$OpenBSD: patch-libavutil_lzo_c,v 1.2 2014/07/25 20:37:58 brad Exp $

Fix LZO integer overflow issues. CVE-2014-4610

--- libavutil/lzo.c.orig	Fri Jul 25 16:01:08 2014
+++ libavutil/lzo.c	Fri Jul 25 16:09:37 2014
@@ -22,6 +22,7 @@
 #include <string.h>
 
 #include "avutil.h"
+#include "avassert.h"
 #include "common.h"
 #include "intreadwrite.h"
 #include "lzo.h"
@@ -65,8 +66,13 @@ static inline int get_len(LZOContext *c, int x, int ma
 {
     int cnt = x & mask;
     if (!cnt) {
-        while (!(x = get_byte(c)))
+        while (!(x = get_byte(c))) {
+            if (cnt >= INT_MAX - 1000) {
+                c->error |= AV_LZO_ERROR;
+                break;
+            }
             cnt += 255;
+        }
         cnt += mask + x;
     }
     return cnt;
@@ -80,6 +86,7 @@ static inline void copy(LZOContext *c, int cnt)
 {
     register const uint8_t *src = c->in;
     register uint8_t *dst       = c->out;
+    av_assert0(cnt >= 0);
     if (cnt > c->in_end - src) {
         cnt       = FFMAX(c->in_end - src, 0);
         c->error |= AV_LZO_INPUT_DEPLETED;
@@ -111,6 +118,7 @@ static inline void copy(LZOContext *c, int cnt)
 static inline void copy_backptr(LZOContext *c, int back, int cnt)
 {
     register uint8_t *dst       = c->out;
+    av_assert0(cnt > 0);
     if (dst - c->out_start < back) {
         c->error |= AV_LZO_INVALID_BACKPTR;
         return;
