Merge remote-tracking branch 'qatar/release/0.8' into release/0.10

* qatar/release/0.8:
  Update Changelog for the 0.8.2 Release
  Prepare for 0.8.2 Release
  vqavideo: return error if image size is not a multiple of block size
  celp filters: Do not read earlier than the start of the 'out' vector.
  motionpixels: Clip YUV values after applying a gradient.
  jpeg: handle progressive in second field of interlaced.
  h263: more strictly forbid frame size changes with frame-mt.
  h264: additional protection against unsupported size/bitdepth changes.
  tta: prevents overflows for 32bit integers in header.
  ttadec: CRC checking
  tta: use skip_bits_long()

Conflicts:
	Changelog
	RELEASE
	libavcodec/h264.c
	libavcodec/tta.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>

Changelog

@@ -3,6 +3,21 @@ releases are sorted from youngest to oldest.
 
 version next:
 
+
+version 0.10.2:
+
+- Several bugs and crashes have been fixed in the following codecs: AAC,
+  APE, H.263, H.264, Indeo 4, Mimic, MJPEG, Motion Pixels Video, RAW,
+  TTA, VC1, VQA, WMA Voice, vqavideo (CVE-2012-0947).
+
+- Several bugs and crashes have been fixed in the following formats:
+  ASF, ID3v2, MOV, xWMA
+
+- This release additionally updates the following codecs to the
+  bytestream2 API, and therefore benefit from additional overflow
+  checks: truemotion2, utvideo, vqavideo
+
+
 version 0.10.1
 - Several security fixes, many bugfixes affecting many formats and
   codecs, the list below is not complete.

libavcodec/celp_filters.c

@@ -133,9 +133,8 @@ void ff_celp_lp_synthesis_filterf(float *out, const float *filter_coeffs,
         out2 -= val * old_out2;
         out3 -= val * old_out3;
 
-        old_out3 = out[-5];
-
         for (i = 5; i <= filter_length; i += 2) {
+            old_out3 = out[-i];
             val = filter_coeffs[i-1];
 
             out0 -= val * old_out3;
@@ -154,7 +153,6 @@ void ff_celp_lp_synthesis_filterf(float *out, const float *filter_coeffs,
 
             FFSWAP(float, old_out0, old_out2);
             old_out1 = old_out3;
-            old_out3 = out[-i-2];
         }
 
         tmp0 = out0;

libavcodec/h263dec.c

@@ -444,6 +444,13 @@ retry:
     if (ret < 0){
         av_log(s->avctx, AV_LOG_ERROR, "header damaged\n");
         return -1;
+    } else if ((s->width  != avctx->coded_width  ||
+                s->height != avctx->coded_height ||
+                (s->width  + 15) >> 4 != s->mb_width ||
+                (s->height + 15) >> 4 != s->mb_height) &&
+               (HAVE_THREADS && (s->avctx->active_thread_type & FF_THREAD_FRAME))) {
+        av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0);
+        return AVERROR_PATCHWELCOME;   // width / height changed during parallelized decoding
     }
 
     avctx->has_b_frames= !s->low_delay;
@@ -584,11 +591,6 @@ retry:
         /* H.263 could change picture size any time */
         ParseContext pc= s->parse_context; //FIXME move these demuxng hack to avformat
 
-        if (HAVE_THREADS && (s->avctx->active_thread_type&FF_THREAD_FRAME)) {
-            av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0);
-            return -1;   // width / height changed during parallelized decoding
-        }
-
         s->parse_context.buffer=0;
         MPV_common_end(s);
         s->parse_context= pc;

libavcodec/h264.c

@@ -2706,9 +2706,9 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
             || s->avctx->bits_per_raw_sample != h->sps.bit_depth_luma
             || h->cur_chroma_format_idc != h->sps.chroma_format_idc
             || av_cmp_q(h->sps.sar, s->avctx->sample_aspect_ratio))) {
-        if(h != h0 || (s->avctx->active_thread_type & FF_THREAD_FRAME)) {
+        if(h != h0 || (HAVE_THREADS && h->s.avctx->active_thread_type & FF_THREAD_FRAME)) {
             av_log_missing_feature(s->avctx, "Width/height/bit depth/chroma idc changing with threads is", 0);
-            return -1;   // width / height changed during parallelized decoding
+            return AVERROR_PATCHWELCOME;   // width / height changed during parallelized decoding
         }
         free_tables(h, 0);
         flush_dpb(s->avctx);

libavcodec/h264_ps.c

@@ -515,6 +515,9 @@ int ff_h264_decode_picture_parameter_set(H264Context *h, int bit_length){
     if(pps_id >= MAX_PPS_COUNT) {
         av_log(h->s.avctx, AV_LOG_ERROR, "pps_id (%d) out of range\n", pps_id);
         return -1;
+    } else if (h->sps.bit_depth_luma > 10) {
+        av_log(h->s.avctx, AV_LOG_ERROR, "Unimplemented luma bit depth=%d (max=10)\n", h->sps.bit_depth_luma);
+        return AVERROR_PATCHWELCOME;
     }
 
     pps= av_mallocz(sizeof(PPS));

libavcodec/mjpegdec.c

@@ -316,9 +316,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
         s->first_picture = 0;
     }
 
