lzo: fix overflow checking in copy_backptr()

The check `src > dst' in the form `&c->out[-back] > c->out' invokes
pointer overflow, which is undefined behavior in C.

Remove the check.  Also replace `&c->out[-back] < c->out_start' with
a safe form `c->out - c->out_start < back' to avoid overflow.

CC: libav-stable@libav.org
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit ca6c3f2c53be70aa3c38e8f1292809db89ea1ba6)

Conflicts:
	libavutil/lzo.c

diff --git a/libavutil/lzo.c b/libavutil/lzo.c
index 26cda12112b6e3907017535b9a65717c77070e2b..e49b83e0a28b7beea0994a58c488209006f98fc2 100644 (file)
--- a/libavutil/lzo.c
+++ b/libavutil/lzo.c
@@ -119,9 +119,8 @@ static inline void memcpy_backptr(uint8_t *dst, int back, int cnt);
  * thus creating a repeating pattern with a period length of back.
  */
 static inline void copy_backptr(LZOContext *c, int back, int cnt) {
-    register const uint8_t *src = &c->out[-back];
     register uint8_t *dst = c->out;
-    if (src < c->out_start || src > dst) {
+    if (dst - c->out_start < back) {
         c->error |= AV_LZO_INVALID_BACKPTR;
         return;
     }