Merge commit '2c1d84499bfe06d75e9160b824eeffd9f5587337' into release/0.10

* commit '2c1d84499bfe06d75e9160b824eeffd9f5587337':
  lagarith: pad RGB buffer by 1 byte.
  truemotion1: check the header size
  shorten: pad the internal bitstream buffer
  samplefmt: avoid integer overflow in av_samples_get_buffer_size()
  h264: Fix a typo from the previous commit
  h264: Lower bound check for slice offsets
  rpza: limit the number of blocks to the total remaining blocks in the frame

Conflicts:
	libavcodec/lagarith.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>

libavcodec/h264.c

@@ -3231,8 +3231,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
     }
 
     h->deblocking_filter = 1;
-    h->slice_alpha_c0_offset = 52;
-    h->slice_beta_offset = 52;
+    h->slice_alpha_c0_offset = 0;
+    h->slice_beta_offset = 0;
     if( h->pps.deblocking_filter_parameters_present ) {
         tmp= get_ue_golomb_31(&s->gb);
         if(tmp > 2){
@@ -3243,12 +3243,16 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
         if(h->deblocking_filter < 2)
             h->deblocking_filter^= 1; // 1<->0
 
-        if( h->deblocking_filter ) {
-            h->slice_alpha_c0_offset += get_se_golomb(&s->gb) << 1;
-            h->slice_beta_offset     += get_se_golomb(&s->gb) << 1;
-            if(   h->slice_alpha_c0_offset > 104U
-               || h->slice_beta_offset     > 104U){
-                av_log(s->avctx, AV_LOG_ERROR, "deblocking filter parameters %d %d out of range\n", h->slice_alpha_c0_offset, h->slice_beta_offset);
+        if (h->deblocking_filter) {
+            h->slice_alpha_c0_offset = get_se_golomb(&s->gb) * 2;
+            h->slice_beta_offset     = get_se_golomb(&s->gb) * 2;
+            if (h->slice_alpha_c0_offset >  12 ||
+                h->slice_alpha_c0_offset < -12 ||
+                h->slice_beta_offset >  12     ||
+                h->slice_beta_offset < -12) {
+                av_log(s->avctx, AV_LOG_ERROR,
+                       "deblocking filter parameters %d %d out of range\n",
+                       h->slice_alpha_c0_offset, h->slice_beta_offset);
                 return -1;
             }
         }
@@ -3277,14 +3281,12 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
             }
         }
     }
-    h->qp_thresh = 15 + 52 - FFMIN(h->slice_alpha_c0_offset, h->slice_beta_offset)
-                 - FFMAX3(0, h->pps.chroma_qp_index_offset[0], h->pps.chroma_qp_index_offset[1])
-                 + 6 * (h->sps.bit_depth_luma - 8);
-
-#if 0 //FMO
-    if( h->pps.num_slice_groups > 1  && h->pps.mb_slice_group_map_type >= 3 && h->pps.mb_slice_group_map_type <= 5)
-        slice_group_change_cycle= get_bits(&s->gb, ?);
-#endif
+    h->qp_thresh = 15 -
+                   FFMIN(h->slice_alpha_c0_offset, h->slice_beta_offset) -
+                   FFMAX3(0,
+                          h->pps.chroma_qp_index_offset[0],
+                          h->pps.chroma_qp_index_offset[1]) +
+                   6 * (h->sps.bit_depth_luma - 8);
 
     h0->last_slice_type = slice_type;
     h->slice_num = ++h0->current_slice;
@@ -3345,7 +3347,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
                s->current_picture_ptr->field_poc[0], s->current_picture_ptr->field_poc[1],
                h->ref_count[0], h->ref_count[1],
                s->qscale,
-               h->deblocking_filter, h->slice_alpha_c0_offset/2-26, h->slice_beta_offset/2-26,
+               h->deblocking_filter,
+               h->slice_alpha_c0_offset, h->slice_beta_offset,
                h->use_weight,
                h->use_weight==1 && h->use_weight_chroma ? "c" : "",
                h->slice_type == AV_PICTURE_TYPE_B ? (h->direct_spatial_mv_pred ? "SPAT" : "TEMP") : ""