-    if (s->interlaced && (s->bottom_field == !s->interlace_polarity))
-        return 0;
-
+    if (!(s->interlaced && (s->bottom_field == !s->interlace_polarity))) {
     /* XXX: not complete test ! */
     pix_fmt_id = (s->h_count[0] << 28) | (s->v_count[0] << 24) |
                  (s->h_count[1] << 20) | (s->v_count[1] << 16) |
@@ -431,6 +429,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
 
     if (len != (8 + (3 * nb_components)))
         av_log(s->avctx, AV_LOG_DEBUG, "decode_sof0: error, len(%d) mismatch\n", len);
+    }
 
     /* totally blank picture as progressive JPEG will only add details to it */
     if (s->progressive) {

libavcodec/motionpixels.c

@@ -191,10 +191,13 @@ static void mp_decode_line(MotionPixelsContext *mp, GetBitContext *gb, int y)
             p = mp_get_yuv_from_rgb(mp, x - 1, y);
         } else {
             p.y += mp_gradient(mp, 0, mp_get_vlc(mp, gb));
+            p.y = av_clip(p.y, 0, 31);
             if ((x & 3) == 0) {
                 if ((y & 3) == 0) {
                     p.v += mp_gradient(mp, 1, mp_get_vlc(mp, gb));
+                    p.v = av_clip(p.v, -32, 31);
                     p.u += mp_gradient(mp, 2, mp_get_vlc(mp, gb));
+                    p.u = av_clip(p.u, -32, 31);
                     mp->hpt[((y / 4) * mp->avctx->width + x) / 4] = p;
                 } else {
                     p.v = mp->hpt[((y / 4) * mp->avctx->width + x) / 4].v;
@@ -218,9 +221,12 @@ static void mp_decode_frame_helper(MotionPixelsContext *mp, GetBitContext *gb)
             p = mp_get_yuv_from_rgb(mp, 0, y);
         } else {
             p.y += mp_gradient(mp, 0, mp_get_vlc(mp, gb));
+            p.y = av_clip(p.y, 0, 31);
             if ((y & 3) == 0) {
                 p.v += mp_gradient(mp, 1, mp_get_vlc(mp, gb));
+                p.v = av_clip(p.v, -32, 31);
                 p.u += mp_gradient(mp, 2, mp_get_vlc(mp, gb));
+                p.u = av_clip(p.u, -32, 31);
             }
             mp->vpt[y] = p;
             mp_set_rgb_from_yuv(mp, 0, y, &p);

libavcodec/tta.c

@@ -32,6 +32,7 @@
 #include <limits.h>
 #include "avcodec.h"
 #include "get_bits.h"
+#include "libavutil/crc.h"
 
 #define FORMAT_SIMPLE    1
 #define FORMAT_ENCRYPTED 2
@@ -58,8 +59,10 @@ typedef struct TTAContext {
     AVCodecContext *avctx;
     AVFrame frame;
     GetBitContext gb;
+    const AVCRC *crc_table;
 
-    int format, channels, bps, data_length;
+    int format, channels, bps;
+    unsigned data_length;
     int frame_length, last_frame_length, total_frames;
 
     int32_t *decode_buffer;
@@ -198,10 +201,23 @@ static const int64_t tta_channel_layouts[7] = {
     AV_CH_LAYOUT_7POINT1_WIDE
 };
 
+static int tta_check_crc(TTAContext *s, const uint8_t *buf, int buf_size)
+{
+    uint32_t crc, CRC;
+
+    CRC = AV_RL32(buf + buf_size);
+    crc = av_crc(s->crc_table, 0xFFFFFFFFU, buf, buf_size);
+    if (CRC != (crc ^ 0xFFFFFFFFU)) {
+        av_log(s->avctx, AV_LOG_ERROR, "CRC error\n");
+        return AVERROR_INVALIDDATA;
+    }
+
+    return 0;
+}
+
 static av_cold int tta_decode_init(AVCodecContext * avctx)
 {
     TTAContext *s = avctx->priv_data;
-    int i;
 
     s->avctx = avctx;
 
