);
 c->error |= AV_LZO_INPUT_DEPLETED;
@@ -119,9 +127,9 @@ static inline void memcpy_backptr(uint8_
 * thus creating a repeating pattern with a period length of back.
 */
 static inline void copy_backptr(LZOContext *c, int back, int cnt) {
- register const uint8_t *src = &c->out[-back];
 register uint8_t *dst = c->out;
- if (src < c->out_start || src > dst) {
+ av_assert0(cnt > 0);
+ if (dst - c->out_start < back) {
 c->error |= AV_LZO_INVALID_BACKPTR;
 return;
 }
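Review bot: The headroom constant in `if (cnt >= INT_MAX - 1000)` inside get_len is unexplained, so a reader cannot tell what the 1000 has to cover. A comment on that line would pin it down, for example `/* keep headroom so "cnt += mask + x" and callers' small additions cannot overflow int */`. After the `break`, the function still runs `cnt += mask + x` and returns a very large length with only `c->error` set. The protection therefore relies on callers testing `c->error`, or on the copy routines clamping the count, before the value is used. The callers are outside this hunk, so that should be confirmed.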
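Review bot: `av_assert0(cnt >= 0);` at the top of copy() turns an out-of-range length into a process abort, since av_assert0 is FFmpeg's always-enabled assert. For a decoder fed untrusted data that trades memory corruption for a crash of the host application. Failing the decode instead would let the caller recover: `if (cnt < 0) { c->error |= AV_LZO_ERROR; return; }`. The same applies to `av_assert0(cnt > 0);` in the copy_backptr hunk. If the asserts are kept as a backstop for the get_len cap, a short comment such as `/* cannot be negative once get_len() caps the run length */` would record why the invariant holds. The body of copy() continues past the end of the hunk.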
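Review bot: The new bounds test `if (dst - c->out_start < back) {` in copy_backptr no longer rejects a negative `back`, which the removed `src > dst` comparison did. With `back < 0` the left side is non-negative, so the condition is false and execution falls through to the copy. Whether any caller can produce a non-positive `back` is not visible in this hunk, so the check should state it explicitly: `if (back <= 0 || dst - c->out_start < back) {`. Note that `back == 0` passed both the old and the new test, so rejecting it is a small behaviour change worth confirming against the callers. The rest of copy_backptr lies outside the hunk.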