From 874da652b307fe0d2bec08fc5916a9a82537f40c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Fri, 30 Dec 2011 10:37:33 +0100 Subject: [PATCH] Avoid av_memcpy_backptr hang without extra branch. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This only happens for a "back" value of 0 which is invalid anyway, but lcldec does not properly validate input. Also extend the documentation to specify valid values. Signed-off-by: Reimar Döffinger --- libavutil/lzo.c | 6 +++--- libavutil/lzo.h | 5 ++++- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/libavutil/lzo.c b/libavutil/lzo.c index 0b9d2e42ba..3642308100 100644 --- a/libavutil/lzo.c +++ b/libavutil/lzo.c @@ -112,7 +112,7 @@ static inline void memcpy_backptr(uint8_t *dst, int back, int cnt); /** * @brief Copies previously decoded bytes to current position. - * @param back how many bytes back we start + * @param back how many bytes back we start, must be > 0 * @param cnt number of bytes to copy, must be >= 0 * * cnt > back is valid, this will copy the bytes we just copied, @@ -135,9 +135,9 @@ static inline void copy_backptr(LZOContext *c, int back, int cnt) { static inline void memcpy_backptr(uint8_t *dst, int back, int cnt) { const uint8_t *src = &dst[-back]; - if (back == 1) { + if (back <= 1) { memset(dst, *src, cnt); - } else if(back>0) { + } else { #ifdef OUTBUF_PADDED COPY2(dst, src); COPY2(dst + 2, src + 2); diff --git a/libavutil/lzo.h b/libavutil/lzo.h index d60d8d7487..379c08c8c7 100644 --- a/libavutil/lzo.h +++ b/libavutil/lzo.h @@ -62,11 +62,14 @@ int av_lzo1x_decode(void *out, int *outlen, const void *in, int *inlen); /** * @brief deliberately overlapping memcpy implementation * @param dst destination buffer; must be padded with 12 additional bytes - * @param back how many bytes back we start (the initial size of the overlapping window) + * @param back how many bytes back we start (the initial size of the overlapping window), must be > 0 * @param cnt number of bytes to copy, must be >= 0 * * cnt > back is valid, this will copy the bytes we just copied, * thus creating a repeating pattern with a period length of back. + * Note that lcldec currently can set back == 0 - which is wrong and + * makes no sense, but the code should at least avoid crashing or hanging + * for this case. */ void av_memcpy_backptr(uint8_t *dst, int back, int cnt);