From cf0ef3dc3436104ee0c63259d0f950c824e94a4e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= <Reimar.Doeffinger@gmx.de>
Date: Sat, 27 Jan 2007 14:15:03 +0000
Subject: [PATCH] Fix buffer end checks in lzo copy code to work in all cases.

Originally committed as revision 7731 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/lzo.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/lzo.c b/libavcodec/lzo.c
index 8fc3ec845f..eed3b8cf56 100644
--- a/libavcodec/lzo.c
+++ b/libavcodec/lzo.c
@@ -67,11 +67,11 @@ static inline int get_len(LZOContext *c, int x, int mask) {
 static inline void copy(LZOContext *c, int cnt) {
     register uint8_t *src = c->in;
     register uint8_t *dst = c->out;
-    if (src + cnt > c->in_end) {
+    if (src + cnt > c->in_end || src + cnt < src) {
         cnt = c->in_end - src;
         c->error |= LZO_INPUT_DEPLETED;
     }
-    if (dst + cnt > c->out_end) {
+    if (dst + cnt > c->out_end || dst + cnt < dst) {
         cnt = c->out_end - dst;
         c->error |= LZO_OUTPUT_FULL;
     }
@@ -101,11 +101,11 @@ static inline void copy(LZOContext *c, int cnt) {
 static inline void copy_backptr(LZOContext *c, int back, int cnt) {
     register uint8_t *src = &c->out[-back];
     register uint8_t *dst = c->out;
-    if (src < c->out_start) {
+    if (src < c->out_start || src > dst) {
         c->error |= LZO_INVALID_BACKPTR;
         return;
     }
-    if (dst + cnt > c->out_end) {
+    if (dst + cnt > c->out_end || dst +  cnt < dst) {
         cnt = c->out_end - dst;
         c->error |= LZO_OUTPUT_FULL;
     }