head 1.2; access; symbols pkgsrc-2014Q2:1.1.0.2 pkgsrc-2014Q2-base:1.1; locks; strict; comment @# @; 1.2 date 2014.07.09.12.48.59; author he; state dead; branches; next 1.1; commitid irxOUnlLrJgRAHHx; 1.1 date 2014.06.27.17.58.09; author drochner; state Exp; branches; next ; commitid qDh8SrqhXexaHbGx; desc @@ 1.2 log @Upgrade ffmpeg010 to version 0.10.14 as of 2014-06-29. Among the fixes are an integer overflow in lzo, corresponding to CVE-2014-4610. @ text @$NetBSD: patch-CVE-2014-4610,v 1.1 2014/06/27 17:58:09 drochner Exp $
--- libavutil/lzo.c.orig 2014-06-27 17:34:06.000000000 +0000
+++ libavutil/lzo.c
@@@@ -20,6 +20,7 @@@@
 */
 #include "avutil.h"
+#include "avassert.h"
 #include "common.h"
 /// Avoid e.g. MPlayers fast_memcpy, it slows things down here.
 #undef memcpy
@@@@ -62,7 +63,13 @@@@ static inline int get_byte(LZOContext *c
 static inline int get_len(LZOContext *c, int x, int mask) {
 int cnt = x & mask;
 if (!cnt) {
- while (!(x = get_byte(c))) cnt += 255;
+ while (!(x = get_byte(c))) {
+ if (cnt >= INT_MAX - 1000) {
+ c->error |= AV_LZO_ERROR;
+ break;
+ }
+ cnt += 255;
+ }
 cnt += mask + x;
 }
 return cnt;
@@@@ -88,6 +95,7 @@@@ static inline int get_len(LZOContext *c,
 static inline void copy(LZOContext *c, int cnt) {
 register const uint8_t *src = c->in;
 register uint8_t *dst = c->out;
+ av_assert0(cnt >= 0);
 if (cnt > c->in_end - src) {
 cnt = FFMAX(c->in_end - src, 0);
 c->error |= AV_LZO_INPUT_DEPLETED;
@@@@ -120,6 +128,7 @@@@ static inline void memcpy_backptr(uint8_
 */
 static inline void copy_backptr(LZOContext *c, int back, int cnt) {
 register uint8_t *dst = c->out;
+ av_assert0(cnt > 0);
 if (dst - c->out_start < back) {
 c->error |= AV_LZO_INVALID_BACKPTR;
 return;
@ 1.1 log @add patch from 1.2.7 to fix recent integer overflow, bump PKGREV @ text @d1 1 a1 1 $NetBSD$ @
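Review bot: The `INT_MAX - 1000` bound in the new loop of get_len() is an unexplained margin, and the safety of the fix depends on it. It has to cover the `cnt += 255` in the loop, the `cnt += mask + x` that still runs after the `break`, and presumably any small constant that callers add to the returned length; those call sites are outside this hunk, so that part needs confirming. I would put a comment above the check, such as `/* keep headroom below INT_MAX: += 255 here, += mask + x below, plus the small offsets callers add to the result */`. Note also that after the `break` the function still returns a very large positive count with only `c->error` set, so callers must either test `c->error` before using the length or clamp it against the buffer bounds.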
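Review bot: `av_assert0(cnt >= 0);` at the top of copy() aborts the whole process when it fires, and `cnt` is derived from the compressed stream, so any path that still reaches it with a negative length becomes a crash of the embedding application rather than a decode error. The same applies to `av_assert0(cnt > 0);` in the copy_backptr() hunk. Both functions are `void` and already report problems through `c->error`, so I would prefer `if (cnt < 0) { c->error |= AV_LZO_ERROR; return; }` in copy() and the `cnt <= 0` equivalent in copy_backptr(). If the asserts are meant only as invariant checks that the get_len() guard makes unreachable, a one-line comment saying so would help; both function bodies continue outside their hunks, so reachability cannot be confirmed from here.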