From 2fc39af1dec9cae61df35dd9dcc5200021aa5f30 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tomas=20H=C3=A4rdin?= Date: Mon, 7 Jun 2010 11:27:26 +0000 Subject: [PATCH 01/58] Added M701 codec_tag for mpeg2video Originally committed as revision 23513 to svn://svn.ffmpeg.org/ffmpeg/trunk (cherry picked from commit 77d3f1f792c2a0bd455c75b0aa8e356b3a470ea7) Signed-off-by: Reinhard Tartler --- libavformat/riff.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/riff.c b/libavformat/riff.c index 64464caa5d..0e925f25cc 100644 --- a/libavformat/riff.c +++ b/libavformat/riff.c @@ -123,6 +123,7 @@ const AVCodecTag ff_codec_bmp_tags[] = { { CODEC_ID_MPEG2VIDEO, MKTAG('L', 'M', 'P', '2') }, /* Lead MPEG2 in avi */ { CODEC_ID_MPEG2VIDEO, MKTAG('s', 'l', 'i', 'f') }, { CODEC_ID_MPEG2VIDEO, MKTAG('E', 'M', '2', 'V') }, + { CODEC_ID_MPEG2VIDEO, MKTAG('M', '7', '0', '1') }, /* Matrox MPEG2 intra-only */ { CODEC_ID_MJPEG, MKTAG('M', 'J', 'P', 'G') }, { CODEC_ID_MJPEG, MKTAG('L', 'J', 'P', 'G') }, { CODEC_ID_MJPEG, MKTAG('d', 'm', 'b', '1') }, From 394c3e78d533ce5169a3700e4dc326c2d75368af Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 22 Jul 2011 10:13:22 -0700 Subject: [PATCH 02/58] riff: Add mpgv MPEG-2 fourcc Supported by mplayer and seen in the wild. (cherry picked from commit 505345ed5d180093a44da8d70ac541898c31c22f) Signed-off-by: Reinhard Tartler --- libavformat/riff.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavformat/riff.c b/libavformat/riff.c index 0e925f25cc..86899805fa 100644 --- a/libavformat/riff.c +++ b/libavformat/riff.c 
@@ -124,6 +124,7 @@ const AVCodecTag ff_codec_bmp_tags[] = { { CODEC_ID_MPEG2VIDEO, MKTAG('s', 'l', 'i', 'f') }, { CODEC_ID_MPEG2VIDEO, MKTAG('E', 'M', '2', 'V') }, { CODEC_ID_MPEG2VIDEO, MKTAG('M', '7', '0', '1') }, /* Matrox MPEG2 intra-only */ + { CODEC_ID_MPEG2VIDEO, MKTAG('m', 'p', 'g', 'v') }, { CODEC_ID_MJPEG, MKTAG('M', 'J', 'P', 'G') }, { CODEC_ID_MJPEG, MKTAG('L', 'J', 'P', 'G') }, { CODEC_ID_MJPEG, MKTAG('d', 'm', 'b', '1') }, From feca20021cc2be02261fcd0077add8d0b6a5fc6b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 9 Jun 2011 03:35:50 +0200 Subject: [PATCH 03/58] jpegdec: actually search for and parse RSTn Fixes decoding of MJPEG files produced by some UVC Logitec web cameras, such as "Notebook Pro" and "HD C910". References: http://trac.videolan.org/vlc/ticket/4215 http://ffmpeg.org/trac/ffmpeg/ticket/267 Signed-off-by: Michael Niedermayer Reviewed-by: Kostya (cherry picked from commit 8c0fa61a9713a1306fca7997dd04d72ea1f060ea) Signed-off-by: Reinhard Tartler --- libavcodec/mjpegdec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c index 9f2f88b5de..edfdd56057 100644 --- a/libavcodec/mjpegdec.c +++ b/libavcodec/mjpegdec.c @@ -839,9 +839,12 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, i } } - if (s->restart_interval && !--s->restart_count) { + if (s->restart_interval && show_bits(&s->gb, 8) == 0xFF){ /* skip RSTn */ + --s->restart_count; align_get_bits(&s->gb); - skip_bits(&s->gb, 16); /* skip RSTn */ + while(show_bits(&s->gb, 8) == 0xFF) + skip_bits(&s->gb, 8); + skip_bits(&s->gb, 8); for (i=0; ilast_dc[i] = 1024; } From 21ad6e08e45952586441e5fb7b0cf670ba021718 Mon Sep 17 00:00:00 2001 
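Review bot: The new `while(show_bits(&s->gb, 8) == 0xFF) skip_bits(&s->gb, 8);` loop in mjpeg_decode_scan has no end-of-buffer bound, so a scan that is truncated inside a run of 0xFF fill bytes keeps probing past the end of the bitstream. Bounding the loop by the remaining bits, `while (get_bits_left(&s->gb) > 8 && show_bits(&s->gb, 8) == 0xFF)`, and bailing out when fewer than 8 bits remain before the final `skip_bits(&s->gb, 8)` keeps the reader inside the buffer on corrupt input. Note also that the first `show_bits` is evaluated before `align_get_bits`, so eight consecutive set bits straddling a byte boundary in entropy-coded data could presumably match 0xFF as well; worth confirming that is intended, since the old `!--s->restart_count` test no longer gates the branch. The enclosing function continues outside the hunk.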
From: Alex Converse Date: Tue, 3 May 2011 11:19:31 -0700 Subject: [PATCH 04/58] Replace strncpy() with av_strlcpy() in libpostproc. (cherry picked from commit 1a5e4fd8c5b99478b4e08a69261930bb12aa948b) Conflicts: ffmpeg.c libavcodec/ac3enc.c libavcodec/ass.c libavformat/movenc.c libavformat/mp3enc.c libavutil/log.c --- libpostproc/postprocess.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libpostproc/postprocess.c b/libpostproc/postprocess.c index 92c822b772..4810353085 100644 --- a/libpostproc/postprocess.c +++ b/libpostproc/postprocess.c @@ -86,6 +86,7 @@ try to unroll inner for(x=0 ... loop to avoid these damn if(x ... checks //#define DEBUG_BRIGHTNESS #include "postprocess.h" #include "postprocess_internal.h" +#include "libavutil/avstring.h" unsigned postproc_version(void) { @@ -766,7 +767,7 @@ pp_mode *pp_get_mode_by_name_and_quality(const char *name, int quality) ppMode->maxClippedThreshold= 0.01; ppMode->error=0; - strncpy(temp, name, GET_MODE_BUFFER_SIZE); + av_strlcpy(temp, name, GET_MODE_BUFFER_SIZE); av_log(NULL, AV_LOG_DEBUG, "pp: %s\n", name); From 7487d53d0144043a462a5d54d766478ce64f0daa Mon Sep 17 00:00:00 2001 From: Piotr Kaczuba Date: Mon, 30 May 2011 13:19:35 +0200 Subject: [PATCH 05/58] postprocess.c: filter name needs to be double 0 terminated Signed-off-by: Reinhard Tartler (cherry picked from commit f4f3300c09bb13eb7922e60888b55e3e0fb325e7) (cherry picked from commit 20ca827019a72bfacb38e73d0b8590e651818272) Signed-off-by: Reinhard Tartler --- libpostproc/postprocess.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libpostproc/postprocess.c b/libpostproc/postprocess.c index 4810353085..d2dc6bcae1 100644 --- a/libpostproc/postprocess.c +++ b/libpostproc/postprocess.c 
@@ -767,7 +767,8 @@ pp_mode *pp_get_mode_by_name_and_quality(const char *name, int quality) ppMode->maxClippedThreshold= 0.01; ppMode->error=0; - av_strlcpy(temp, name, GET_MODE_BUFFER_SIZE); + memset(temp, 0, GET_MODE_BUFFER_SIZE); + av_strlcpy(temp, name, GET_MODE_BUFFER_SIZE - 1); av_log(NULL, AV_LOG_DEBUG, "pp: %s\n", name); @@ -823,7 +824,7 @@ pp_mode *pp_get_mode_by_name_and_quality(const char *name, int quality) plen= strlen(p); spaceLeft= p - temp + plen; - if(spaceLeft + newlen >= GET_MODE_BUFFER_SIZE){ + if(spaceLeft + newlen >= GET_MODE_BUFFER_SIZE - 1){ ppMode->error++; break; } From 572e94bc513353e31a58e40cbb043f6b0a58e415 Mon Sep 17 00:00:00 2001 From: Jason Garrett-Glaser Date: Mon, 4 Jul 2011 06:05:34 -0700 Subject: [PATCH 06/58] H.264: fix overreads of qscale_table filter_mb_fast assumed that qscale_table was padded like many of the other tables. (cherry picked from commit 5029a406334ad0eaf92130e23d596e405a8a5aa0) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavcodec/mpegvideo.c | 5 +++-- libavcodec/mpegvideo.h | 1 + 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c index e11fee8ffc..695290abc2 100644 --- a/libavcodec/mpegvideo.c +++ b/libavcodec/mpegvideo.c 
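Review bot: `av_strlcpy(temp, name, GET_MODE_BUFFER_SIZE - 1)` in pp_get_mode_by_name_and_quality still discards the function's return value, so a filter string longer than the buffer is silently truncated and the cut-off remainder is parsed as if it were the whole name. av_strlcpy returns the length of the source, so the truncation can be turned into the same error the later size check already raises, e.g. `if (av_strlcpy(temp, name, GET_MODE_BUFFER_SIZE - 1) >= GET_MODE_BUFFER_SIZE - 1) ppMode->error++;`. The `memset` plus the `- 1` are what provide the double NUL terminator the commit message asks for; a one-line comment on those two lines, `/* parser needs two trailing NULs: zero the buffer and copy at most size-1 */`, would stop the next reader from "fixing" the -1. The function body continues outside both hunks.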
@@ -282,9 +282,10 @@ int ff_alloc_picture(MpegEncContext *s, Picture *pic, int shared){ } FF_ALLOCZ_OR_GOTO(s->avctx, pic->mbskip_table , mb_array_size * sizeof(uint8_t)+2, fail) //the +2 is for the slice end check - FF_ALLOCZ_OR_GOTO(s->avctx, pic->qscale_table , mb_array_size * sizeof(uint8_t) , fail) + FF_ALLOCZ_OR_GOTO(s->avctx, pic->qscale_table_base , (big_mb_num + s->mb_stride) * sizeof(uint8_t) , fail) FF_ALLOCZ_OR_GOTO(s->avctx, pic->mb_type_base , (big_mb_num + s->mb_stride) * sizeof(uint32_t), fail) pic->mb_type= pic->mb_type_base + 2*s->mb_stride+1; + pic->qscale_table = pic->qscale_table_base + 2*s->mb_stride + 1; if(s->out_format == FMT_H264){ for(i=0; i<2; i++){ FF_ALLOCZ_OR_GOTO(s->avctx, pic->motion_val_base[i], 2 * (b4_array_size+4) * sizeof(int16_t), fail) @@ -335,7 +336,7 @@ static void free_picture(MpegEncContext *s, Picture *pic){ av_freep(&pic->mc_mb_var); av_freep(&pic->mb_mean); av_freep(&pic->mbskip_table); - av_freep(&pic->qscale_table); + av_freep(&pic->qscale_table_base); av_freep(&pic->mb_type_base); av_freep(&pic->dct_coeff); av_freep(&pic->pan_scan); diff --git a/libavcodec/mpegvideo.h b/libavcodec/mpegvideo.h index 8cd20b7036..9a4912cc40 100644 --- a/libavcodec/mpegvideo.h +++ b/libavcodec/mpegvideo.h @@ -86,6 +86,7 @@ typedef struct Picture{ * halfpel luma planes. */ uint8_t *interpolated[3]; + int8_t *qscale_table_base; int16_t (*motion_val_base[2])[2]; uint32_t *mb_type_base; #define MB_TYPE_INTRA MB_TYPE_INTRA4x4 //default mb_type if there is just one type From 84fce203bdfa39bfaa55571ac6627aa2320e646d Mon Sep 17 00:00:00 2001 
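Review bot: `av_freep(&pic->qscale_table_base)` in free_picture clears only the base pointer, so `pic->qscale_table`, which ff_alloc_picture now derives from it as `pic->qscale_table_base + 2*s->mb_stride + 1`, is left dangling after the free. Adding `pic->qscale_table = NULL;` next to the av_freep keeps the pair consistent and makes any later use fail loudly instead of reading freed memory; the same presumably applies to the existing `mb_type`/`mb_type_base` pair if it is not reset elsewhere. In the allocation hunk, `sizeof(uint8_t)` sizes a buffer whose field is declared `int8_t *` in mpegvideo.h; the sizes match, but `sizeof(*pic->qscale_table_base)` would tie the allocation to the field's type. A short comment on the allocation line explaining why the `big_mb_num + s->mb_stride` padding and the `2*s->mb_stride + 1` offset are needed (the commit message says filter_mb_fast reads outside the unpadded table) would make the padding requirement visible to the next maintainer.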
From: John Stebbins Date: Mon, 4 Jul 2011 09:55:19 -0700 Subject: [PATCH 07/58] dca: set AVCodecContext frame_size for DTS audio Set the frame size when decoding DTS audio. This has the side effect of fixing the computation of timestamps for DTS-HD in compute_pkt_fields. Since frame_size is not currently set, the duration of a frame is being guessed based on the streams bitrate. But for DTS-HD, the bitrate currently used is the rate of the DTS core which is much different than the whole DTS-HD stream and leads to a wildly inaccurate frame duration estimate. Signed-off-by: Ronald S. Bultje (cherry picked from commit 49c7006c7e815d4330247624a9e6ba30e288cd02) Signed-off-by: Anton Khirnov (cherry picked from commit 06318968853ff8c628bbc75fb126483c08f22fd9) Signed-off-by: Reinhard Tartler --- libavcodec/dca.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/dca.c b/libavcodec/dca.c index 10bc956e98..493971384f 100644 --- a/libavcodec/dca.c +++ b/libavcodec/dca.c @@ -1224,6 +1224,7 @@ static int dca_decode_frame(AVCodecContext * avctx, //set AVCodec values with parsed data avctx->sample_rate = s->sample_rate; avctx->bit_rate = s->bit_rate; + avctx->frame_size = s->sample_blocks * 32; channels = s->prim_channels + !!s->lfe; From 86849f097696cf5f54ab9ddf2ec170ad0cdf9b93 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= Date: Mon, 4 Jul 2011 10:19:46 +0200 Subject: [PATCH 08/58] mxfenc: fix ignored drop flag in binary timecode representation. Signed-off-by: Ronald S. Bultje (cherry picked from commit 4d5e7ab5c48451404038706ef3113c9925a83087) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavformat/mxfenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c index ab381189c9..ab11df692e 100644 --- a/libavformat/mxfenc.c +++ b/libavformat/mxfenc.c 
@@ -1536,7 +1536,7 @@ static const uint8_t system_metadata_package_set_key[] = { 0x06,0x0E,0x2B,0x34,0 static uint32_t ff_framenum_to_12m_time_code(unsigned frame, int drop, int fps) { return (0 << 31) | // color frame flag - (0 << 30) | // drop frame flag + (drop << 30) | // drop frame flag ( ((frame % fps) / 10) << 28) | // tens of frames ( ((frame % fps) % 10) << 24) | // units of frames (0 << 23) | // field phase (NTSC), b0 (PAL) From 81d5ceff04985c71a5bc84f7c88a6487c0afaf61 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 22 Jun 2011 15:33:56 -0400 Subject: [PATCH 09/58] alsa: fallback to buffer_size/4 for period_size. buffer_size/4 is the value used by aplay. This fixes output to null devices, e.g. writing ALSA output to a file. (cherry picked from commit 8bfd7f6a475225a0595bf657f8b99a8fffb461e4) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavdevice/alsa-audio-common.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavdevice/alsa-audio-common.c b/libavdevice/alsa-audio-common.c index 38cb0de0ef..12195de93e 100644 --- a/libavdevice/alsa-audio-common.c +++ b/libavdevice/alsa-audio-common.c @@ -129,6 +129,8 @@ av_cold int ff_alsa_open(AVFormatContext *ctx, snd_pcm_stream_t mode, } snd_pcm_hw_params_get_period_size_min(hw_params, &period_size, NULL); + if (!period_size) + period_size = buffer_size / 4; res = snd_pcm_hw_params_set_period_size_near(h, hw_params, &period_size, NULL); if (res < 0) { av_log(ctx, AV_LOG_ERROR, "cannot set ALSA period size (%s)\n", From 002e6d185c3febb60131be23907210f35fdf0cb8 Mon Sep 17 00:00:00 2001 From: Jindrich Makovicka Date: Thu, 30 Jun 2011 09:03:15 +0000 Subject: [PATCH 10/58] mpegts: fix Continuity Counter error detection According to MPEG-TS specs, the continuity_counter shall not be incremented when the adaptation_field_control of the packet equals '00' or '10'. Signed-off-by: Jindrich Makovicka 
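Review bot: `(drop << 30)` in ff_framenum_to_12m_time_code shifts an `int` parameter whose only meaning is a flag; any value other than 0 or 1 (a mask such as 2, or a negative value) bleeds into bit 31 or becomes a signed-overflow shift, which is undefined behaviour in C. Normalising the flag before shifting, `((uint32_t)!!drop << 30)`, bounds it to a single bit and keeps the arithmetic unsigned like the function's return type. The rest of the function body is outside the hunk.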
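Review bot: The fallback `if (!period_size) period_size = buffer_size / 4;` in ff_alsa_open relies on `period_size` having been written by `snd_pcm_hw_params_get_period_size_min`, whose return value is still ignored on the line above; if that call fails and `period_size` was not initialised before the hunk (its declaration is outside the hunk), the comparison reads an indeterminate value. Folding the status into the condition, `if (snd_pcm_hw_params_get_period_size_min(hw_params, &period_size, NULL) < 0 || !period_size) period_size = buffer_size / 4;`, covers both the zero and the failure case. A brief comment such as `/* null devices report a minimum period of 0; fall back to aplay's buffer_size/4 */` would preserve the rationale given in the commit message.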
Signed-off-by: Anton Khirnov (cherry picked from commit 8923cfa328e8eb565aebcfe8672b276fd1c19bf7) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavformat/mpegts.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c index 59603384d2..93bb47d837 100644 --- a/libavformat/mpegts.c +++ b/libavformat/mpegts.c @@ -1140,7 +1140,7 @@ static int handle_packet(MpegTSContext *ts, const uint8_t *packet) { AVFormatContext *s = ts->stream; MpegTSFilter *tss; - int len, pid, cc, cc_ok, afc, is_start; + int len, pid, cc, expected_cc, cc_ok, afc, is_start; const uint8_t *p, *p_end; int64_t pos; @@ -1158,7 +1158,8 @@ static int handle_packet(MpegTSContext *ts, const uint8_t *packet) /* continuity check (currently not used) */ cc = (packet[3] & 0xf); - cc_ok = (tss->last_cc < 0) || ((((tss->last_cc + 1) & 0x0f) == cc)); + expected_cc = (packet[3] & 0x10) ? (tss->last_cc + 1) & 0x0f : tss->last_cc; + cc_ok = (tss->last_cc < 0) || (expected_cc == cc); tss->last_cc = cc; /* skip adaptation field */ From 5ed9457260cadfcf350ae9aece476e2a5fbc490c Mon Sep 17 00:00:00 2001 From: Mans Rullgard Date: Fri, 15 Jul 2011 22:38:10 +0100 Subject: [PATCH 11/58] aacps: skip some memcpy() if src and dst would be equal Signed-off-by: Mans Rullgard (cherry picked from commit e5902d60ce8f7cf10b6e87a57eec536b316261a3) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavcodec/aacps.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c index fc124d1972..3cfd18d959 100644 --- a/libavcodec/aacps.c +++ b/libavcodec/aacps.c 
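Review bot: The comment `/* continuity check (currently not used) */` above the new `expected_cc` logic in handle_packet is now misleading, because the hunk encodes a specific rule a reader needs to know; suggest replacing it with `/* continuity_counter advances only when the packet carries a payload (adaptation_field_control 01/11), ISO/IEC 13818-1 2.4.3.3 */`. The new expression also does not account for the discontinuity_indicator in the adaptation field, which legitimately resets the counter, so `cc_ok` may be false on a valid stream; whether that matters depends on how `cc_ok` is consumed further down, which is outside the hunk.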
@@ -813,14 +813,17 @@ static void stereo_processing(PSContext *ps, float (*l)[32][2], float (*r)[32][2 const float (*H_LUT)[8][4] = (PS_BASELINE || ps->icc_mode < 3) ? HA : HB; //Remapping - memcpy(H11[0][0], H11[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H11[0][0][0])); - memcpy(H11[1][0], H11[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H11[1][0][0])); - memcpy(H12[0][0], H12[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H12[0][0][0])); - memcpy(H12[1][0], H12[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H12[1][0][0])); - memcpy(H21[0][0], H21[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H21[0][0][0])); - memcpy(H21[1][0], H21[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H21[1][0][0])); - memcpy(H22[0][0], H22[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H22[0][0][0])); - memcpy(H22[1][0], H22[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H22[1][0][0])); + if (ps->num_env_old) { + memcpy(H11[0][0], H11[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H11[0][0][0])); + memcpy(H11[1][0], H11[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H11[1][0][0])); + memcpy(H12[0][0], H12[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H12[0][0][0])); + memcpy(H12[1][0], H12[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H12[1][0][0])); + memcpy(H21[0][0], H21[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H21[0][0][0])); + memcpy(H21[1][0], H21[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H21[1][0][0])); + memcpy(H22[0][0], H22[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H22[0][0][0])); + memcpy(H22[1][0], H22[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H22[1][0][0])); + } + if (is34) { remap34(&iid_mapped, ps->iid_par, ps->nr_iid_par, ps->num_env, 1); remap34(&icc_mapped, ps->icc_par, ps->nr_icc_par, ps->num_env, 1); From 0facc63ff6176a8d70280e8f7da26f77be81ee36 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C3=ABl=20Carr=C3=A9?= Date: Sat, 16 Jul 2011 11:41:08 -0400 Subject: [PATCH 12/58] Do not decode RV30 files if the extradata is too small 
Signed-off-by: Diego Biurrun (cherry picked from commit 289c60001fb0a9a1d7a97c876d8a42b84c6874ac) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavcodec/rv30.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/rv30.c b/libavcodec/rv30.c index 22a5dd5b64..215ef35414 100644 --- a/libavcodec/rv30.c +++ b/libavcodec/rv30.c @@ -256,6 +256,7 @@ static av_cold int rv30_decode_init(AVCodecContext *avctx) if(avctx->extradata_size - 8 < (r->rpr - 1) * 2){ av_log(avctx, AV_LOG_ERROR, "Insufficient extradata - need at least %d bytes, got %d\n", 6 + r->rpr * 2, avctx->extradata_size); + return EINVAL; } r->parse_slice_header = rv30_parse_slice_header; r->decode_intra_types = rv30_decode_intra_types; From d2411412f15142bdf51e4677ef69a372cc6a10d4 Mon Sep 17 00:00:00 2001 From: Diego Biurrun Date: Thu, 21 Jul 2011 14:25:01 +0200 Subject: [PATCH 13/58] rv30: return AVERROR(EINVAL) instead of EINVAL On some platforms EINVAL could be positive, ensure we return negative values. (cherry picked from commit e5985185d2eda942333ebbb72bd7d043ffe40be7) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavcodec/rv30.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rv30.c b/libavcodec/rv30.c index 215ef35414..ada3b2aeaf 100644 --- a/libavcodec/rv30.c +++ b/libavcodec/rv30.c @@ -256,7 +256,7 @@ static av_cold int rv30_decode_init(AVCodecContext *avctx) if(avctx->extradata_size - 8 < (r->rpr - 1) * 2){ av_log(avctx, AV_LOG_ERROR, "Insufficient extradata - need at least %d bytes, got %d\n", 6 + r->rpr * 2, avctx->extradata_size); - return EINVAL; + return AVERROR(EINVAL); } r->parse_slice_header = rv30_parse_slice_header; r->decode_intra_types = rv30_decode_intra_types; From e07086d8aed011544ee2fc71ebab867a38a6d6e7 Mon Sep 17 00:00:00 2001 
From: Alex Converse Date: Fri, 29 Jul 2011 15:27:36 -0700 Subject: [PATCH 14/58] mxfdec: Include FF_INPUT_BUFFER_PADDING_SIZE when allocating extradata. This prevents out of bounds reads when extradata is being decoded. (cherry picked from commit 1f6f58d5855288492fc2640a9f1035c01c75d356) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavformat/mxfdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c index 168fd8d69f..a601007aec 100644 --- a/libavformat/mxfdec.c +++ b/libavformat/mxfdec.c @@ -592,7 +592,7 @@ static int mxf_read_generic_descriptor(MXFDescriptor *descriptor, ByteIOContext default: /* Private uid used by SONY C0023S01.mxf */ if (IS_KLV_KEY(uid, mxf_sony_mpeg4_extradata)) { - descriptor->extradata = av_malloc(size); + descriptor->extradata = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE); if (!descriptor->extradata) return -1; descriptor->extradata_size = size; From 7b733e4b7fd052170199ae29fa14e1e71ba95077 Mon Sep 17 00:00:00 2001 From: Baptiste Coudurier Date: Sat, 29 Jan 2011 17:05:42 -0800 Subject: [PATCH 15/58] libx264: do not set pic quality if no frame is output Avoids uninitialized reads. Signed-off-by: Anton Khirnov (cherry picked from commit 5caa2de19ece830e32c95731bc92a423d55cff0c) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavcodec/libx264.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c index df7b2e806b..e247255ce5 100644 --- a/libavcodec/libx264.c +++ b/libavcodec/libx264.c @@ -127,7 +127,8 @@ static int X264_frame(AVCodecContext *ctx, uint8_t *buf, } x4->out_pic.key_frame = pic_out.b_keyframe; - x4->out_pic.quality = (pic_out.i_qpplus1 - 1) * FF_QP2LAMBDA; + if (bufsize) + x4->out_pic.quality = (pic_out.i_qpplus1 - 1) * FF_QP2LAMBDA; return bufsize; } From 36c196bca4be68f8ebf04bf2ac9b972d4f084b9f Mon Sep 17 00:00:00 2001 
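Review bot: `av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE)` in mxf_read_generic_descriptor reserves the padding but does not zero it; the contract of FF_INPUT_BUFFER_PADDING_SIZE is that the trailing bytes are zeroed so a bitstream reader that overreads sees zeros rather than heap residue. After the data is read into `descriptor->extradata` (outside the hunk), `memset(descriptor->extradata + size, 0, FF_INPUT_BUFFER_PADDING_SIZE);` completes the fix. `size` comes from the KLV item length; if it is an `int` near INT_MAX the addition wraps to a small allocation, so a bound check on `size` before the allocation is presumably needed as well — its declaration is outside the hunk, so confirm there.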
From: Dustin Brody Date: Thu, 11 Aug 2011 08:57:58 -0400 Subject: [PATCH 16/58] h264: notice memory allocation failure Signed-off-by: Ronald S. Bultje (cherry picked from commit bac3ab13ea6a9dd8853e79ef3eacf51d234c8774) Signed-off-by: Anton Khirnov (cherry picked from commit 59a22afa0b50b9037133a7bc26bdc5023e7e1df9) Conflicts: libavcodec/h264.c Signed-off-by: Reinhard Tartler --- libavcodec/h264.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index e4654f0435..1f045a8be7 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -1840,7 +1840,10 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ h->prev_interlaced_frame = 1; init_scan_tables(h); - ff_h264_alloc_tables(h); + if (ff_h264_alloc_tables(h) < 0) { + av_log(h->s.avctx, AV_LOG_ERROR, "Could not allocate memory for h264\n"); + return AVERROR(ENOMEM); + } for(i = 1; i < s->avctx->thread_count; i++) { H264Context *c; From f4a5a730d8e091534ab58f6b2557374b913815ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Sat, 13 Aug 2011 11:58:18 +0200 Subject: [PATCH 17/58] VC-1: fix reading of custom PAR. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Custom PAR num/denum are in 1-256 range. Signed-off-by: Reimar Döffinger Signed-off-by: Diego Biurrun (cherry picked from commit 0e8696551414d4ea0aab2559f9475d1fe49d08f3) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavcodec/vc1.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c index 7d00072b7a..1ed79af0bd 100644 --- a/libavcodec/vc1.c +++ b/libavcodec/vc1.c 
@@ -467,8 +467,8 @@ static int decode_sequence_header_adv(VC1Context *v, GetBitContext *gb) if(ar && ar < 14){ v->s.avctx->sample_aspect_ratio = ff_vc1_pixel_aspect[ar]; }else if(ar == 15){ - w = get_bits(gb, 8); - h = get_bits(gb, 8); + w = get_bits(gb, 8) + 1; + h = get_bits(gb, 8) + 1; v->s.avctx->sample_aspect_ratio = (AVRational){w, h}; } av_log(v->s.avctx, AV_LOG_DEBUG, "Aspect: %i:%i\n", v->s.avctx->sample_aspect_ratio.num, v->s.avctx->sample_aspect_ratio.den); From 973bdafe05d051b6e83467c0c4ef548d2ea9a901 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Wed, 8 Jun 2011 14:32:07 +0000 Subject: [PATCH 18/58] flvenc: use int64_t to store offsets Metadata currently is written only at the start of the file in normal cases, when transcoding from a rtmp source metadata could be written later and the offset recorded can exceed 32bit. Signed-off-by: Anton Khirnov (cherry picked from commit 7f5bf4fbaf1f2142547321a16358f9871fabdcc6) Signed-off-by: Anton Khirnov (cherry picked from commit fe3e7297fe56a383baca484dea2c0d603ae305f8) Conflicts: libavformat/flvenc.c Signed-off-by: Reinhard Tartler --- libavformat/flvenc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/flvenc.c b/libavformat/flvenc.c index c351117132..fa6a1d13d0 100644 --- a/libavformat/flvenc.c +++ b/libavformat/flvenc.c @@ -162,7 +162,7 @@ static int flv_write_header(AVFormatContext *s) AVCodecContext *audio_enc = NULL, *video_enc = NULL; int i; double framerate = 0.0; - int metadata_size_pos, data_size; + int64_t metadata_size_pos, data_size; for(i=0; inb_streams; i++){ AVCodecContext *enc = s->streams[i]->codec; From e7746f834a7b718f6459b08112bf0d6625362e42 Mon Sep 17 00:00:00 2001 
From: Kostya Shishkov Date: Wed, 17 Aug 2011 10:36:33 +0200 Subject: [PATCH 19/58] rv10/20: tell decoder to use edge emulation This removes out-of-edge motion compensation artifacts (easily spotted green blocks in avplay, gray blocks in transcoding), for example here: http://samples.libav.org/samples/real/tv_watching_t1.rm Signed-off-by: Diego Biurrun (cherry picked from commit 331971116d7d36743601bd2dc5384c5211d3bb48) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavcodec/rv10.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index b6ca031dfa..7b635b3a1c 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -454,6 +454,7 @@ static av_cold int rv10_decode_init(AVCodecContext *avctx) s->avctx= avctx; s->out_format = FMT_H263; s->codec_id= avctx->codec_id; + avctx->flags |= CODEC_FLAG_EMU_EDGE; s->orig_width = s->width = avctx->coded_width; s->orig_height= s->height = avctx->coded_height; From 34d2fe68601ed21c2bda20f473ca800dfc980970 Mon Sep 17 00:00:00 2001 From: Jeff Downs Date: Tue, 5 Jul 2011 14:21:54 -0400 Subject: [PATCH 20/58] h264: correct the check for invalid long term frame index in MMCO decode The current check on MMCO parameters prohibits a "max long term frame index plus 1" of 16 (frame idx of 15) for the "set max long term frame index" MMCO. Fix this off-by-one error to allow the full range of legal values. Signed-off-by: Diego Biurrun (cherry picked from commit 29a09eae9a827f4dbc9c4517180d8fe2ecef321a) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavcodec/h264_refs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c index ed715c6b03..21c14d8d26 100644 --- a/libavcodec/h264_refs.c +++ b/libavcodec/h264_refs.c 
@@ -657,7 +657,7 @@ int ff_h264_decode_ref_pic_marking(H264Context *h, GetBitContext *gb){ } if(opcode==MMCO_SHORT2LONG || opcode==MMCO_LONG2UNUSED || opcode==MMCO_LONG || opcode==MMCO_SET_MAX_LONG){ unsigned int long_arg= get_ue_golomb_31(gb); - if(long_arg >= 32 || (long_arg >= 16 && !(opcode == MMCO_LONG2UNUSED && FIELD_PICTURE))){ + if(long_arg >= 32 || (long_arg >= 16 && !(opcode == MMCO_SET_MAX_LONG && long_arg == 16) && !(opcode == MMCO_LONG2UNUSED && FIELD_PICTURE))){ av_log(h->s.avctx, AV_LOG_ERROR, "illegal long ref in memory management control operation %d\n", opcode); return -1; } From 01b9a6e447d8a3abd86498be26b1aef3479a1cc9 Mon Sep 17 00:00:00 2001 From: Jeff Downs Date: Wed, 6 Jul 2011 11:54:36 -0400 Subject: [PATCH 21/58] h264: correct implicit weight table computation for long ref pics Correct computation of implicit weight tables when referencing pictures that are marked for long reference. Signed-off-by: Diego Biurrun (cherry picked from commit 87cf70eb237e7586cc7399627dafa1b980ec0b7d) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavcodec/h264.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 1f045a8be7..06ded4d1f1 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c 
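Review bot: The widened condition in ff_h264_decode_ref_pic_marking, `long_arg >= 32 || (long_arg >= 16 && !(opcode == MMCO_SET_MAX_LONG && long_arg == 16) && !(opcode == MMCO_LONG2UNUSED && FIELD_PICTURE))`, now carries three nested negations on one line, which makes the per-opcode limit hard to audit. Computing an explicit upper bound per opcode expresses the same check as a single comparison and documents why 16 is legal for MMCO_SET_MAX_LONG (the argument is max_long_term_frame_idx_plus1) and why field pictures allow up to 31 for MMCO_LONG2UNUSED. The rewrite below accepts and rejects exactly the same values of long_arg; the function continues outside the hunk.
```c
            unsigned int long_arg= get_ue_golomb_31(gb);
            /* exclusive upper bound of long_arg for this opcode */
            unsigned int long_arg_limit = 16;
            if (opcode == MMCO_SET_MAX_LONG)
                long_arg_limit = 17; /* argument is max_long_term_frame_idx_plus1, so 16 is legal */
            else if (opcode == MMCO_LONG2UNUSED && FIELD_PICTURE)
                long_arg_limit = 32; /* field pictures address fields, twice the frame range */
            if (long_arg >= long_arg_limit) {
                av_log(h->s.avctx, AV_LOG_ERROR, "illegal long ref in memory management control operation %d\n", opcode);
                return -1;
            }
```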
@@ -1448,15 +1448,17 @@ static void implicit_weight_table(H264Context *h, int field){ for(ref0=ref_start; ref0 < ref_count0; ref0++){ int poc0 = h->ref_list[0][ref0].poc; for(ref1=ref_start; ref1 < ref_count1; ref1++){ - int poc1 = h->ref_list[1][ref1].poc; - int td = av_clip(poc1 - poc0, -128, 127); - int w= 32; - if(td){ - int tb = av_clip(cur_poc - poc0, -128, 127); - int tx = (16384 + (FFABS(td) >> 1)) / td; - int dist_scale_factor = (tb*tx + 32) >> 8; - if(dist_scale_factor >= -64 && dist_scale_factor <= 128) - w = 64 - dist_scale_factor; + int w = 32; + if (!h->ref_list[0][ref0].long_ref && !h->ref_list[1][ref1].long_ref) { + int poc1 = h->ref_list[1][ref1].poc; + int td = av_clip(poc1 - poc0, -128, 127); + if(td){ + int tb = av_clip(cur_poc - poc0, -128, 127); + int tx = (16384 + (FFABS(td) >> 1)) / td; + int dist_scale_factor = (tb*tx + 32) >> 8; + if(dist_scale_factor >= -64 && dist_scale_factor <= 128) + w = 64 - dist_scale_factor; + } } if(field<0){ h->implicit_weight[ref0][ref1][0]= From 4ccb8f5b7b99ebaab5032f0d1b2b42906e3a14c5 Mon Sep 17 00:00:00 2001 From: Sean McGovern Date: Mon, 25 Jul 2011 18:51:02 -0400 Subject: [PATCH 22/58] cpu detection: avoid a signed overflow 1<<31 overflows because 1 is signed, so force it to unsigned. Signed-off-by: Ronald S. Bultje (cherry picked from commit 5938e02185430ca711106aaec9b5622dbf588af3) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavcodec/x86/cpuid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/x86/cpuid.c b/libavcodec/x86/cpuid.c index 1ed4d2e7e3..832b9909dc 100644 --- a/libavcodec/x86/cpuid.c +++ b/libavcodec/x86/cpuid.c @@ -98,7 +98,7 @@ int mm_support(void) if(max_ext_level >= 0x80000001){ cpuid(0x80000001, eax, ebx, ecx, ext_caps); - if (ext_caps & (1<<31)) + if (ext_caps & (1U<<31)) rval |= FF_MM_3DNOW; if (ext_caps & (1<<30)) rval |= FF_MM_3DNOWEXT; From 9864518544f85ca8f0c2764fd66d728c47652bcc Mon Sep 17 00:00:00 2001 
From: Laurent Aimar Date: Wed, 7 Sep 2011 23:12:32 +0200 Subject: [PATCH 23/58] Fixed invalid access in wavpack decoder on corrupted extra bits sub-blocks. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit beefafda639dd53fc59c21d8a7cf8334da9a1062) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavcodec/wavpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 7358d29735..3963a6003d 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -368,7 +368,7 @@ static inline int wv_get_value_integer(WavpackContext *s, uint32_t *crc, int S) if(s->extra_bits){ S <<= s->extra_bits; - if(s->got_extra_bits){ + if(s->got_extra_bits && get_bits_left(&s->gb_extra_bits) >= s->extra_bits){ S |= get_bits(&s->gb_extra_bits, s->extra_bits); *crc = *crc * 9 + (S&0xffff) * 3 + ((unsigned)S>>16); } From 1edc513bcf78341b4614081812cc7b66cd84b465 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 7 Sep 2011 22:02:55 +0200 Subject: [PATCH 24/58] Fixed invalid access in wavpack decoder on corrupted bitstream. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 55354b7de21e7bb4bbeb1c12ff55ea17f807c70c) Signed-off-by: Anton Khirnov (cherry picked from commit 4b84e995ad88f3bfa533c38218f2791c14fd72f0) Signed-off-by: Reinhard Tartler --- libavcodec/wavpack.c | 49 +++++++++++++++++++++++++++++++------------- 1 file changed, 35 insertions(+), 14 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 3963a6003d..906ccea766 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c 
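Review bot: `S <<= s->extra_bits;` on the line above the new check in wv_get_value_integer left-shifts a signed `int`; for a negative sample that is undefined behaviour in C, independent of the bounds fix this commit makes. `S = (int)((unsigned)S << s->extra_bits);` yields the intended two's-complement result without the UB. When the new `get_bits_left(&s->gb_extra_bits) >= s->extra_bits` guard fails, the sample silently keeps zeroed low bits and `*crc` is not updated; that is presumably caught by the CRC comparison in the callers, but a one-line comment, `/* truncated extra-bits block: leave low bits zero, the frame CRC check reports it */`, would record the intent. The rest of the function is outside the hunk.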
@@ -275,7 +275,14 @@ static int wv_get_value(WavpackContext *ctx, GetBitContext *gb, int channel, int } }else{ t = get_unary_0_33(gb); - if(t >= 2) t = get_bits(gb, t - 1) | (1 << (t-1)); + if(t >= 2){ + if(get_bits_left(gb) < t-1) + goto error; + t = get_bits(gb, t - 1) | (1 << (t-1)); + }else{ + if(get_bits_left(gb) < 0) + goto error; + } ctx->zeroes = t; if(ctx->zeroes){ memset(ctx->ch[0].median, 0, sizeof(ctx->ch[0].median)); @@ -286,24 +293,24 @@ static int wv_get_value(WavpackContext *ctx, GetBitContext *gb, int channel, int } } - if(get_bits_count(gb) >= ctx->data_size){ - *last = 1; - return 0; - } - if(ctx->zero){ t = 0; ctx->zero = 0; }else{ t = get_unary_0_33(gb); - if(get_bits_count(gb) >= ctx->data_size){ - *last = 1; - return 0; - } + if(get_bits_left(gb) < 0) + goto error; if(t == 16) { t2 = get_unary_0_33(gb); - if(t2 < 2) t += t2; - else t += get_bits(gb, t2 - 1) | (1 << (t2 - 1)); + if(t2 < 2){ + if(get_bits_left(gb) < 0) + goto error; + t += t2; + }else{ + if(get_bits_left(gb) < t2 - 1) + goto error; + t += get_bits(gb, t2 - 1) | (1 << (t2 - 1)); + } } if(ctx->one){ @@ -343,9 +350,13 @@ static int wv_get_value(WavpackContext *ctx, GetBitContext *gb, int channel, int } if(!c->error_limit){ ret = base + get_tail(gb, add); + if (get_bits_left(gb) <= 0) + goto error; }else{ int mid = (base*2 + add + 1) >> 1; while(add > c->error_limit){ + if(get_bits_left(gb) <= 0) + goto error; if(get_bits1(gb)){ add -= (mid - base); base = mid; @@ -359,6 +370,10 @@ static int wv_get_value(WavpackContext *ctx, GetBitContext *gb, int channel, int if(ctx->hybrid_bitrate) c->slow_level += wp_log2(ret) - LEVEL_DECAY(c->slow_level); return sign ? ~ret : ret; + +error: + *last = 1; + return 0; } static inline int wv_get_value_integer(WavpackContext *s, uint32_t *crc, int S) 
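Review bot: The two checks added in the `-343` hunk of wv_get_value use `get_bits_left(gb) <= 0`, while the checks added in the earlier hunks of the same function use `get_bits_left(gb) < 0`; a block whose last coded sample consumes exactly the final bit is therefore rejected after `get_tail` but accepted after `get_unary_0_33`. Unless the stricter bound is deliberate, aligning them on `< 0` (or documenting why `get_tail` needs one spare bit) avoids rejecting a valid, exactly-sized block. The new `error:` path sets `*last = 1` and returns 0, so a truncated sample is delivered as a zero value rather than an error code and the callers presumably learn about it only through `last`; a comment on the label, `/* bitstream exhausted: report end of data, caller zeroes samples_left */`, would make that contract explicit. All four hunks are inside wv_get_value, whose start is outside the hunk.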
@@ -559,7 +574,10 @@ static inline int wv_unpack_stereo(WavpackContext *s, GetBitContext *gb, void *d count++; }while(!last && count < s->max_samples); - s->samples_left -= count; + if (last) + s->samples_left = 0; + else + s->samples_left -= count; if(!s->samples_left){ if(crc != s->CRC){ av_log(s->avctx, AV_LOG_ERROR, "CRC error\n"); @@ -632,7 +650,10 @@ static inline int wv_unpack_mono(WavpackContext *s, GetBitContext *gb, void *dst count++; }while(!last && count < s->samples); - s->samples_left -= count; + if (last) + s->samples_left = 0; + else + s->samples_left -= count; if(!s->samples_left){ if(crc != s->CRC){ av_log(s->avctx, AV_LOG_ERROR, "CRC error\n"); From f5a8c4242eda7a41d8c93d9ddf352cb31830b06b Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 7 Sep 2011 22:17:39 +0200 Subject: [PATCH 25/58] Fixed invalid writes in wavpack decoder on corrupted bitstreams. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 0aedab03405849962b469277afe047aa2c61a87f) Signed-off-by: Anton Khirnov (cherry picked from commit 685940da4c843beb9283a21718cbd2fa4fa5d796) Conflicts: libavcodec/wavpack.c Signed-off-by: Reinhard Tartler --- libavcodec/wavpack.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 906ccea766..968ffa600b 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -1009,7 +1009,7 @@ static int wavpack_decode_frame(AVCodecContext *avctx, int16_t *dst = (int16_t*)samples + samplecount * 2; int16_t *src = (int16_t*)samples + samplecount; int cnt = samplecount; - while(cnt--){ + while(cnt-- > 0){ *--dst = *--src; *--dst = *src; } 
@@ -1018,7 +1018,7 @@ static int wavpack_decode_frame(AVCodecContext *avctx, int32_t *dst = (int32_t*)samples + samplecount * 2; int32_t *src = (int32_t*)samples + samplecount; int cnt = samplecount; - while(cnt--){ + while(cnt-- > 0){ *--dst = *--src; *--dst = *src; } @@ -1027,7 +1027,7 @@ static int wavpack_decode_frame(AVCodecContext *avctx, float *dst = (float*)samples + samplecount * 2; float *src = (float*)samples + samplecount; int cnt = samplecount; - while(cnt--){ + while(cnt-- > 0){ *--dst = *--src; *--dst = *src; } From 14fae6eab0e32af483d86fb7c2ac7e69e69d638e Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 8 Sep 2011 11:02:43 -0700 Subject: [PATCH 26/58] wavpack: Check error codes rather than working around error conditions. (cherry picked from commit dba2b63a98bdcac7bda1a8a2c48950518c075e17) Signed-off-by: Anton Khirnov (cherry picked from commit 5d4c065476da547fd1a8a604e3047e1b3a7a29d8) Conflicts: libavcodec/wavpack.c Signed-off-by: Reinhard Tartler --- libavcodec/wavpack.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index 968ffa600b..db83c44132 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -997,6 +997,9 @@ static int wavpack_decode_frame(AVCodecContext *avctx, else samplecount = wv_unpack_stereo(s, &s->gb, samples, SAMPLE_FMT_FLT); + if (samplecount < 0) + return -1; + }else{ if(avctx->sample_fmt == SAMPLE_FMT_S16) samplecount = wv_unpack_mono(s, &s->gb, samples, SAMPLE_FMT_S16); @@ -1005,6 +1008,9 @@ static int wavpack_decode_frame(AVCodecContext *avctx, else samplecount = wv_unpack_mono(s, &s->gb, samples, SAMPLE_FMT_FLT); + if (samplecount < 0) + return -1; + if(s->stereo && avctx->sample_fmt == SAMPLE_FMT_S16){ int16_t *dst = (int16_t*)samples + samplecount * 2; int16_t *src = (int16_t*)samples + samplecount; From 23999c45bc559d8ce56f1f0f07468b3180fd48a0 Mon Sep 17 00:00:00 2001 
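Review bot: Style: the two new `if (samplecount < 0) return -1;` checks return a bare -1 and are silent, whereas the indeo2 change in this same series returns `AVERROR_INVALIDDATA` with a log line. Prefer `return AVERROR_INVALIDDATA;`, or propagate `samplecount` itself if the unpack functions already return an AVERROR code (their return convention is not visible here), so callers get a meaningful error rather than a generic failure.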
From: Alex Converse Date: Fri, 9 Sep 2011 13:24:19 -0700 Subject: [PATCH 27/58] indeo2: init_get_bits size in bits instead of bytes (cherry picked from commit 68ca330cbd479111db9cb7649d7530ad59f04cc8) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavcodec/indeo2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index a3d6c80081..7060578044 100644 --- a/libavcodec/indeo2.c +++ b/libavcodec/indeo2.c @@ -165,7 +165,7 @@ static int ir2_decode_frame(AVCodecContext *avctx, #endif start = 48; /* hardcoded for now */ - init_get_bits(&s->gb, buf + start, buf_size - start); + init_get_bits(&s->gb, buf + start, (buf_size - start) * 8); if (s->decode_delta) { /* intraframe */ ir2_decode_plane(s, avctx->width, avctx->height, From 7f163e5a8749845b8fb25337a1b7023a8d9d4bc0 Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Fri, 9 Sep 2011 13:26:49 -0700 Subject: [PATCH 28/58] indeo2: fail if input buffer too small (cherry picked from commit b7ce4f1d1c3add86ece7ca595ea6c4a10b471055) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavcodec/indeo2.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c index 7060578044..819c94bea1 100644 --- a/libavcodec/indeo2.c +++ b/libavcodec/indeo2.c @@ -156,6 +156,13 @@ static int ir2_decode_frame(AVCodecContext *avctx, return -1; } + start = 48; /* hardcoded for now */ + + if (start >= buf_size) { + av_log(s->avctx, AV_LOG_ERROR, "input buffer size too small (%d)\n", buf_size); + return AVERROR_INVALIDDATA; + } + s->decode_delta = buf[18]; /* decide whether frame uses deltas or not */ @@ -163,7 +170,6 @@ static int ir2_decode_frame(AVCodecContext *avctx, for (i = 0; i < buf_size; i++) buf[i] = av_reverse[buf[i]]; #endif - start = 48; /* hardcoded for now */ init_get_bits(&s->gb, buf + start, (buf_size - start) * 8); From 5394cdf7759ca12f0dde2c31483ecb5f3450afda Mon Sep 17 00:00:00 2001 
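Review bot: Style: the new check logs through `s->avctx` although the function receives `avctx` directly (see the hunk header); `av_log(avctx, AV_LOG_ERROR, ...)` is simpler and does not depend on the context having been initialised. The message would also be more useful if it stated the minimum it enforces, e.g. `"input buffer size too small (%d, need more than %d)\n", buf_size, start`, since `start` is a hard-coded 48 whose meaning the `/* hardcoded for now */` comment does not explain.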
From: Laurent Aimar Date: Wed, 7 Sep 2011 21:43:03 +0200 Subject: [PATCH 29/58] Fixed segfault with wavpack decoder on corrupted decorrelation terms sub-blocks. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 8bfea4ab4e2cb32bc7bf6f697ee30a238c65d296) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavcodec/wavpack.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index db83c44132..43f28a67d4 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -776,12 +776,13 @@ static int wavpack_decode_frame(AVCodecContext *avctx, } switch(id & WP_IDF_MASK){ case WP_ID_DECTERMS: - s->terms = size; - if(s->terms > MAX_TERMS){ + if(size > MAX_TERMS){ av_log(avctx, AV_LOG_ERROR, "Too many decorrelation terms\n"); + s->terms = 0; buf += ssize; continue; } + s->terms = size; for(i = 0; i < s->terms; i++) { s->decorr[s->terms - i - 1].value = (*buf & 0x1F) - 5; s->decorr[s->terms - i - 1].delta = *buf >> 5; From f79f3a946f91de62d879b73410d80fd4e55ea28f Mon Sep 17 00:00:00 2001 From: Kostya Shishkov Date: Mon, 12 Sep 2011 09:40:42 +0200 Subject: [PATCH 30/58] smacker demuxer: handle possible av_realloc() failure. Signed-off-by: Anton Khirnov (cherry picked from commit 47a8589f7bc69d1a29da1dfdfbd0dfa78a9e31fd) Signed-off-by: Anton Khirnov (cherry picked from commit 0b9b3570a3e3f3eff088ee061dbab165ff3eff2f) Conflicts: libavformat/smacker.c Signed-off-by: Reinhard Tartler --- libavformat/smacker.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavformat/smacker.c b/libavformat/smacker.c index 0dcc286556..056e9dc22f 100644 --- a/libavformat/smacker.c +++ b/libavformat/smacker.c 
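Review bot: With `s->terms = 0` the decoder silently continues the frame with no decorrelation terms after logging at AV_LOG_ERROR, so a malformed sub-block yields wrong audio without any error reaching the caller. Unless skipping bad sub-blocks is the intended policy of this parser (the enclosing loop is outside the hunk), `return AVERROR_INVALIDDATA;` in place of `buf += ssize; continue;` is the safer choice. The per-term loop also reads `s->terms` bytes from `buf`; I cannot see from the hunk whether `size` was checked against the remaining packet length before this switch.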
@@ -289,10 +289,15 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt) if(flags & 1) { int size; size = get_le32(s->pb) - 4; + uint8_t *tmpbuf; + frame_size -= size; frame_size -= 4; smk->curstream++; - smk->bufs[smk->curstream] = av_realloc(smk->bufs[smk->curstream], size); + tmpbuf = av_realloc(smk->bufs[smk->curstream], size); + if (!tmpbuf) + return AVERROR(ENOMEM); + smk->bufs[smk->curstream] = tmpbuf; smk->buf_sizes[smk->curstream] = size; ret = get_buffer(s->pb, smk->bufs[smk->curstream], size); if(ret != size) From a97e82c48762cd0b1faa249cc0ec3469f149c5f0 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 10 Sep 2011 00:32:12 +0200 Subject: [PATCH 31/58] Fixed size given to init_get_bits() in xan decoder. (cherry picked from commit 393d5031c6aaaf8c2dda4eb5d676974c349fae85) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavcodec/xan.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/libavcodec/xan.c b/libavcodec/xan.c index 3f6aa8cee5..9f20b7f280 100644 --- a/libavcodec/xan.c +++ b/libavcodec/xan.c @@ -88,17 +88,18 @@ static av_cold int xan_decode_init(AVCodecContext *avctx) return 0; } -static int xan_huffman_decode(unsigned char *dest, const unsigned char *src, - int dest_len) +static int xan_huffman_decode(unsigned char *dest, int dest_len, + const unsigned char *src, int src_len) { unsigned char byte = *src++; unsigned char ival = byte + 0x16; const unsigned char * ptr = src + byte*2; + int ptr_len = src_len - 1 - byte*2; unsigned char val = ival; unsigned char *dest_end = dest + dest_len; GetBitContext gb; - init_get_bits(&gb, ptr, 0); // FIXME: no src size available + init_get_bits(&gb, ptr, ptr_len * 8); while ( val != 0x16 ) { val = src[val - 0x17 + get_bits1(&gb) * byte]; 
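Review bot: `uint8_t *tmpbuf;` is declared after the `size = get_le32(s->pb) - 4;` statement; this tree builds with -Wdeclaration-after-statement as far as I recall, so move the declaration above the assignment. More importantly `size` is still unvalidated: a value of 0 makes `av_realloc(p, 0)` return NULL if it follows realloc's size-0 semantics, which the new check reports as ENOMEM while leaving a freed pointer in `smk->bufs[smk->curstream]`, and a negative value wraps to an enormous allocation. Reject it before the realloc, e.g. `if (size <= 0 || size + 4 > frame_size) return AVERROR_INVALIDDATA;`, using the accounting that the `frame_size -= size; frame_size -= 4;` lines already imply.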
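Review bot: `ptr_len = src_len - 1 - byte*2` goes negative whenever `src_len < 1 + 2*byte`, and that negative value is multiplied by 8 and handed to `init_get_bits`; depending on the bitreader version that yields either an empty context or an out-of-range size, so reject it explicitly with `if (ptr_len < 0) return AVERROR_INVALIDDATA;` before the init (the function already returns int). The table walk `src[val - 0x17 + get_bits1(&gb) * byte]` also indexes `src` by a data-derived value with no reference to `src_len` or to the `byte*2` table size, so the new length parameter does not yet bound that read; the loop continues past the hunk.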
@@ -263,7 +264,8 @@ static void xan_wc3_decode_frame(XanContext *s) { vector_segment = s->buf + AV_RL16(&s->buf[4]); imagedata_segment = s->buf + AV_RL16(&s->buf[6]); - xan_huffman_decode(opcode_buffer, huffman_segment, opcode_buffer_size); + xan_huffman_decode(opcode_buffer, opcode_buffer_size, + huffman_segment, s->size - (huffman_segment - s->buf) ); if (imagedata_segment[0] == 2) xan_unpack(s->buffer2, &imagedata_segment[1], s->buffer2_size); From 44925239383d54af3d329fb5b12345f6209e8e62 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 11 Sep 2011 19:17:40 +0200 Subject: [PATCH 32/58] ape demuxer: fix segfault on memory allocation failure. Signed-off-by: Anton Khirnov (cherry picked from commit 273aab99bf7be2bcda95dd64101c2317ee0fcb99) Signed-off-by: Anton Khirnov (cherry picked from commit 4ee014309c377f7cfaa9578a393864ae500136f6) Signed-off-by: Reinhard Tartler --- libavformat/ape.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/ape.c b/libavformat/ape.c index 0ebc307668..56a9c78a39 100644 --- a/libavformat/ape.c +++ b/libavformat/ape.c @@ -263,6 +263,8 @@ static int ape_read_header(AVFormatContext * s, AVFormatParameters * ap) if (ape->seektablelength > 0) { ape->seektable = av_malloc(ape->seektablelength); + if (!ape->seektable) + return AVERROR(ENOMEM); for (i = 0; i < ape->seektablelength / sizeof(uint32_t); i++) ape->seektable[i] = get_le32(pb); } From 6f70111e817ea83cfad8cc9be313c2c05cb2d28b Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Mon, 12 Sep 2011 20:50:13 +0200 Subject: [PATCH 33/58] Check for invalid packet size in the smacker demuxer. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit e055932f5636a82275837968eea9c8fcb5bca474) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavformat/smacker.c | 2 ++ 1 file changed, 2 insertions(+) 
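Review bot: The new `src_len` argument is computed as `s->size - (huffman_segment - s->buf)`, but neither `huffman_segment` (presumably set the same way just above the hunk) nor the `vector_segment`/`imagedata_segment` offsets read via `AV_RL16` are compared with `s->size`, so an offset past the end still produces a negative length, and the `imagedata_segment[0]` read below is unchecked. Validate the offsets before any of them is dereferenced; `xan_wc3_decode_frame` is void, so the best it can do is bail out (and log).
```c
    /* … unchanged: segment pointers derived from AV_RL16(&s->buf[2..6]) … */
    if (AV_RL16(&s->buf[4]) >= s->size ||
        AV_RL16(&s->buf[6]) >= s->size ||
        huffman_segment - s->buf >= s->size)
        return; /* offsets outside the packet: nothing safe to decode */
```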
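Review bot: `ape->seektablelength` is used here as an allocation size and loop bound with no range check in sight; it is read from the file header above the hunk, so a hostile file can request an arbitrarily large `av_malloc` (only ENOMEM is now handled), and a length that is not a multiple of `sizeof(uint32_t)` leaves the trailing bytes unread, desynchronising the stream position. Reject or bound it before allocating, e.g. `if (ape->seektablelength % sizeof(uint32_t)) return AVERROR_INVALIDDATA;` together with an upper bound derived from the file size, and consider checking for EOF after the `get_le32` loop.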
diff --git a/libavformat/smacker.c b/libavformat/smacker.c
index 056e9dc22f..a916a7bdf1 100644
--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -306,6 +306,8 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt)
 }
 flags >>= 1;
 }
+ if (frame_size < 0)
+ return AVERROR_INVALIDDATA;
 if (av_new_packet(pkt, frame_size + 768))
 return AVERROR(ENOMEM);
 if(smk->frm_size[smk->cur_frame] & 1)
From 9f28eede5e56033a6f5a4fa4bece97111701d2db Mon Sep 17 00:00:00 2001
From: Laurent Aimar
Date: Mon, 12 Sep 2011 20:50:34 +0200
Subject: [PATCH 34/58] Fixed off by one packet size allocation in the smacker demuxer.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Martin Storsjö
(cherry picked from commit a92d0fa5d234582583d41b67dddecffc2c819573)
Signed-off-by: Anton Khirnov
Signed-off-by: Reinhard Tartler
---
 libavformat/smacker.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/smacker.c b/libavformat/smacker.c
index a916a7bdf1..5cefe7bb4e 100644
--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -308,7 +308,7 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt)
 }
 if (frame_size < 0)
 return AVERROR_INVALIDDATA;
- if (av_new_packet(pkt, frame_size + 768))
+ if (av_new_packet(pkt, frame_size + 769))
 return AVERROR(ENOMEM);
 if(smk->frm_size[smk->cur_frame] & 1)
 palchange |= 2;
From 5d6fe49ac91b42436616c4f2aad650231646b51a Mon Sep 17 00:00:00 2001
From: Laurent Aimar
Date: Mon, 12 Sep 2011 23:46:49 +0200
Subject: [PATCH 35/58] Check and propagate errors when VLC trees cannot be built in smacker decoder.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Martin Storsjö
(cherry picked from commit 9676ffba8346791f494451e68d2a3b37a2918a9b)
Signed-off-by: Anton Khirnov
Signed-off-by: Reinhard Tartler
---
 libavcodec/smacker.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
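Review bot: The `frame_size < 0` check runs only after the loop that has already consumed each audio chunk through `av_realloc`/`get_buffer`, so an oversize chunk is still allocated and read in full before the packet is rejected; checking each chunk's `size` against the remaining `frame_size` inside that loop, where `frame_size -= size` is done, stops the damage earlier. The loop itself is outside this hunk.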
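Review bot: `frame_size + 769` replaces one magic number with another and nothing on the line says what the extra byte is for; 768 looks like a 256-entry RGB palette and the next visible line tests a palette-change flag, but I cannot confirm the layout from the hunk. Name the constants, e.g. `av_new_packet(pkt, frame_size + 1 + SMK_PAL_SIZE)` with `SMK_PAL_SIZE` defined as 768, or at least add `/* payload + 1 flag byte + 768-byte palette — TODO confirm */` so the next off-by-one is not repeated.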
diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 1d85f68907..1af206f10e 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -133,10 +133,10 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx return -1; } b1 = get_bits_count(gb); - i1 = get_vlc2(gb, ctx->v1->table, SMKTREE_BITS, 3); + i1 = ctx->v1->table ? get_vlc2(gb, ctx->v1->table, SMKTREE_BITS, 3) : 0; b1 = get_bits_count(gb) - b1; b2 = get_bits_count(gb); - i2 = get_vlc2(gb, ctx->v2->table, SMKTREE_BITS, 3); + i2 = ctx->v2->table ? get_vlc2(gb, ctx->v2->table, SMKTREE_BITS, 3) : 0; b2 = get_bits_count(gb) - b2; val = ctx->recode1[i1] | (ctx->recode2[i2] << 8); if(val == ctx->escapes[0]) { @@ -289,7 +289,8 @@ static int decode_header_trees(SmackVContext *smk) { smk->mmap_tbl[0] = 0; smk->mmap_last[0] = smk->mmap_last[1] = smk->mmap_last[2] = 1; } else { - smacker_decode_header_tree(smk, &gb, &smk->mmap_tbl, smk->mmap_last, mmap_size); + if (smacker_decode_header_tree(smk, &gb, &smk->mmap_tbl, smk->mmap_last, mmap_size)) + return -1; } if(!get_bits1(&gb)) { av_log(smk->avctx, AV_LOG_INFO, "Skipping MCLR tree\n"); @@ -297,7 +298,8 @@ static int decode_header_trees(SmackVContext *smk) { smk->mclr_tbl[0] = 0; smk->mclr_last[0] = smk->mclr_last[1] = smk->mclr_last[2] = 1; } else { - smacker_decode_header_tree(smk, &gb, &smk->mclr_tbl, smk->mclr_last, mclr_size); + if (smacker_decode_header_tree(smk, &gb, &smk->mclr_tbl, smk->mclr_last, mclr_size)) + return -1; } if(!get_bits1(&gb)) { av_log(smk->avctx, AV_LOG_INFO, "Skipping FULL tree\n"); 
@@ -305,7 +307,8 @@ static int decode_header_trees(SmackVContext *smk) { smk->full_tbl[0] = 0; smk->full_last[0] = smk->full_last[1] = smk->full_last[2] = 1; } else { - smacker_decode_header_tree(smk, &gb, &smk->full_tbl, smk->full_last, full_size); + if (smacker_decode_header_tree(smk, &gb, &smk->full_tbl, smk->full_last, full_size)) + return -1; } if(!get_bits1(&gb)) { av_log(smk->avctx, AV_LOG_INFO, "Skipping TYPE tree\n"); @@ -313,7 +316,8 @@ static int decode_header_trees(SmackVContext *smk) { smk->type_tbl[0] = 0; smk->type_last[0] = smk->type_last[1] = smk->type_last[2] = 1; } else { - smacker_decode_header_tree(smk, &gb, &smk->type_tbl, smk->type_last, type_size); + if (smacker_decode_header_tree(smk, &gb, &smk->type_tbl, smk->type_last, type_size)) + return -1; } return 0; @@ -523,8 +527,8 @@ static av_cold int decode_init(AVCodecContext *avctx) return -1; } - decode_header_trees(c); - + if (decode_header_trees(c)) + return -1; return 0; } From 117e04cdfa814d2ce4ce46dd925ec5257614d265 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Mon, 12 Sep 2011 23:49:36 +0200 Subject: [PATCH 36/58] Check for invalid VLC value in smacker decoder. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 6489455495fc5bfbebcfe3f57e5d4fdd6a781091) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavcodec/smacker.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 1af206f10e..0424481f19 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -138,6 +138,8 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx b2 = get_bits_count(gb); i2 = ctx->v2->table ? get_vlc2(gb, ctx->v2->table, SMKTREE_BITS, 3) : 0; b2 = get_bits_count(gb) - b2; + if (i1 < 0 || i2 < 0) + return -1; val = ctx->recode1[i1] | (ctx->recode2[i2] << 8); if(val == ctx->escapes[0]) { ctx->last[0] = hc->current; 
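Review bot: `decode_init` now returns -1 when `decode_header_trees` fails, but the tables built by the `smacker_decode_header_tree` calls that already succeeded are not released on that path; if `avcodec_open` in this tree frees `priv_data` without calling the codec's close callback after a failed init (my recollection, worth verifying), those allocations leak on every rejected file. Free the already built tables before `return -1`, or have `decode_header_trees` clean up after itself on failure.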
From 19a99b6e6bd91d9f177ddf69602106c89698f01d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 13 Sep 2011 23:24:56 +0200 Subject: [PATCH 37/58] smacker: fix a few off by 1 errors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit stereo & 16bit is untested due to lack of samples Signed-off-by: Martin Storsjö (cherry picked from commit 5166376f24545207607f61ed8ff4e1b0572ff320) Signed-off-by: Anton Khirnov (cherry picked from commit 78cd2e18a4aa2835f6d04cf145121fc82099c1a5) Conflicts: libavcodec/smacker.c Signed-off-by: Reinhard Tartler --- libavcodec/smacker.c | 8 +-- tests/ref/fate/smacker | 160 ++++++++++++++++++++--------------------- 2 files changed, 84 insertions(+), 84 deletions(-) diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c index 0424481f19..e2c1a8776c 100644 --- a/libavcodec/smacker.c +++ b/libavcodec/smacker.c @@ -625,9 +625,9 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size, if(bits) { //decode 16-bit data for(i = stereo; i >= 0; i--) pred[i] = bswap_16(get_bits(&gb, 16)); - for(i = 0; i < stereo; i++) + for(i = 0; i <= stereo; i++) *samples++ = pred[i]; - for(i = 0; i < unp_size / 2; i++) { + for(; i < unp_size / 2; i++) { if(i & stereo) { if(vlc[2].table) res = get_vlc2(&gb, vlc[2].table, SMKTREE_BITS, 3); @@ -659,9 +659,9 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size, } else { //8-bit data for(i = stereo; i >= 0; i--) pred[i] = get_bits(&gb, 8); - for(i = 0; i < stereo; i++) + for(i = 0; i <= stereo; i++) *samples8++ = pred[i]; - for(i = 0; i < unp_size; i++) { + for(; i < unp_size; i++) { if(i & stereo){ if(vlc[1].table) res = get_vlc2(&gb, vlc[1].table, SMKTREE_BITS, 3); diff --git a/tests/ref/fate/smacker b/tests/ref/fate/smacker index 85c4a9817c..df88a4ae8a 100644 --- a/tests/ref/fate/smacker +++ b/tests/ref/fate/smacker 
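Review bot: The fix is a change of loop bounds only and nothing in the code says why: the `for(i = 0; i <= stereo; i++)` loops now emit `stereo + 1` raw predictor samples, and the VLC loops continue from `i = stereo + 1` instead of restarting at 0. Add `/* the first stereo+1 samples are the raw predictors; decode the rest from i = stereo+1 */` above each of the two loops so the relation between the two bounds is explicit. The commit message notes 16-bit stereo is untested; the fate reference only shows that stream 1's output changed, not which layout it exercises.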
@@ -1,5 +1,5 @@ 0, 0, 192000, 0x8926d7fc -1, 0, 47240, 0xad778a78 +1, 0, 47240, 0x9974897c 0, 6390, 192000, 0x2506d384 0, 12780, 192000, 0x9a8dc93a 0, 19170, 192000, 0x4badb7f2 
@@ -15,163 +15,163 @@ 0, 83070, 192000, 0x1a3d7971 0, 89460, 192000, 0xa1a65bd5 0, 95850, 192000, 0x344957b9 -1, 96408, 3128, 0x4c1564ae +1, 96408, 3128, 0x7e4064b4 0, 102240, 192000, 0xe23b5f4e -1, 102792, 3128, 0x34553309 +1, 102792, 3128, 0x80883301 0, 108630, 192000, 0xb5c2710b -1, 109176, 3136, 0xb474d246 +1, 109176, 3136, 0x2ad2d341 0, 115020, 192000, 0x7a25938f -1, 115576, 3128, 0x87b868ea +1, 115576, 3128, 0xda8468e3 0, 121410, 192000, 0x0a84e4c9 -1, 121959, 3136, 0xf1516dc3 +1, 121959, 3136, 0x9d6f6cdf 0, 127800, 192000, 0x94209b0d -1, 128359, 3128, 0x867563cb +1, 128359, 3128, 0x1aaa64b5 0, 134190, 192000, 0xf940e51f -1, 134743, 3128, 0x5200728c +1, 134743, 3128, 0x9182728b 0, 140580, 192000, 0xb9fdec42 -1, 141127, 3136, 0xeda118a0 +1, 141127, 3136, 0xfa8e17b3 0, 146970, 192000, 0x7b04a376 -1, 147527, 3128, 0x03e2c1d6 +1, 147527, 3128, 0x0dc3c1cf 0, 153360, 192000, 0x5fe0026b -1, 153910, 3136, 0xc3e862b6 +1, 153910, 3136, 0x0109639d 0, 159750, 192000, 0x775aca39 -1, 160310, 3128, 0x937a13be +1, 160310, 3128, 0x6d8a12d9 0, 166140, 192000, 0xae14fb32 -1, 166694, 3128, 0x7b1b9577 +1, 166694, 3128, 0x4b9a9597 0, 172530, 192000, 0x661106e5 -1, 173078, 3136, 0x042c7113 +1, 173078, 3136, 0x9112710e 0, 178920, 192000, 0xe8658dbf -1, 179478, 3128, 0xac48f451 +1, 179478, 3128, 0x8cccf522 0, 185310, 192000, 0x5359f0f9 -1, 185861, 3128, 0x018fbbe9 +1, 185861, 3128, 0x6594bbf3 0, 191700, 192000, 0xc1ec80f4 -1, 192245, 3136, 0xc62aa7ce +1, 192245, 3136, 0xd878a7d5 0, 198090, 192000, 0xca53806b -1, 198645, 3128, 0x106e3924 +1, 198645, 3128, 0xaa6e3905 0, 204480, 192000, 0xf0766b2e -1, 205029, 3136, 0xfeb82ecc +1, 205029, 3136, 0x2a062e04 0, 210870, 192000, 0x39962da8 -1, 211429, 3128, 0x7e7c005b +1, 211429, 3128, 0x84e4006a 0, 217260, 192000, 0x4171c37f -1, 217812, 3128, 0x949d3560 +1, 217812, 3128, 0x85183633 0, 223650, 192000, 0x3abf3b46 -1, 224196, 3136, 0x02bd4aff +1, 224196, 3136, 0xb62d4b02 0, 230040, 192000, 0xecc68313 -1, 230596, 3128, 0x4aaf4715 +1, 230596, 
3128, 0xe209462a 0, 236430, 192000, 0xea339baf -1, 236980, 3136, 0x2958825f +1, 236980, 3136, 0x57c4824b 0, 242820, 192000, 0x616b8f16 -1, 243380, 3128, 0x99a5914d +1, 243380, 3128, 0x664a9163 0, 249210, 192000, 0xf77a8581 -1, 249763, 3128, 0xe67277a4 +1, 249763, 3128, 0xb4287874 0, 255600, 192000, 0xb315678b -1, 256147, 3136, 0x11296973 +1, 256147, 3136, 0xde626885 0, 261990, 192000, 0x0a4a5218 -1, 262547, 3128, 0x5cc362f7 +1, 262547, 3128, 0x919763c2 0, 268380, 192000, 0x98802be4 -1, 268931, 3128, 0x0c5e6586 +1, 268931, 3128, 0xa4f664e1 0, 274770, 192000, 0xa2f0fd94 -1, 275314, 3136, 0xe940b0f9 +1, 275314, 3136, 0xa0bab0d4 0, 281160, 192000, 0x6671c84f -1, 281714, 3128, 0x2c9292cc +1, 281714, 3128, 0xe938939c 0, 287550, 192000, 0x38327e31 -1, 288098, 3136, 0xa807c096 +1, 288098, 3136, 0x3679bfc7 0, 293940, 192000, 0xb85d3e08 -1, 294498, 3128, 0x9d2254d8 +1, 294498, 3128, 0xc96c55c3 0, 300330, 192000, 0xdc69eba9 -1, 300882, 3128, 0xe68015b0 +1, 300882, 3128, 0x119114d6 0, 306720, 192000, 0x8955a0b3 -1, 307265, 3136, 0x65d58029 +1, 307265, 3136, 0x42f3800f 0, 313110, 192000, 0x714a548b -1, 313665, 3128, 0xcffcc48c +1, 313665, 3128, 0x4250c4ad 0, 319500, 192000, 0xc0471de9 -1, 320049, 3136, 0x8c704944 +1, 320049, 3136, 0x5cdd4925 0, 325890, 192000, 0x2e16e039 -1, 326449, 3128, 0x1459231d +1, 326449, 3128, 0xa4c12360 0, 332280, 192000, 0x9fa4b033 -1, 332833, 3128, 0x7dde4839 +1, 332833, 3128, 0x849f48de 0, 338670, 192000, 0x4a0f9402 -1, 339216, 3136, 0xbb6890e2 +1, 339216, 3136, 0x6acd8ff9 0, 345060, 192000, 0x1f3e6843 -1, 345616, 3128, 0xcd9a8524 +1, 345616, 3128, 0xb2758556 0, 351450, 192000, 0x31774850 -1, 352000, 3128, 0xa244fc31 +1, 352000, 3128, 0x10f2fcb1 0, 357840, 192000, 0x9d5336a2 -1, 358384, 3136, 0x504e2bd9 +1, 358384, 3136, 0xf0f02b23 0, 364230, 192000, 0xf7de27a2 -1, 364784, 3128, 0x655858d8 +1, 364784, 3128, 0x64f759c6 0, 370620, 192000, 0x98c717ce -1, 371167, 3136, 0x46027610 +1, 371167, 3136, 0x7ec075e3 0, 377010, 192000, 0x615b10b8 -1, 377567, 
3128, 0x4192d5e3 +1, 377567, 3128, 0xf981d51e 0, 383400, 192000, 0xd5bc0e7e -1, 383951, 3128, 0x21d2e7fe +1, 383951, 3128, 0xc622e8b9 0, 389790, 192000, 0xd5bc0e7e -1, 390335, 3136, 0x7c93e329 +1, 390335, 3136, 0xf632e2f8 0, 396180, 192000, 0xd5bc0e7e -1, 396735, 3128, 0xa67718c0 +1, 396735, 3128, 0xda561864 0, 402570, 192000, 0xd5bc0e7e -1, 403118, 3136, 0x9bb6e8a3 +1, 403118, 3136, 0x14d2e888 0, 408960, 192000, 0xd5bc0e7e -1, 409518, 3128, 0x0933b7a6 +1, 409518, 3128, 0x015bb869 0, 415350, 192000, 0xd5bc0e7e -1, 415902, 3128, 0x07f1fb57 +1, 415902, 3128, 0xedb1fb62 0, 421740, 192000, 0xd5bc0e7e -1, 422286, 3136, 0x8a050cfd +1, 422286, 3136, 0xe0560c41 0, 428130, 192000, 0xd5bc0e7e -1, 428686, 3128, 0xdb773c0b +1, 428686, 3128, 0x14773c9a 0, 434520, 192000, 0xd5bc0e7e -1, 435069, 3136, 0xd1281c53 +1, 435069, 3136, 0x850f1c82 0, 440910, 192000, 0xd5bc0e7e -1, 441469, 3128, 0x9f395324 +1, 441469, 3128, 0xb0bd5347 0, 447300, 192000, 0xd5bc0e7e -1, 447853, 3128, 0x5f13edec +1, 447853, 3128, 0x8f82edbf 0, 453690, 192000, 0xd5bc0e7e -1, 454237, 3136, 0x871cbecf +1, 454237, 3136, 0x493abee2 0, 460080, 192000, 0xd5bc0e7e -1, 460637, 3128, 0x799eff3e +1, 460637, 3128, 0xf5daff3f 0, 466470, 192000, 0xd5bc0e7e -1, 467020, 3128, 0x3f902762 +1, 467020, 3128, 0x78ad2690 0, 472860, 192000, 0xd5bc0e7e -1, 473404, 3136, 0x29f8bb04 +1, 473404, 3136, 0x490ebafc 0, 479250, 192000, 0xd5bc0e7e -1, 479804, 3128, 0xf3523ee9 +1, 479804, 3128, 0x70333fd2 0, 485640, 192000, 0xd5bc0e7e -1, 486188, 3136, 0x4405c435 +1, 486188, 3136, 0x8cb1c350 0, 492030, 192000, 0xd5bc0e7e -1, 492588, 3128, 0x892957cb +1, 492588, 3128, 0x8bd057cb 0, 498420, 192000, 0xd5bc0e7e -1, 498971, 3128, 0xdf483dbd +1, 498971, 3128, 0x161b3dbc 0, 504810, 192000, 0xd5bc0e7e -1, 505355, 3136, 0x5e8ab797 +1, 505355, 3136, 0xb47fb88a 0, 511200, 192000, 0xd5bc0e7e -1, 511755, 3128, 0x92e13820 +1, 511755, 3128, 0x474b381e 0, 517590, 192000, 0xd5bc0e7e -1, 518139, 3136, 0xfde719b6 +1, 518139, 3136, 0x07c519bb 0, 523980, 
192000, 0xd5bc0e7e -1, 524539, 3128, 0x442f17ae +1, 524539, 3128, 0x15b916c8 0, 530370, 192000, 0xd5bc0e7e -1, 530922, 3128, 0x011af61f +1, 530922, 3128, 0x0ed7f6fb 0, 536760, 192000, 0xd5bc0e7e -1, 537306, 3136, 0x4e3e3a6d +1, 537306, 3136, 0x54d6397b 0, 543150, 192000, 0xd5bc0e7e -1, 543706, 3128, 0xc11242b9 +1, 543706, 3128, 0x437242bb 0, 549540, 192000, 0xd5bc0e7e -1, 550090, 3128, 0x01415b59 +1, 550090, 3128, 0x38f05c4d 0, 555930, 192000, 0xd5bc0e7e -1, 556473, 3136, 0x302e0e55 +1, 556473, 3136, 0x5d000e59 0, 562320, 192000, 0xd5bc0e7e -1, 562873, 3128, 0x20522d04 +1, 562873, 3128, 0xdeab2d04 0, 568710, 192000, 0xd5bc0e7e -1, 569257, 3136, 0x316a697d +1, 569257, 3136, 0x77de6880 0, 575100, 192000, 0xd5bc0e7e -1, 575657, 3128, 0x6d75ee27 +1, 575657, 3128, 0xbc87ef25 0, 581490, 192000, 0xd5bc0e7e -1, 582041, 3128, 0xcb008ae8 +1, 582041, 3128, 0xc1638ade 0, 587880, 192000, 0xd5bc0e7e -1, 588424, 3136, 0xd2664b51 +1, 588424, 3136, 0xcfb64a5f 0, 594270, 192000, 0xd5bc0e7e -1, 594824, 3128, 0xdfcab728 +1, 594824, 3128, 0x90b1b826 0, 600660, 192000, 0xd5bc0e7e 1, 601208, 3136, 0x00000000 0, 607050, 192000, 0xd5bc0e7e From 23f622de60d66b6e47c28493089566becd635426 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 11 Sep 2011 23:26:12 +0200 Subject: [PATCH 38/58] oggdec: fix out of bound write in the ogg demuxer Between ogg_save() and ogg_restore() calls, the number of streams could have been reduced. Signed-off-by: Luca Barbato (cherry picked from commit 0e7efb9d23c3641d50caa288818e8c27647ce74d) Signed-off-by: Anton Khirnov (cherry picked from commit a3d471e500674c31fa4f52a62ef789d5e7fdbd3c) Signed-off-by: Reinhard Tartler --- libavformat/oggdec.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c index 76b28ab212..bd00d1a4e6 100644 --- a/libavformat/oggdec.c +++ b/libavformat/oggdec.c 
@@ -94,14 +94,24 @@ ogg_restore (AVFormatContext * s, int discard) ogg->state = ost->next; if (!discard){ + struct ogg_stream *old_streams = ogg->streams; + for (i = 0; i < ogg->nstreams; i++) av_free (ogg->streams[i].buf); url_fseek (bc, ost->pos, SEEK_SET); ogg->curidx = ost->curidx; ogg->nstreams = ost->nstreams; - memcpy(ogg->streams, ost->streams, - ost->nstreams * sizeof(*ogg->streams)); + ogg->streams = av_realloc (ogg->streams, + ogg->nstreams * sizeof (*ogg->streams)); + + if (ogg->streams) { + memcpy(ogg->streams, ost->streams, + ost->nstreams * sizeof(*ogg->streams)); + } else { + av_free(old_streams); + ogg->nstreams = 0; + } } av_free (ost); From 7cd7461ec8013a381938b52568f9eb08ab3d1720 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 18 Sep 2011 00:03:08 +0200 Subject: [PATCH 39/58] rv10: Reject slices that does not have the same type as the first one MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This prevents crashes with some corrupted bitstreams. Signed-off-by: Martin Storsjö (cherry picked from commit 4a29b471869353c3077fb4b25b6518eb1047afb7) Signed-off-by: Anton Khirnov (cherry picked from commit 28d948ac44e38e8bec2f6268ccf4747ff4d992a9) Signed-off-by: Reinhard Tartler --- libavcodec/rv10.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c index 7b635b3a1c..af0d16c022 100644 --- a/libavcodec/rv10.c +++ b/libavcodec/rv10.c @@ -559,6 +559,11 @@ static int rv10_decode_packet(AVCodecContext *avctx, if(MPV_frame_start(s, avctx) < 0) return -1; ff_er_frame_start(s); + } else { + if (s->current_picture_ptr->pict_type != s->pict_type) { + av_log(s->avctx, AV_LOG_ERROR, "Slice type mismatch\n"); + return -1; + } } dprintf(avctx, "qscale=%d\n", s->qscale); From 35f1888585e0ffa2f1334cf92fc0a16fb4a113a6 Mon Sep 17 00:00:00 2001 
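Review bot: When `ost->nstreams` is 0 the new `av_realloc(ogg->streams, 0)` may, under realloc's size-0 semantics, free the block and return NULL (unless av_realloc guards that case — verify), after which the else branch's `av_free(old_streams)` is a double free. Handle the empty case separately and keep the realloc result in a temporary rather than overwriting `ogg->streams` before the NULL check; `ogg_restore` continues outside the hunk.
```c
            ogg->curidx   = ost->curidx;
            ogg->nstreams = ost->nstreams;
            if (!ogg->nstreams) {
                av_freep(&ogg->streams);
            } else {
                struct ogg_stream *tmp = av_realloc(ogg->streams,
                                                    ogg->nstreams * sizeof(*ogg->streams));
                if (tmp) {
                    ogg->streams = tmp;
                    memcpy(ogg->streams, ost->streams,
                           ost->nstreams * sizeof(*ogg->streams));
                } else {
                    av_freep(&ogg->streams);
                    ogg->nstreams = 0;
                }
            }
```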
From: Laurent Aimar Date: Sat, 17 Sep 2011 23:43:58 +0200 Subject: [PATCH 40/58] rv34: Avoid NULL dereference on corrupted bitstream MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit rv34_decode_slice() can return without allocating any pictures. Signed-off-by: Martin Storsjö (cherry picked from commit d0f6ab0298f2309c6104626787ed73416298b019) Signed-off-by: Anton Khirnov Signed-off-by: Reinhard Tartler --- libavcodec/rv34.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index 88652f9fe1..a1dc799c3e 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1494,7 +1494,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, break; } - if(last){ + if(last && s->current_picture_ptr){ if(r->loop_filter) r->loop_filter(r, s->mb_height - 1); ff_er_frame_end(s); From d5551d788444872deb62101b7a52e335c87db69a Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 17 Sep 2011 16:56:30 +0200 Subject: [PATCH 41/58] rv34: Fix potential overreads MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit b4ed3d78cb6c41c9d3ee5918c326ab925edd6a89) Signed-off-by: Anton Khirnov (cherry picked from commit b4a1bf0bbf53cc6a736a608732b2ac1de5c2447b) Conflicts: libavcodec/rv34.c Signed-off-by: Reinhard Tartler --- libavcodec/rv34.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index a1dc799c3e..8d5f4f7e3e 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1439,6 +1439,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, slice_count = (*buf++) + 1; slices_hdr = buf + 4; buf += 8 * slice_count; + buf_size -= 1 + 8 * slice_count; }else slice_count = avctx->slice_count; 
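Review bot: `buf_size -= 1 + 8 * slice_count;` can go negative: `slice_count` (up to 256) comes from the first packet byte, and `*buf++` itself is read before anything confirms `buf_size >= 1`, let alone that the 8-byte-per-slice table fits. Guard before the arithmetic, `if (buf_size < 1) return AVERROR_INVALIDDATA;` ahead of `slice_count = (*buf++) + 1;` and `if (buf_size < 1 + 8 * slice_count) return AVERROR_INVALIDDATA;` before the subtraction. The offset checks added later in this series compare against the possibly negative `buf_size` and happen to reject such packets, but the out-of-bounds read of the count byte remains.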
@@ -1459,7 +1460,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, if( (avctx->skip_frame >= AVDISCARD_NONREF && si.type==FF_B_TYPE) || (avctx->skip_frame >= AVDISCARD_NONKEY && si.type!=FF_I_TYPE) || avctx->skip_frame >= AVDISCARD_ALL) - return buf_size; + return avpkt->size; /* skip everything if we are in a hurry>=5 */ if(avctx->hurry_up>=5) return buf_size; @@ -1511,7 +1512,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, } s->current_picture_ptr= NULL; //so we can detect if frame_end wasnt called (find some nicer solution...) } - return buf_size; + return avpkt->size; } av_cold int ff_rv34_decode_end(AVCodecContext *avctx) From da0900e8bba8d39b022add6eb8cd1857a344c405 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Mon, 19 Sep 2011 22:48:53 +0200 Subject: [PATCH 42/58] rv34: Check for invalid slice offsets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Martin Storsjö (cherry picked from commit 4cc7732386eb36661ed22d1200339b38a5fa60bc) Signed-off-by: Anton Khirnov (cherry picked from commit 2bbb142a140173e1870017b66c439f4d430a6f67) Signed-off-by: Reinhard Tartler --- libavcodec/rv34.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index 8d5f4f7e3e..e6fa3cfd8f 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1444,8 +1444,9 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, slice_count = avctx->slice_count; //parse first slice header to check whether this frame can be decoded - if(get_slice_offset(avctx, slices_hdr, 0) > buf_size){ - av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n"); + if(get_slice_offset(avctx, slices_hdr, 0) < 0 || + get_slice_offset(avctx, slices_hdr, 0) > buf_size){ + av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); return -1; } init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), buf_size-get_slice_offset(avctx, slices_hdr, 0)); 
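Review bot: The `return avpkt->size;` correction is applied to the skip_frame branch, but the `hurry_up>=5` branch two lines below still does `return buf_size;`, which after this commit's `buf_size -= 1 + 8 * slice_count` under-reports the consumed bytes in exactly the same way; change it to `return avpkt->size;` as well.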
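Review bot: The `init_get_bits(&s->gb, buf+..., buf_size-...)` call on the last line of the hunk passes a byte count where init_get_bits expects bits — the same class of bug patch 27 of this series fixes in indeo2 — so the reader's idea of where the slice header ends is off by a factor of 8. Compute the offset once and pass bits: `offset = get_slice_offset(avctx, slices_hdr, 0);` then `init_get_bits(&s->gb, buf + offset, (buf_size - offset) * 8);`, which also removes the three repeated calls in the condition. An offset equal to `buf_size` passes the new check but leaves zero bytes for the header, so `>=` is probably the intended comparison.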
@@ -1473,8 +1474,8 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, else size= get_slice_offset(avctx, slices_hdr, i+1) - offset; - if(offset > buf_size){ - av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n"); + if(offset < 0 || offset > buf_size || size < 0){ + av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n"); break; } From b99366faef3a1ed4a34c9b37107f2c8c24702813 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sun, 11 Sep 2011 19:17:45 +0200 Subject: [PATCH 43/58] vmd: fix segfaults on corruped streams Signed-off-by: Janne Grunau Signed-off-by: Reinhard Tartler (cherry picked from commit 494cfacdb9ba3f0549e37f76b3a2f86a7aeeac3c) Signed-off-by: Reinhard Tartler --- libavcodec/vmdav.c | 104 ++++++++++++++++++++++++++++++++++----------- 1 file changed, 80 insertions(+), 24 deletions(-) diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c index 4914d2a09a..2c97d3f707 100644 --- a/libavcodec/vmdav.c +++ b/libavcodec/vmdav.c @@ -72,9 +72,11 @@ typedef struct VmdVideoContext { #define QUEUE_SIZE 0x1000 #define QUEUE_MASK 0x0FFF -static void lz_unpack(const unsigned char *src, unsigned char *dest, int dest_len) +static void lz_unpack(const unsigned char *src, int src_len, + unsigned char *dest, int dest_len) { const unsigned char *s; + unsigned int s_len; unsigned char *d; unsigned char *d_end; unsigned char queue[QUEUE_SIZE]; @@ -87,13 +89,16 @@ static void lz_unpack(const unsigned char *src, unsigned char *dest, int dest_le unsigned int i, j; s = src; + s_len = src_len; d = dest; d_end = d + dest_len; dataleft = AV_RL32(s); - s += 4; + s += 4; s_len -= 4; memset(queue, 0x20, QUEUE_SIZE); + if (s_len < 4) + return; if (AV_RL32(s) == 0x56781234) { - s += 4; + s += 4; s_len -= 4; qpos = 0x111; speclen = 0xF + 3; } else { 
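Review bot: The new condition validates `offset` and the sign of `size` but not the end of the slice: `size` is derived from the next slice's offset, which has not been validated yet, so `offset + size` can exceed `buf_size` and the slice decoder is handed a length that runs past the packet. Extend it to `if(offset < 0 || offset > buf_size || size < 0 || size > buf_size - offset){`.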
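Review bot: `dataleft = AV_RL32(s)` reads four bytes before any check of `src_len`, and `s_len -= 4` is performed on an `unsigned int`, so for `src_len < 4` the count wraps to a huge value and the new `if (s_len < 4) return;` no longer protects the second `AV_RL32(s)` or the copy loop. Add `if (s_len < 4) return;` immediately after `s_len = src_len;` (before the first read), or make `s_len` signed so the existing checks behave as written.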
@@ -101,32 +106,41 @@ static void lz_unpack(const unsigned char *src, unsigned char *dest, int dest_le speclen = 100; /* no speclen */ } - while (dataleft > 0) { - tag = *s++; + while (dataleft > 0 && s_len > 0) { + tag = *s++; s_len--; if ((tag == 0xFF) && (dataleft > 8)) { - if (d + 8 > d_end) + if (d + 8 > d_end || s_len < 8) return; for (i = 0; i < 8; i++) { queue[qpos++] = *d++ = *s++; qpos &= QUEUE_MASK; } + s_len -= 8; dataleft -= 8; } else { for (i = 0; i < 8; i++) { if (dataleft == 0) break; if (tag & 0x01) { - if (d + 1 > d_end) + if (d + 1 > d_end || s_len < 1) return; queue[qpos++] = *d++ = *s++; qpos &= QUEUE_MASK; dataleft--; + s_len--; } else { + if (s_len < 2) + return; chainofs = *s++; chainofs |= ((*s & 0xF0) << 4); chainlen = (*s++ & 0x0F) + 3; - if (chainlen == speclen) + s_len -= 2; + if (chainlen == speclen) { + if (s_len < 1) + return; chainlen = *s++ + 0xF + 3; + s_len--; + } if (d + chainlen > d_end) return; for (j = 0; j < chainlen; j++) { @@ -143,7 +157,7 @@ static void lz_unpack(const unsigned char *src, unsigned char *dest, int dest_le } static int rle_unpack(const unsigned char *src, unsigned char *dest, - int src_len, int dest_len) + int src_count, int src_size, int dest_len) { const unsigned char *ps; unsigned char *pd; 
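Review bot: Every truncation path added here (`s_len < 8`, `s_len < 1`, `s_len < 2`, `s_len < 1`) is a bare `return;`, so the caller cannot tell that `dest` was only partially filled; the rest of the destination keeps whatever it held before and, the function being `void`, the caller has no choice but to treat the whole buffer as decoded. Returning the number of bytes produced (`return d - dest;` at each early exit and at the end, with the signature changed to `static int lz_unpack(...)`) would let the caller bound its further parsing to decoded data. That touches the `@@ -72` hunk and the call site in vmd_decode as well; the loop body and the function end lie past this hunk.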
@@ -152,31 +166,40 @@ static int rle_unpack(const unsigned char *src, unsigned char *dest, ps = src; pd = dest; - if (src_len & 1) + if (src_count & 1) { + if (src_size < 1) + return 0; *pd++ = *ps++; + src_size--; + } - src_len >>= 1; + src_count >>= 1; i = 0; do { + if (src_size < 1) + break; l = *ps++; + src_size--; if (l & 0x80) { l = (l & 0x7F) * 2; - if (pd + l > dest_end) + if (pd + l > dest_end || src_size < l) return ps - src; memcpy(pd, ps, l); ps += l; + src_size -= l; pd += l; } else { - if (pd + i > dest_end) + if (pd + i > dest_end || src_size < 2) return ps - src; for (i = 0; i < l; i++) { *pd++ = ps[0]; *pd++ = ps[1]; } ps += 2; + src_size -= 2; } i += l; - } while (i < src_len); + } while (i < src_count); return ps - src; } @@ -191,6 +214,7 @@ static void vmd_decode(VmdVideoContext *s) const unsigned char *p = s->buf + 16; const unsigned char *pb; + unsigned int pb_size; unsigned char meth; unsigned char *dp; /* pointer to current frame */ unsigned char *pp; /* pointer to previous frame */ @@ -205,6 +229,16 @@ static void vmd_decode(VmdVideoContext *s) frame_y = AV_RL16(&s->buf[8]); frame_width = AV_RL16(&s->buf[10]) - frame_x + 1; frame_height = AV_RL16(&s->buf[12]) - frame_y + 1; + if (frame_x < 0 || frame_width < 0 || + frame_x >= s->avctx->width || + frame_width > s->avctx->width || + frame_x + frame_width > s->avctx->width) + return; + if (frame_y < 0 || frame_height < 0 || + frame_y >= s->avctx->height || + frame_height > s->avctx->height || + frame_y + frame_height > s->avctx->height) + return; if ((frame_width == s->avctx->width && frame_height == s->avctx->height) && (frame_x || frame_y)) { 
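Review bot: In the pair-repeat branch the destination guard `if (pd + i > dest_end || src_size < 2)` still compares against `i`, the count left over from the previous iteration (and reset by the inner `for (i = 0; i < l; i++)`), while that inner loop writes `2 * l` bytes; a run with a large `l` near the end of `dest` therefore still writes past `dest_end` even though the source side is now checked. Use the bytes about to be written instead: `if (pd + 2 * l > dest_end || src_size < 2)`. The function's declarations, including `dest_end`, are above the hunk.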
@@ -217,8 +251,9 @@ static void vmd_decode(VmdVideoContext *s) /* if only a certain region will be updated, copy the entire previous * frame before the decode */ - if (frame_x || frame_y || (frame_width != s->avctx->width) || - (frame_height != s->avctx->height)) { + if (s->prev_frame.data[0] && + (frame_x || frame_y || (frame_width != s->avctx->width) || + (frame_height != s->avctx->height))) { memcpy(s->frame.data[0], s->prev_frame.data[0], s->avctx->height * s->frame.linesize[0]); @@ -236,14 +271,19 @@ static void vmd_decode(VmdVideoContext *s) } s->size -= (256 * 3 + 2); } - if (s->size >= 0) { + if (s->size > 0) { /* originally UnpackFrame in VAG's code */ pb = p; - meth = *pb++; + pb_size = s->buf + s->size - pb; + if (pb_size < 1) + return; + meth = *pb++; pb_size--; if (meth & 0x80) { - lz_unpack(pb, s->unpack_buffer, s->unpack_buffer_size); + lz_unpack(pb, pb_size, + s->unpack_buffer, s->unpack_buffer_size); meth &= 0x7F; pb = s->unpack_buffer; + pb_size = s->unpack_buffer_size; } dp = &s->frame.data[0][frame_y * s->frame.linesize[0] + frame_x]; @@ -254,17 +294,21 @@ static void vmd_decode(VmdVideoContext *s) for (i = 0; i < frame_height; i++) { ofs = 0; do { + if (pb_size < 1) + return; len = *pb++; + pb_size--; if (len & 0x80) { len = (len & 0x7F) + 1; - if (ofs + len > frame_width) + if (ofs + len > frame_width || pb_size < len) return; memcpy(&dp[ofs], pb, len); pb += len; + pb_size -= len; ofs += len; } else { /* interframe pixel copy */ - if (ofs + len + 1 > frame_width) + if (ofs + len + 1 > frame_width || !s->prev_frame.data[0]) return; memcpy(&dp[ofs], &pp[ofs], len + 1); ofs += len + 1; @@ -282,8 +326,11 @@ static void vmd_decode(VmdVideoContext *s) case 2: for (i = 0; i < frame_height; i++) { + if (pb_size < frame_width) + return; memcpy(dp, pb, frame_width); pb += frame_width; + pb_size -= frame_width; dp += s->frame.linesize[0]; pp += s->prev_frame.linesize[0]; } 
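Review bot: `pb_size = s->buf + s->size - pb;` stores a signed pointer difference into an `unsigned int`, and the preceding `if (s->size > 0)` only proves `s->size` is positive, not that `pb` is still inside `s->buf + s->size`; if `p` was advanced over the palette bytes above the hunk while `s->size -= (256 * 3 + 2)` was also applied to the length, a negative difference is possible, it wraps to a huge count, `if (pb_size < 1) return;` passes, and every later `pb_size` guard is ineffective. Compute it signed and reject it first: `if (s->buf + s->size <= pb) return;` before the assignment. A second point: `pb_size = s->unpack_buffer_size;` after `lz_unpack(...)` trusts the whole unpack buffer even when lz_unpack bailed out early, which it cannot report. vmd_decode continues outside this hunk.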
@@ -293,18 +340,27 @@ static void vmd_decode(VmdVideoContext *s) for (i = 0; i < frame_height; i++) { ofs = 0; do { + if (pb_size < 1) + return; len = *pb++; + pb_size--; if (len & 0x80) { len = (len & 0x7F) + 1; + if (pb_size < 1) + return; if (*pb++ == 0xFF) - len = rle_unpack(pb, &dp[ofs], len, frame_width - ofs); - else + len = rle_unpack(pb, &dp[ofs], len, pb_size, frame_width - ofs); + else { + if (pb_size < len) + return; memcpy(&dp[ofs], pb, len); + } pb += len; + pb_size -= 1 + len; ofs += len; } else { /* interframe pixel copy */ - if (ofs + len + 1 > frame_width) + if (ofs + len + 1 > frame_width || !s->prev_frame.data[0]) return; memcpy(&dp[ofs], &pp[ofs], len + 1); ofs += len + 1; From 0f7bf1786e43d05c4ec1667a1457df7b22b05561 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 1 Oct 2011 00:45:05 +0200 Subject: [PATCH 44/58] Check for out of bound writes in the QDM2 decoder. Signed-off-by: Michael Niedermayer Signed-off-by: Justin Ruggles (cherry picked from commit 291d74a46d32183653db07818c7b3407fd50a288) Signed-off-by: Reinhard Tartler (cherry picked from commit a31ccacb1a9b2abc0e140a812fb0ffca6f7c2591) Signed-off-by: Reinhard Tartler --- libavcodec/qdm2.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 6451fbe91f..3273dd1795 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -75,6 +75,7 @@ do { \ #define SAMPLES_NEEDED_2(why) \ av_log (NULL,AV_LOG_INFO,"This file triggers some missing code. Please contact the developers.\nPosition: %s\n",why); +#define QDM2_MAX_FRAME_SIZE 512 typedef int8_t sb_int8_array[2][30][64]; @@ -167,7 +168,7 @@ typedef struct { /// I/O data const uint8_t *compressed_data; int compressed_size; - float output_buffer[1024]; + float output_buffer[QDM2_MAX_FRAME_SIZE * 2]; /// Synthesis filter DECLARE_ALIGNED(16, MPA_INT, synth_buf)[MPA_MAX_CHANNELS][512*2]; 
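Review bot: After `if (pb_size < 1) return;` the marker byte is consumed by `*pb++ == 0xFF` but `pb_size` is not decremented, so `rle_unpack(pb, &dp[ofs], len, pb_size, ...)` is told one byte more than remains and the literal-copy guard `if (pb_size < len)` is off by one; both can read one byte past the data (into packet padding when `pb` is in the packet, into the heap when it points into `s->unpack_buffer`). The later `pb_size -= 1 + len;` then underflows when rle_unpack consumed everything it was offered, disabling all further guards for the row. Decrement once where the byte is taken — `pb_size--;` right after the `if (pb_size < 1) return;` — and replace `pb_size -= 1 + len;` with `pb_size -= len;`. The do/while and the function continue outside the hunk.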
@@ -1799,6 +1800,8 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) avctx->channels = s->nb_channels = s->channels = AV_RB32(extradata); extradata += 4; + if (s->channels > MPA_MAX_CHANNELS) + return AVERROR_INVALIDDATA; avctx->sample_rate = AV_RB32(extradata); extradata += 4; @@ -1820,6 +1823,8 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx) // something like max decodable tones s->group_order = av_log2(s->group_size) + 1; s->frame_size = s->group_size / 16; // 16 iterations per super block + if (s->frame_size > QDM2_MAX_FRAME_SIZE) + return AVERROR_INVALIDDATA; s->sub_sampling = s->fft_order - 7; s->frequency_range = 255 / (1 << (2 - s->sub_sampling)); From 8856c4c5c924b85888fcaf486e71ba15b8af610b Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Sat, 1 Oct 2011 00:45:04 +0200 Subject: [PATCH 45/58] Fix out of bound reads in the QDM2 decoder. Signed-off-by: Michael Niedermayer Signed-off-by: Justin Ruggles (cherry picked from commit 5a19acb17ceb71657b0eec51dac651953520e5c8) Signed-off-by: Reinhard Tartler (cherry picked from commit 0d93d5c4614fafea74bdac681673f5b32eb49063) Signed-off-by: Reinhard Tartler --- libavcodec/qdm2.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 3273dd1795..ec33c492f4 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1356,6 +1356,8 @@ static void qdm2_fft_decode_tones (QDM2Context *q, int duration, GetBitContext * return; local_int_14 = (offset >> local_int_8); + if (local_int_14 >= FF_ARRAY_ELEMS(fft_level_index_table)) + return; if (q->nb_channels > 1) { channel = get_bits1(gb); From 201fcfb89482c6f73d6b679a294aac8da9612bbd Mon Sep 17 00:00:00 2001 From: Dustin Brody Date: Tue, 16 Aug 2011 16:46:34 -0400 Subject: [PATCH 46/58] vp6: partially propagate huffman tree building errors during coeff model parsing and fix misspelling Signed-off-by: Ronald S. Bultje (cherry picked from commit f913eeea43078b3b9052efd8d8d29e7b29b39208) 
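Review bot: `if (s->channels > MPA_MAX_CHANNELS)` rejects too many channels but not zero or negative ones: `s->channels` is assigned from `AV_RB32(extradata)` on the line just above, so a value with the top bit set becomes negative if the field is a signed int, and `0` passes as well; presumably both are later used as array bounds or divisors (not visible here). Tighten to `if (s->channels <= 0 || s->channels > MPA_MAX_CHANNELS) return AVERROR_INVALIDDATA;`. qdm2_decode_init continues outside this hunk.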
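Review bot: `if (s->frame_size > QDM2_MAX_FRAME_SIZE)` bounds only the upper side: `s->frame_size = s->group_size / 16;` yields zero for a small `group_size` and a negative value if `group_size` is read as a signed int (its read is above the hunk), and both slip through although `frame_size` sizes the output written per call. Reject them together: `if (s->frame_size <= 0 || s->frame_size > QDM2_MAX_FRAME_SIZE) return AVERROR_INVALIDDATA;`.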
Signed-off-by: Reinhard Tartler (cherry picked from commit 7367cbec1b8cf0cbb49707fb0fdfded8ec397b0d) Signed-off-by: Reinhard Tartler --- libavcodec/vp6.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index 58c31f965b..b9d86e3154 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -212,8 +212,8 @@ static int vp6_huff_cmp(const void *va, const void *vb) return (a->count - b->count)*16 + (b->sym - a->sym); } -static void vp6_build_huff_tree(VP56Context *s, uint8_t coeff_model[], - const uint8_t *map, unsigned size, VLC *vlc) +static int vp6_build_huff_tree(VP56Context *s, uint8_t coeff_model[], + const uint8_t *map, unsigned size, VLC *vlc) { Node nodes[2*size], *tmp = &nodes[size]; int a, b, i; @@ -228,9 +228,9 @@ static void vp6_build_huff_tree(VP56Context *s, uint8_t coeff_model[], } free_vlc(vlc); - /* then build the huffman tree accodring to probabilities */ - ff_huff_build_tree(s->avctx, vlc, size, nodes, vp6_huff_cmp, - FF_HUFFMAN_FLAG_HNODE_FIRST); + /* then build the huffman tree according to probabilities */ + return ff_huff_build_tree(s->avctx, vlc, size, nodes, vp6_huff_cmp, + FF_HUFFMAN_FLAG_HNODE_FIRST); } static void vp6_parse_coeff_models(VP56Context *s) From a62779d986292a5a4d5fb4c39031f9665c39b4a4 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Wed, 21 Sep 2011 20:46:32 +0200 Subject: [PATCH 47/58] vp6: Check for huffman tree build errors Signed-off-by: Janne Grunau (cherry picked from commit 066fff755a5d8edc660c010ddb08474d208eeade) Signed-off-by: Reinhard Tartler (cherry picked from commit 30c08e226156e5a36a835c008c67114f22c8da8f) Signed-off-by: Reinhard Tartler --- libavcodec/vp5.c | 3 ++- libavcodec/vp56.c | 4 +++- libavcodec/vp56.h | 2 +- libavcodec/vp6.c | 20 ++++++++++++-------- 4 files changed, 18 insertions(+), 11 deletions(-) diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c index 1479344ba4..703a1c3389 100644 --- a/libavcodec/vp5.c +++ b/libavcodec/vp5.c 
@@ -116,7 +116,7 @@ static void vp5_parse_vector_models(VP56Context *s) model->vector_pdv[comp][node] = vp56_rac_gets_nn(c, 7); } -static void vp5_parse_coeff_models(VP56Context *s) +static int vp5_parse_coeff_models(VP56Context *s) { VP56RangeCoder *c = &s->c; VP56Model *model = s->modelp; @@ -160,6 +160,7 @@ static void vp5_parse_coeff_models(VP56Context *s) for (ctx=0; ctx<6; ctx++) for (node=0; node<5; node++) model->coeff_acct[pt][ct][cg][ctx][node] = av_clip(((model->coeff_ract[pt][ct][cg][node] * vp5_ract_lc[ct][cg][node][ctx][0] + 128) >> 8) + vp5_ract_lc[ct][cg][node][ctx][1], 1, 254); + return 0; } static void vp5_parse_coeff(VP56Context *s) diff --git a/libavcodec/vp56.c b/libavcodec/vp56.c index 74fe5ff5f4..ebfd00634c 100644 --- a/libavcodec/vp56.c +++ b/libavcodec/vp56.c @@ -537,7 +537,8 @@ int vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size, s->mb_type = VP56_MB_INTER_NOVEC_PF; } - s->parse_coeff_models(s); + if (s->parse_coeff_models(s)) + goto next; memset(s->prev_dc, 0, sizeof(s->prev_dc)); s->prev_dc[1][VP56_FRAME_CURRENT] = 128; @@ -601,6 +602,7 @@ int vp56_decode_frame(AVCodecContext *avctx, void *data, int *data_size, } } + next: if (p->key_frame || golden_frame) { if (s->framep[VP56_FRAME_GOLDEN]->data[0] && s->framep[VP56_FRAME_GOLDEN] != s->framep[VP56_FRAME_GOLDEN2]) diff --git a/libavcodec/vp56.h b/libavcodec/vp56.h index 89eba0563e..ad5849ac17 100644 --- a/libavcodec/vp56.h +++ b/libavcodec/vp56.h @@ -41,7 +41,7 @@ typedef void (*VP56Filter)(VP56Context *s, uint8_t *dst, uint8_t *src, typedef void (*VP56ParseCoeff)(VP56Context *s); typedef void (*VP56DefaultModelsInit)(VP56Context *s); typedef void (*VP56ParseVectorModels)(VP56Context *s); -typedef void (*VP56ParseCoeffModels)(VP56Context *s); +typedef int (*VP56ParseCoeffModels)(VP56Context *s); typedef int (*VP56ParseHeader)(VP56Context *s, const uint8_t *buf, int buf_size, int *golden_frame); 
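Review bot: `if (s->parse_coeff_models(s)) goto next;` jumps past all macroblock decoding straight into the reference bookkeeping at `next:`, so a frame whose coefficient models were rejected is still promoted to the golden/previous reference when `p->key_frame || golden_frame` holds and, if the code after the label returns normally (not visible), is also handed to the caller with its pixel data never written. Returning an error instead, `if (s->parse_coeff_models(s)) return -1;`, or at least skipping the reference update on this path, would keep an undecoded frame from propagating. vp56_decode_frame begins and ends outside these hunks.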
diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index b9d86e3154..98befe6a8b 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -233,7 +233,7 @@ static int vp6_build_huff_tree(VP56Context *s, uint8_t coeff_model[], FF_HUFFMAN_FLAG_HNODE_FIRST); } -static void vp6_parse_coeff_models(VP56Context *s) +static int vp6_parse_coeff_models(VP56Context *s) { VP56RangeCoder *c = &s->c; VP56Model *model = s->modelp; @@ -278,15 +278,18 @@ static void vp6_parse_coeff_models(VP56Context *s) if (s->use_huffman) { for (pt=0; pt<2; pt++) { - vp6_build_huff_tree(s, model->coeff_dccv[pt], - vp6_huff_coeff_map, 12, &s->dccv_vlc[pt]); - vp6_build_huff_tree(s, model->coeff_runv[pt], - vp6_huff_run_map, 9, &s->runv_vlc[pt]); + if (vp6_build_huff_tree(s, model->coeff_dccv[pt], + vp6_huff_coeff_map, 12, &s->dccv_vlc[pt])) + return -1; + if (vp6_build_huff_tree(s, model->coeff_runv[pt], + vp6_huff_run_map, 9, &s->runv_vlc[pt])) + return -1; for (ct=0; ct<3; ct++) for (cg = 0; cg < 6; cg++) - vp6_build_huff_tree(s, model->coeff_ract[pt][ct][cg], - vp6_huff_coeff_map, 12, - &s->ract_vlc[pt][ct][cg]); + if (vp6_build_huff_tree(s, model->coeff_ract[pt][ct][cg], + vp6_huff_coeff_map, 12, + &s->ract_vlc[pt][ct][cg])) + return -1; } memset(s->nb_null, 0, sizeof(s->nb_null)); } else { @@ -296,6 +299,7 @@ static void vp6_parse_coeff_models(VP56Context *s) for (node=0; node<5; node++) model->coeff_dcct[pt][ctx][node] = av_clip(((model->coeff_dccv[pt][node] * vp6_dccv_lc[ctx][node][0] + 128) >> 8) + vp6_dccv_lc[ctx][node][1], 1, 255); } + return 0; } static void vp6_parse_vector_adjustment(VP56Context *s, VP56mv *vect) From e28bb18fdc894dfdc1befa9f5e748ccb649a8c76 Mon Sep 17 00:00:00 2001 From: Laurent Aimar Date: Fri, 23 Sep 2011 22:36:11 +0200 Subject: [PATCH 48/58] vp6: Reset the internal state when aborting key frames header parsing It prevents leaving the state only half initialized. Signed-off-by: Janne Grunau (cherry picked from commit a72cad0a6c05aa74940101e937cb3dc602d7d67b) 
Signed-off-by: Reinhard Tartler (cherry picked from commit c76505e0dee0890e39636ddebd2707ab3ea5b8de) Signed-off-by: Reinhard Tartler --- libavcodec/vp6.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index 98befe6a8b..955a6e9fd5 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -136,8 +136,11 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size, if (coeff_offset) { buf += coeff_offset; buf_size -= coeff_offset; - if (buf_size < 0) + if (buf_size < 0) { + if (s->framep[VP56_FRAME_CURRENT]->key_frame) + avcodec_set_dimensions(s->avctx, 0, 0); return 0; + } if (s->use_huffman) { s->parse_coeff = vp6_parse_coeff_huffman; init_get_bits(&s->gb, buf, buf_size<<3); From 8d68083298e2481669de4db0b7b86c915119df6d Mon Sep 17 00:00:00 2001 From: Alex Converse Date: Thu, 3 Nov 2011 15:55:52 -0700 Subject: [PATCH 49/58] vp6: Fix illegal read. (cherry picked from commit 2a6eb06254df79e96b3d791b6b89b2534ced3119) Signed-off-by: Reinhard Tartler (cherry picked from commit 67a7ed623b678a84c992dd7bf3e3d0329f83621b) Signed-off-by: Reinhard Tartler --- libavcodec/vp6.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index 955a6e9fd5..87834cd5c4 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -373,7 +373,7 @@ static void vp6_parse_coeff_huffman(VP56Context *s) if (b > 3) pt = 1; vlc_coeff = &s->dccv_vlc[pt]; - for (coeff_idx=0; coeff_idx<64; ) { + for (coeff_idx = 0;;) { int run = 1; if (coeff_idx<2 && s->nb_null[coeff_idx][pt]) { s->nb_null[coeff_idx][pt]--; @@ -410,6 +410,8 @@ static void vp6_parse_coeff_huffman(VP56Context *s) } } coeff_idx+=run; + if (coeff_idx >= 64) + break; cg = FFMIN(vp6_coeff_groups[coeff_idx], 3); vlc_coeff = &s->ract_vlc[pt][ct][cg]; } From 94aacaf5083313378c6105bd71db04ce8f62c058 Mon Sep 17 00:00:00 2001 
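Review bot: With `for (coeff_idx = 0;;)` the loop no longer states its termination, and the only exit visible in the hunk is the new `if (coeff_idx >= 64) break;` after `coeff_idx+=run;`; the other exit (presumably an end-of-block token) lies in the part of the body outside the hunk. A one-line comment on the `for` saves the next reader the search: `/* exits on end-of-block (below) or once the run carries coeff_idx past 63 */`. vp6_parse_coeff_huffman starts above and continues below the hunk.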
From: Thierry Foucu Date: Thu, 17 Nov 2011 09:39:52 -0800 Subject: [PATCH 50/58] vp6: Fix illegal read. Found with Address Sanitizer Signed-off-by: Alex Converse (cherry picked from commit e0966eb140b3569b3d6b5b5008961944ef229c06) Signed-off-by: Reinhard Tartler (cherry picked from commit ba4b08b78918f399f9c9524750b26e904d146078) Signed-off-by: Reinhard Tartler --- libavcodec/vp6.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c index 87834cd5c4..1fe24cf28c 100644 --- a/libavcodec/vp6.c +++ b/libavcodec/vp6.c @@ -439,7 +439,8 @@ static void vp6_parse_coeff(VP56Context *s) model1 = model->coeff_dccv[pt]; model2 = model->coeff_dcct[pt][ctx]; - for (coeff_idx=0; coeff_idx<64; ) { + coeff_idx = 0; + for (;;) { if ((coeff_idx>1 && ct==0) || vp56_rac_get_prob(c, model2[0])) { /* parse a coeff */ if (vp56_rac_get_prob(c, model2[2])) { @@ -480,8 +481,10 @@ static void vp6_parse_coeff(VP56Context *s) run += vp56_rac_get_prob(c, model3[i+8]) << i; } } - - cg = vp6_coeff_groups[coeff_idx+=run]; + coeff_idx += run; + if (coeff_idx >= 64) + break; + cg = vp6_coeff_groups[coeff_idx]; model1 = model2 = model->coeff_ract[pt][ct][cg]; } From 8ddc0b491d3c9c11c1e3d638fda51b4b604d32f4 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 18 Nov 2011 19:10:21 +0100 Subject: [PATCH 51/58] svq1dec: call avcodec_set_dimensions() after dimensions changed. Fixes NGS00148, CVE-2011-4579 Found-by: Phillip Langlois Signed-off-by: Michael Niedermayer (cherry picked from commit 6e24b9488e67849a28e64a8056e05f83cf439229) Signed-off-by: Reinhard Tartler (cherry picked from commit 0eca0da06e40b73af495cc05fbcfaa030fcf78ea) Signed-off-by: Reinhard Tartler --- libavcodec/svq1dec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c index 2aa28ab0b0..8c6f0c8f62 100644 --- a/libavcodec/svq1dec.c +++ b/libavcodec/svq1dec.c 
@@ -678,6 +678,7 @@ static int svq1_decode_frame(AVCodecContext *avctx, #endif return result; } + avcodec_set_dimensions(avctx, s->width, s->height); //FIXME this avoids some confusion for "B frames" without 2 references //this should be removed after libavcodec can handle more flexible picture types & ordering From bd071de29ae33a0ea99fd52793394a377ca61589 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sun, 4 Dec 2011 10:10:33 +0100 Subject: [PATCH 52/58] vp3dec: Check coefficient index in vp3_dequant() Based on a patch by Michael Niedermayer Fixes NGS00145, CVE-2011-4352 Found-by: Phillip Langlois Signed-off-by: Reinhard Tartler (cherry picked from commit 8b94df0f2047e9728cb872adc9e64557b7a5152f) Signed-off-by: Reinhard Tartler (cherry picked from commit bba709214a51ffd665a67404d3beb3727bb3f319) Signed-off-by: Reinhard Tartler --- libavcodec/vp3.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c index c08de6ca2c..fe8af86440 100644 --- a/libavcodec/vp3.c +++ b/libavcodec/vp3.c @@ -1285,6 +1285,10 @@ static inline int vp3_dequant(Vp3DecodeContext *s, Vp3Fragment *frag, case 1: // zero run s->dct_tokens[plane][i]++; i += (token >> 2) & 0x7f; + if (i > 63) { + av_log(s->avctx, AV_LOG_ERROR, "Coefficient index overflow\n"); + return i; + } block[perm[i]] = (token >> 9) * dequantizer[perm[i]]; i++; break; @@ -1458,7 +1462,10 @@ static void render_slice(Vp3DecodeContext *s, int slice) /* invert DCT and place (or add) in final output */ if (s->all_fragments[i].coding_method == MODE_INTRA) { - vp3_dequant(s, s->all_fragments + i, plane, 0, block); + int index; + index = vp3_dequant(s, s->all_fragments + i, plane, 0, block); + if (index > 63) + continue; if(s->avctx->idct_algo!=FF_IDCT_VP3) block[0] += 128<<3; s->dsp.idct_put( 
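Review bot: `avcodec_set_dimensions(avctx, s->width, s->height);` applies the header's dimensions on every frame, but nothing visible checks that a non-key frame still matches the reference it predicts from; if the previous picture was allocated at the old size (allocation is outside the hunk), an inter frame that changes dimensions reads its reference beyond the old buffer. Consider rejecting a size change on a non-intra frame before this call, roughly `if (s->pict_type != FF_I_TYPE && (s->width != avctx->width || s->height != avctx->height)) return -1;` — field names and the lowres adjustment in avcodec_set_dimensions to be confirmed against the context. svq1_decode_frame continues outside the hunk.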
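Review bot: For an intra fragment `if (index > 63) continue;` skips idct_put entirely, so the 8x8 block at `output_plane + first_pixel` keeps whatever the frame buffer held before (uninitialized memory or a stale picture unless it is cleared elsewhere — not visible) and that goes out as decoded output. Since vp3_dequant already logs the overflow, either fill the block with a neutral value before the `continue` or flag the frame as damaged so the caller can drop it. render_slice's loop extends beyond the hunk.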
@@ -1466,7 +1473,10 @@ static void render_slice(Vp3DecodeContext *s, int slice) stride, block); } else { - if (vp3_dequant(s, s->all_fragments + i, plane, 1, block)) { + int index = vp3_dequant(s, s->all_fragments + i, plane, 1, block); + if (index > 63) + continue; + if (index > 0) { s->dsp.idct_add( output_plane + first_pixel, stride, From ca87ec53e9c7fb5d79847e8d8fc33553d2d52310 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Thu, 1 Dec 2011 18:48:33 +0100 Subject: [PATCH 53/58] swscale: #include "libavutil/mathematics.h" this file uses the M_PI macro since 4e74187db2f5db52f88729efc662df9d6bc763e1, so include the correct header directly. Signed-off-by: Reinhard Tartler (cherry picked from commit 5089ce1b5abe2ecbbfd7235aeb0ad47ba38305c1) Signed-off-by: Reinhard Tartler (cherry picked from commit 851098c9e004b2ce294b687cb18633b038dcc3fe) Conflicts: libswscale/utils.c --- libswscale/utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libswscale/utils.c b/libswscale/utils.c index d7a6ea25b0..2629b3590b 100644 --- a/libswscale/utils.c +++ b/libswscale/utils.c @@ -42,6 +42,7 @@ #include "libavutil/x86_cpu.h" #include "libavutil/avutil.h" #include "libavutil/bswap.h" +#include "libavutil/mathematics.h" #include "libavutil/pixdesc.h" unsigned swscale_version(void) From 92b964969b228799fded70827d8b78044aff5019 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Tue, 22 Nov 2011 13:37:52 -0500 Subject: [PATCH 54/58] wma: initialize prev_block_len_bits, next_block_len_bits, and block_len_bits. The initial values are not checked against the number of block sizes. Initializing them to frame_len_bits will result in a block size index of 0 in these cases instead of something that might be out-of-range. Fixes Bug 81. (cherry picked from commit 05d1e45d1f42cc90d1f2f36c546d0096cea126a8) Signed-off-by: Reinhard Tartler (cherry picked from commit 8dba5608dcf76032d8a9aa4bd8a3fc1392682281) 
Signed-off-by: Reinhard Tartler --- libavcodec/wma.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/wma.c b/libavcodec/wma.c index 65780459aa..45d431a2b1 100644 --- a/libavcodec/wma.c +++ b/libavcodec/wma.c @@ -135,6 +135,9 @@ int ff_wma_init(AVCodecContext *avctx, int flags2) /* compute MDCT block size */ s->frame_len_bits = ff_wma_get_frame_len_bits(s->sample_rate, s->version, 0); + s->next_block_len_bits = s->frame_len_bits; + s->prev_block_len_bits = s->frame_len_bits; + s->block_len_bits = s->frame_len_bits; s->frame_len = 1 << s->frame_len_bits; if (s->use_variable_block_len) { From ccd2ca02463df0d9e5246758676b0ca52fcc2fb8 Mon Sep 17 00:00:00 2001 From: Shitiz Garg Date: Wed, 14 Dec 2011 18:29:21 +0530 Subject: [PATCH 55/58] 4xm: Add a check in decode_i_frame to prevent buffer overreads Fixes bugzilla #135 Signed-off-by: Janne Grunau (cherry picked from commit 355d917c0bd8163a3f1c7d4a6866dac749efdb84) Signed-off-by: Reinhard Tartler (cherry picked from commit d912a30c7d5cf9b8fdb26402804c9b0f999b4ff1) Signed-off-by: Reinhard Tartler --- libavcodec/4xm.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/libavcodec/4xm.c b/libavcodec/4xm.c index 219850302c..f6e50e9d5c 100644 --- a/libavcodec/4xm.c +++ b/libavcodec/4xm.c 
@@ -641,9 +641,18 @@ static int decode_i_frame(FourXContext *f, const uint8_t *buf, int length){ uint16_t *dst= (uint16_t*)f->current_picture.data[0]; const int stride= f->current_picture.linesize[0]>>1; const unsigned int bitstream_size= AV_RL32(buf); - const int token_count av_unused = AV_RL32(buf + bitstream_size + 8); - unsigned int prestream_size= 4*AV_RL32(buf + bitstream_size + 4); - const uint8_t *prestream= buf + bitstream_size + 12; + int token_count av_unused; + unsigned int prestream_size; + const uint8_t *prestream; + + if (length < bitstream_size + 12) { + av_log(f->avctx, AV_LOG_ERROR, "packet size too small\n"); + return AVERROR_INVALIDDATA; + } + + token_count = AV_RL32(buf + bitstream_size + 8); + prestream_size = 4 * AV_RL32(buf + bitstream_size + 4); + prestream = buf + bitstream_size + 12; if(prestream_size + bitstream_size + 12 != length || bitstream_size > (1<<26) From b26c1a8b7ed1a199b19f92bb5d62c61f1c149215 Mon Sep 17 00:00:00 2001 From: Baptiste Coudurier Date: Fri, 19 Nov 2010 06:52:30 +0000 Subject: [PATCH 56/58] Fix qdm2 decoder packet handling to match the api Originally committed as revision 25767 to svn://svn.ffmpeg.org/ffmpeg/trunk --- libavcodec/qdm2.c | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index ec33c492f4..93f72ceda5 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1890,7 +1890,7 @@ static av_cold int qdm2_decode_close(AVCodecContext *avctx) } -static void qdm2_decode (QDM2Context *q, const uint8_t *in, int16_t *out) +static int qdm2_decode (QDM2Context *q, const uint8_t *in, int16_t *out) { int ch, i; const int frame_size = (q->frame_size * q->channels); @@ -1926,7 +1926,7 @@ static void qdm2_decode (QDM2Context *q, const uint8_t *in, int16_t *out) if (!q->has_errors && q->sub_packet_list_C[0].packet != NULL) { SAMPLES_NEEDED_2("has errors, and C list is not empty") - return; + return -1; } } 
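Review bot: The new `if (length < bitstream_size + 12)` is evaluated in unsigned arithmetic (`bitstream_size` is `unsigned int` from `AV_RL32(buf)`), so a value near `UINT_MAX` wraps the sum to a small number, the check passes, and `AV_RL32(buf + bitstream_size + 8)` / `AV_RL32(buf + bitstream_size + 4)` read far outside the packet before the existing `bitstream_size > (1<<26)` test below can reject it. Check without the addition, `if (length < 12 || bitstream_size > length - 12)`, or move the `(1<<26)` bound in front of the two reads. `AV_RL32(buf)` itself needs at least 4 bytes; whether the caller guarantees that is not visible here. decode_i_frame continues past the hunk.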
@@ -1947,6 +1947,8 @@ static void qdm2_decode (QDM2Context *q, const uint8_t *in, int16_t *out) out[i] = value; } + + return 0; } @@ -1957,25 +1959,26 @@ static int qdm2_decode_frame(AVCodecContext *avctx, const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; QDM2Context *s = avctx->priv_data; + int16_t *out = data; + int i; if(!buf) return 0; if(buf_size < s->checksum_size) return -1; - *data_size = s->channels * s->frame_size * sizeof(int16_t); - av_log(avctx, AV_LOG_DEBUG, "decode(%d): %p[%d] -> %p[%d]\n", buf_size, buf, s->checksum_size, data, *data_size); - qdm2_decode(s, buf, data); - - // reading only when next superblock found - if (s->sub_packet == 0) { - return s->checksum_size; + for (i = 0; i < 16; i++) { + if (qdm2_decode(s, buf, out) < 0) + return -1; + out += s->channels * s->frame_size; } - return 0; + *data_size = (uint8_t*)out - (uint8_t*)data; + + return buf_size; } AVCodec qdm2_decoder = From cfb9b47a1ecdc9e88e6561aa213d98245ee70267 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Wed, 14 Sep 2011 13:57:04 -0400 Subject: [PATCH 57/58] qdm2: check output buffer size before decoding (cherry picked from commit 7d49f79f1cd47783a963a757a6563b9cac29db62) Signed-off-by: Reinhard Tartler (cherry picked from commit 73472053516f82b7d273a3d42c583f894077a191) Conflicts: libavcodec/qdm2.c --- libavcodec/qdm2.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index 93f72ceda5..839e3fe1bf 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c 
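Review bot: The early paths `if(!buf) return 0;`, `if(buf_size < s->checksum_size) return -1;` and the loop's `return -1;` all leave `*data_size` untouched, and now that the only assignment to it sits at the end of the function the caller sees whatever it passed in — under the usual audio decode contract that is the output buffer capacity, so a flush or short packet can be mistaken for a full buffer of samples. Set `*data_size = 0;` at function entry so every non-output return reports no samples. qdm2_decode_frame's header is above the hunk.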
@@ -1960,13 +1960,20 @@ static int qdm2_decode_frame(AVCodecContext *avctx, int buf_size = avpkt->size; QDM2Context *s = avctx->priv_data; int16_t *out = data; - int i; + int i, out_size; if(!buf) return 0; if(buf_size < s->checksum_size) return -1; + out_size = 16 * s->channels * s->frame_size * + av_get_bits_per_sample_format(avctx->sample_fmt)/8; + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); + return AVERROR(EINVAL); + } + av_log(avctx, AV_LOG_DEBUG, "decode(%d): %p[%d] -> %p[%d]\n", buf_size, buf, s->checksum_size, data, *data_size); @@ -1976,7 +1983,7 @@ static int qdm2_decode_frame(AVCodecContext *avctx, out += s->channels * s->frame_size; } - *data_size = (uint8_t*)out - (uint8_t*)data; + *data_size = out_size; return buf_size; } From dbe7e209df03c18eabdc29f87b73bbc4e3430d20 Mon Sep 17 00:00:00 2001 From: Reinhard Tartler Date: Sat, 24 Dec 2011 15:59:10 +0100 Subject: [PATCH 58/58] Bump version number for 0.6.4 release. --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 844f6a91ac..d2b13eb644 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.6.3 +0.6.4
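Review bot: `out_size` is derived from `av_get_bits_per_sample_format(avctx->sample_fmt)/8`, while the writes it is meant to bound go through `int16_t *out` and advance by `s->channels * s->frame_size` samples per iteration; the two agree only if `sample_fmt` is the 16-bit format (set in init, outside the hunk), and any other `sample_fmt` would silently undersize the guard. Express the bound in the units of the writes, `out_size = 16 * s->channels * s->frame_size * sizeof(int16_t);`, so the check cannot drift from the loop. The `return AVERROR(EINVAL);` path also leaves `*data_size` as the caller passed it; set it to 0 before returning. The loop itself sits between the two hunks.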