head 1.2; access; symbols pkgsrc-2014Q2:1.1.0.2 pkgsrc-2014Q2-base:1.1; locks; strict; comment @# @; 1.2 date 2014.07.04.10.33.41; author adam; state dead; branches; next 1.1; commitid eEMyz0kU5Rsj03Hx; 1.1 date 2014.06.27.17.27.39; author drochner; state Exp; branches; next ; commitid BeRcbtzWBwvswbGx; desc @@ 1.2 log @Changes 1.2.7: avformat/mpc: attempt to allocate a packet that is not smaller than the data inside it avcodec/alsdec: Clear MPEG4AudioConfig so that no use of uninitialized memory is possible avformat/flvenc: Do not allow creating h263/mpeg4 in flv without unofficial format extensions being enabled avcodec/mss4: Fix () in MKVAL() macro avcodec/mss34dsp: fix () in SOP* macros avcodec/mlpdec: fix () in MSB_MASK() macro avcodec/golomb-test: fix () in EXTEND() macro avcodec/aac: fix () in IS_CODEBOOK_UNSIGNED macro avcodec/libvorbisenc: dont add the duration to AV_NOPTS_VALUE avutil/cpu: force mmx on selection of higher x86 SIMD features avcodec/diracdec: move mc buffer allocation to per frame avfilter/graphdump: Fix pointer to local outside scope more... 
@ text @$NetBSD: patch-CVE-2014-4610,v 1.1 2014/06/27 17:27:39 drochner Exp $
--- libavutil/lzo.c.orig 2014-06-27 16:32:34.000000000 +0000
+++ libavutil/lzo.c
@@@@ -22,6 +22,7 @@@@
 #include
 #include "avutil.h"
+#include "avassert.h"
 #include "common.h"
 #include "intreadwrite.h"
 #include "lzo.h"
@@@@ -65,8 +66,13 @@@@ static inline int get_len(LZOContext *c,
 {
 int cnt = x & mask;
 if (!cnt) {
- while (!(x = get_byte(c)))
+ while (!(x = get_byte(c))) {
+ if (cnt >= INT_MAX - 1000) {
+ c->error |= AV_LZO_ERROR;
+ break;
+ }
 cnt += 255;
+ }
 cnt += mask + x;
 }
 return cnt;
@@@@ -80,6 +86,7 @@@@ static inline void copy(LZOContext *c, i
 {
 register const uint8_t *src = c->in;
 register uint8_t *dst = c->out;
+ av_assert0(cnt >= 0);
 if (cnt > c->in_end - src) {
 cnt = FFMAX(c->in_end - src, 0);
 c->error |= AV_LZO_INPUT_DEPLETED;
@@@@ -110,9 +117,9 @@@@ static inline void copy(LZOContext *c, i
 */
 static inline void copy_backptr(LZOContext *c, int back, int cnt)
 {
- register const uint8_t *src = &c->out[-back];
 register uint8_t *dst = c->out;
- if (src < c->out_start || src > dst) {
+ av_assert0(cnt > 0);
+ if (dst - c->out_start < back) {
 c->error |= AV_LZO_INVALID_BACKPTR;
 return;
 }
@ 1.1 log @add patch from 1.2.7 to fix recent integer overflow, bump PKGREV (update to 1.2.7 will be done after the freeze) @ text @d1 1 a1 1 $NetBSD$ @
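Review bot: The `1000` in `if (cnt >= INT_MAX - 1000)` inside get_len() is an unexplained margin, and nothing in the hunk says what it has to cover. From the visible lines it must at least absorb the following `cnt += 255` and `cnt += mask + x`; presumably it also leaves room for small constants that callers add to the returned length, but those callers are outside the hunk. A comment above the check would make the invariant reviewable, for example `/* keep cnt far enough below INT_MAX that += 255, + mask + x and the caller's small offsets cannot overflow */`. Note also that after the `break` the function still returns a value close to INT_MAX with only `c->error` set, so the safety of the result depends on the clamping done in copy() and copy_backptr(); that dependency deserves a sentence in the same comment.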
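Review bot: `av_assert0(cnt >= 0);` in copy() turns a negative count into a process abort, while every other bad-input path touched by this patch records the problem in `c->error` and carries on. If a negative `cnt` can still be derived from the compressed stream, a malformed file would terminate the host application instead of yielding a decode error. If the assert only documents an invariant that the get_len() change already guarantees, say so in a comment; otherwise `if (cnt < 0) { c->error |= AV_LZO_ERROR; return; }` would match the surrounding error handling. The same consideration applies to `av_assert0(cnt > 0);` in copy_backptr() in the last hunk. The body of copy() continues outside this hunk.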
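Review bot: The new bound `if (dst - c->out_start < back)` in copy_backptr() only rejects an offset that reaches before `out_start`; the removed `src > dst` half of the old test also rejected a negative `back`, which the new comparison lets through. This is harmless if callers can only produce positive offsets, but they are outside the hunk, so the assumption is not checkable here. Either state it in a comment next to the check or keep the old coverage explicitly with `if (back < 0 || dst - c->out_start < back) {`. Comparing distances instead of forming `&c->out[-back]` is the right direction, since it avoids computing an out-of-range pointer before validating it. The rest of the function body lies outside the hunk.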