Merge commit '108ca6fad1e0e9af8d6337f908bfd23807b7fbd6' into release/1.1

* commit '108ca6fad1e0e9af8d6337f908bfd23807b7fbd6':
  yop: check for input overreads.
  yop: check that extradata is large enough.
  fraps: fix off-by one bug for version 1.

Conflicts:
	libavcodec/fraps.c
	libavcodec/yop.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>

cmdutils.c

@@ -1851,7 +1851,7 @@ static int alloc_buffer(FrameBuffer **pool, AVCodecContext *s, FrameBuffer **pbu
     /* XXX this shouldn't be needed, but some tests break without this line
      * those decoders are buggy and need to be fixed.
      * the following tests fail:
-     * cdgraphics, ansi, aasc, fraps-v1, qtrle-1bit
+     * cdgraphics, ansi, aasc, qtrle-1bit
      */
     memset(buf->base[0], 128, ret);
 

libavcodec/fraps.c

@@ -246,7 +246,7 @@ static int decode_frame(AVCodecContext *avctx,
     case 1:
         /* Fraps v1 is an upside-down BGR24 */
             for(y=0; y<avctx->height; y++)
-            memcpy(&f->data[0][ (avctx->height-y)*f->linesize[0] ],
+                memcpy(&f->data[0][ (avctx->height - y -1) * f->linesize[0]],
                        &buf[y*avctx->width*3],
                        3*avctx->width);
         break;

libavcodec/yop.c

@@ -39,6 +39,7 @@ typedef struct YopDecContext {
 
     uint8_t *low_nibble;
     uint8_t *srcptr;
+    uint8_t *src_end;
     uint8_t *dstptr;
     uint8_t *dstbuf;
 } YopDecContext;
@@ -88,8 +89,8 @@ static av_cold int yop_decode_init(AVCodecContext *avctx)
         return -1;
     }
 
-    if (!avctx->extradata) {
+    if (avctx->extradata_size < 3) {
-        av_log(avctx, AV_LOG_ERROR, "extradata missing\n");
+        av_log(avctx, AV_LOG_ERROR, "Missing or incomplete extradata.\n");
         return AVERROR_INVALIDDATA;
     }
 
@@ -123,8 +124,13 @@ static av_cold int yop_decode_close(AVCodecContext *avctx)
  * @param s codec context
  * @param tag the tag that was in the nibble
  */
-static void yop_paint_block(YopDecContext *s, int tag)
+static int yop_paint_block(YopDecContext *s, int tag)
 {
+    if (s->src_end - s->srcptr < paint_lut[tag][3]) {
+        av_log(s->avctx, AV_LOG_ERROR, "Packet too small.\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     s->dstptr[0]                        = s->srcptr[0];
     s->dstptr[1]                        = s->srcptr[paint_lut[tag][0]];
     s->dstptr[s->frame.linesize[0]]     = s->srcptr[paint_lut[tag][1]];
@@ -132,6 +138,7 @@ static void yop_paint_block(YopDecContext *s, int tag)
 
     // The number of src bytes consumed is in the last part of the lut entry.
     s->srcptr += paint_lut[tag][3];
+    return 0;
 }
 
 /**
@@ -184,6 +191,11 @@ static int yop_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
     int ret, i, x, y;
     uint32_t *palette;
 
+    if (avpkt->size < 4 + 3 * s->num_pal_colors) {
+        av_log(avctx, AV_LOG_ERROR, "Packet too small.\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     if (s->frame.data[0])
         avctx->release_buffer(avctx, &s->frame);
 
@@ -201,6 +213,7 @@ static int yop_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
     s->dstbuf     = s->frame.data[0];
     s->dstptr     = s->frame.data[0];
     s->srcptr     = avpkt->data + 4;
+    s->src_end    = avpkt->data + avpkt->size;
     s->low_nibble = NULL;
 
     is_odd_frame = avpkt->data[0];
@@ -231,7 +244,9 @@ static int yop_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
             tag = yop_get_next_nibble(s);
 
             if (tag != 0xf) {
-                yop_paint_block(s, tag);
+                ret = yop_paint_block(s, tag);
+                if (ret < 0)
+                    return ret;
             } else {
                 tag = yop_get_next_nibble(s);
                 ret = yop_copy_previous_block(s, tag);

tests/ref/fate/fraps-v1

@@ -1,2 +1,2 @@
 #tb 0: 1/25
-0,          0,          0,        1,   230400, 0x6bc891ff
+0,          0,          0,        1,   230400, 0x23c29d17