avutil/lzo: Fix integer overflow

Embargoed-till: 2014-06-27 requested by researcher, but embargo broken by libav today (git and mailing list)

Fixes: LMS-2014-06-16-4
Found-by: "Don A. Bailey" <donb@securitymouse.com>
See: ccda51b14c
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2014-06-20 03:15:28 +02:00
parent b222e0773c
commit d6af26c55c
1 changed files with 6 additions and 1 deletions

View File

@ -65,8 +65,13 @@ static inline int get_len(LZOContext *c, int x, int mask)
{
int cnt = x & mask;
if (!cnt) {
while (!(x = get_byte(c)))
while (!(x = get_byte(c))) {
if (cnt >= INT_MAX - 1000) {
c->error |= AV_LZO_ERROR;
break;
}
cnt += 255;
}
cnt += mask + x;
}
return cnt;