Fix buffer end checks in lzo copy code to work in all cases.

git-svn-id: file:///var/local/repositories/ffmpeg/trunk@7731 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b

Fix buffer end checks in lzo copy code to work in all cases.
git-svn-id: file:///var/local/repositories/ffmpeg/trunk@7731 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
2d4f6b2f · reimar · 76d77edf · 2d4f6b2f
Commit 2d4f6b2f authored Jan 27, 2007 by reimar
Show whitespace changes
Inline Side-by-side

Showing with 4 additions and 4 deletions

libavcodec/lzo.c libavcodec/lzo.c +4 -4

No files found.
--- a/libavcodec/lzo.c
+++ b/libavcodec/lzo.c
@@ -67,11 +67,11 @@ static inline int get_len(LZOContext *c, int x, int mask) {
 static inline void copy(LZOContext *c, int cnt) {
    register uint8_t *src = c->in;
    register uint8_t *dst = c->out;
-    if (src + cnt > c->in_end) {
+    if (src + cnt > c->in_end || src + cnt < src) {
        cnt = c->in_end - src;
        c->error |= LZO_INPUT_DEPLETED;
    }
-    if (dst + cnt > c->out_end) {
+    if (dst + cnt > c->out_end || dst + cnt < dst) {
        cnt = c->out_end - dst;
        c->error |= LZO_OUTPUT_FULL;
    }
@@ -101,11 +101,11 @@ static inline void copy(LZOContext *c, int cnt) {
 static inline void copy_backptr(LZOContext *c, int back, int cnt) {
    register uint8_t *src = &c->out[-back];
    register uint8_t *dst = c->out;
-    if (src < c->out_start) {
+    if (src < c->out_start || src > dst) {
        c->error |= LZO_INVALID_BACKPTR;
        return;
    }
-    if (dst + cnt > c->out_end) {
+    if (dst + cnt > c->out_end || dst +  cnt < dst) {
        cnt = c->out_end - dst;
        c->error |= LZO_OUTPUT_FULL;
    }