libavcodec/h264_loopfilter.c

@@ -254,8 +254,8 @@ static av_always_inline void h264_filter_mb_fast_internal(H264Context *h,
     int top_type= h->top_type;
 
     int qp_bd_offset = 6 * (h->sps.bit_depth_luma - 8);
-    int a = h->slice_alpha_c0_offset - qp_bd_offset;
-    int b = h->slice_beta_offset - qp_bd_offset;
+    int a = 52 + h->slice_alpha_c0_offset - qp_bd_offset;
+    int b = 52 + h->slice_beta_offset - qp_bd_offset;
 
     int mb_type = s->current_picture.f.mb_type[mb_xy];
     int qp      = s->current_picture.f.qscale_table[mb_xy];
@@ -715,8 +715,8 @@ void ff_h264_filter_mb( H264Context *h, int mb_x, int mb_y, uint8_t *img_y, uint
     av_unused int dir;
     int chroma = !(CONFIG_GRAY && (s->flags&CODEC_FLAG_GRAY));
     int qp_bd_offset = 6 * (h->sps.bit_depth_luma - 8);
-    int a = h->slice_alpha_c0_offset - qp_bd_offset;
-    int b = h->slice_beta_offset - qp_bd_offset;
+    int a = 52 + h->slice_alpha_c0_offset - qp_bd_offset;
+    int b = 52 + h->slice_beta_offset - qp_bd_offset;
 
     if (FRAME_MBAFF
             // and current and left pair do not have the same interlaced type

libavcodec/lagarith.c

@@ -509,7 +509,7 @@ static int lag_decode_frame(AVCodecContext *avctx,
 
         if (!l->rgb_planes) {
             l->rgb_stride = FFALIGN(avctx->width, 16);
-            l->rgb_planes = av_malloc(l->rgb_stride * avctx->height * 4);
+            l->rgb_planes = av_malloc(l->rgb_stride * avctx->height * 4 + 1);
             if (!l->rgb_planes) {
                 av_log(avctx, AV_LOG_ERROR, "cannot allocate temporary buffer\n");
                 return AVERROR(ENOMEM);

libavcodec/rpza.c

@@ -38,6 +38,7 @@
 #include <stdlib.h>
 #include <string.h>
 
+#include "libavutil/common.h"
 #include "libavutil/intreadwrite.h"
 #include "avcodec.h"
 
@@ -125,6 +126,8 @@ static void rpza_decode_stream(RpzaContext *s)
             }
         }
 
+        n_blocks = FFMIN(n_blocks, total_blocks);
+
         switch (opcode & 0xe0) {
 
         /* Skip blocks */

libavcodec/shorten.c

@@ -431,7 +431,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data,
         void *tmp_ptr;
         s->max_framesize = 1024; // should hopefully be enough for the first header
         tmp_ptr = av_fast_realloc(s->bitstream, &s->allocated_bitstream_size,
-                                  s->max_framesize);
+                                  s->max_framesize + FF_INPUT_BUFFER_PADDING_SIZE);
         if (!tmp_ptr) {
             av_log(avctx, AV_LOG_ERROR, "error allocating bitstream buffer\n");
             return AVERROR(ENOMEM);

libavcodec/truemotion1.c

@@ -320,6 +320,11 @@ static int truemotion1_decode_header(TrueMotion1Context *s)
         return -1;
     }
 
+    if (header.header_size + 1 > s->size) {
+        av_log(s->avctx, AV_LOG_ERROR, "Input packet too small.\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     /* unscramble the header bytes with a XOR operation */
     memset(header_buffer, 0, 128);
     for (i = 1; i < header.header_size; i++)

libavutil/samplefmt.c

@@ -115,8 +115,11 @@ int av_samples_get_buffer_size(int *linesize, int nb_channels, int nb_samples,
         return AVERROR(EINVAL);
 
     /* auto-select alignment if not specified */
-    if (!align)
+    if (!align) {
+        if (nb_samples > INT_MAX - 31)
+            return AVERROR(EINVAL);
         align = 32;
+    }
 
     /* check for integer overflow */
     if (nb_channels > INT_MAX / align ||