@@ -212,8 +228,14 @@ static av_cold int tta_decode_init(AVCodecContext * avctx)
     init_get_bits(&s->gb, avctx->extradata, avctx->extradata_size * 8);
     if (show_bits_long(&s->gb, 32) == AV_RL32("TTA1"))
     {
+        if (avctx->err_recognition & AV_EF_CRCCHECK) {
+            s->crc_table = av_crc_get_table(AV_CRC_32_IEEE_LE);
+            if (tta_check_crc(s, avctx->extradata, 18))
+                return AVERROR_INVALIDDATA;
+        }
+
         /* signature */
-        skip_bits(&s->gb, 32);
+        skip_bits_long(&s->gb, 32);
 
         s->format = get_bits(&s->gb, 16);
         if (s->format > 2) {
@@ -231,7 +253,7 @@ static av_cold int tta_decode_init(AVCodecContext * avctx)
         s->bps = (avctx->bits_per_coded_sample + 7) / 8;
         avctx->sample_rate = get_bits_long(&s->gb, 32);
         s->data_length = get_bits_long(&s->gb, 32);
-        skip_bits(&s->gb, 32); // CRC32 of header
+        skip_bits_long(&s->gb, 32); // CRC32 of header
 
         if (s->channels == 0) {
             av_log(s->avctx, AV_LOG_ERROR, "Invalid number of channels\n");
@@ -258,7 +280,7 @@ static av_cold int tta_decode_init(AVCodecContext * avctx)
         }
 
         // prevent overflow
-        if (avctx->sample_rate > 0x7FFFFF) {
+        if (avctx->sample_rate > 0x7FFFFFu) {
             av_log(avctx, AV_LOG_ERROR, "sample_rate too large\n");
             return AVERROR(EINVAL);
         }
@@ -275,9 +297,15 @@ static av_cold int tta_decode_init(AVCodecContext * avctx)
             s->data_length, s->frame_length, s->last_frame_length, s->total_frames);
 
         // FIXME: seek table
-        for (i = 0; i < s->total_frames; i++)
-            skip_bits(&s->gb, 32);
-        skip_bits(&s->gb, 32); // CRC32 of seektable
+        if (avctx->extradata_size <= 26 || s->total_frames > INT_MAX / 4 ||
+            avctx->extradata_size - 26 < s->total_frames * 4)
+            av_log(avctx, AV_LOG_WARNING, "Seek table missing or too small\n");
+        else if (avctx->err_recognition & AV_EF_CRCCHECK) {
+            if (tta_check_crc(s, avctx->extradata + 22, s->total_frames * 4))
+                return AVERROR_INVALIDDATA;
+        }
+        skip_bits_long(&s->gb, 32 * s->total_frames);
+        skip_bits_long(&s->gb, 32); // CRC32 of seektable
 
         if(s->frame_length >= UINT_MAX / (s->channels * sizeof(int32_t))){
             av_log(avctx, AV_LOG_ERROR, "frame_length too large\n");
@@ -313,6 +341,11 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data,
     int cur_chan = 0, framelen = s->frame_length;
     int32_t *p;
 
+    if (avctx->err_recognition & AV_EF_CRCCHECK) {
+        if (buf_size < 4 || tta_check_crc(s, buf, buf_size - 4))
+            return AVERROR_INVALIDDATA;
+    }
+
     init_get_bits(&s->gb, buf, buf_size*8);
 
     // FIXME: seeking
@@ -416,7 +449,7 @@ static int tta_decode_frame(AVCodecContext *avctx, void *data,
 
     if (get_bits_left(&s->gb) < 32)
         return -1;
-    skip_bits(&s->gb, 32); // frame crc
+    skip_bits_long(&s->gb, 32); // frame crc
 
         // convert to output buffer
         switch(s->bps) {

libavcodec/vqavideo.c

@@ -155,16 +155,16 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx)
         return -1;
     }
 
+    if (s->width % s->vector_width || s->height % s->vector_height) {
+        av_log(avctx, AV_LOG_ERROR, "Image size not multiple of block size\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     /* allocate codebooks */
     s->codebook_size = MAX_CODEBOOK_SIZE;
     s->codebook = av_malloc(s->codebook_size);
     s->next_codebook_buffer = av_malloc(s->codebook_size);
 
-    if (s->width % s->vector_width || s->height % s->vector_height) {
-        av_log(avctx, AV_LOG_ERROR, "Picture dimensions are not a multiple of the vector size\n");
-        return AVERROR_INVALIDDATA;
-    }
-
     /* initialize the solid-color vectors */
     if (s->vector_height == 4) {
         codebook_index = 0xFF00 * 16;