$NetBSD: patch-CVE-2014-4610,v 1.1 2014/06/27 15:58:44 drochner Exp $
from ffmpeg 1.2.6->1.2.7
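--- a/ffmpeg/libavutil/lzo.c
+++ b/ffmpeg/libavutil/lzo.c
@@ -20,6 +20,7 @@
 */
 
 #include "avutil.h"
+#include "avassert.h"
 #include "common.h"
 /// Avoid e.g. MPlayers fast_memcpy, it slows things down here.
 #undef memcpy
@@ -62,7 +63,13 @@ static inline int get_byte(LZOContext *c
 static inline int get_len(LZOContext *c, int x, int mask) {
 int cnt = x & mask;
 if (!cnt) {
- while (!(x = get_byte(c))) cnt += 255;
+ while (!(x = get_byte(c))) {
+ if (cnt >= INT_MAX - 1000) {
+ c->error |= AV_LZO_ERROR;
+ break;
+ }
+ cnt += 255;
+ }
 cnt += mask + x;
 }
 return cnt;
@@ -88,6 +95,7 @@ static inline int get_len(LZOContext *c,
 static inline void copy(LZOContext *c, int cnt) {
 register const uint8_t *src = c->in;
 register uint8_t *dst = c->out;
+ av_assert0(cnt >= 0);
 if (cnt > c->in_end - src) {
 cnt = FFMAX(c->in_end - src, 0);
 c->error |= AV_LZO_INPUT_DEPLETED;
@@ -119,9 +127,9 @@ static inline void memcpy_backptr(uint8_
 * thus creating a repeating pattern with a period length of back.
 */
 static inline void copy_backptr(LZOContext *c, int back, int cnt) {
- register const uint8_t *src = &c->out[-back];
 register uint8_t *dst = c->out;
- if (src < c->out_start || src > dst) {
+ av_assert0(cnt > 0);
+ if (dst - c->out_start < back) {
 c->error |= AV_LZO_INVALID_BACKPTR;
 return;
 }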
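Review bot: The new bounds check in copy_backptr, `if (dst - c->out_start < back)`, only rejects a `back` larger than the number of bytes already written, whereas the removed `src > dst` test also rejected a negative `back`. The callers are not part of this patch, so whether `back` can ever be zero or negative is not visible here. If it can, the check should fail closed through the existing error path rather than rely on the caller, for example `if (back <= 0 || dst - c->out_start < back) {`. If the decoder does guarantee a positive distance, a one-line comment stating that invariant next to `av_assert0(cnt > 0);` would make the narrowing deliberate. The body of copy_backptr continues past the end of this hunk, so later clamping of `cnt` could not be checked.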