From 39a7a5b8ab12bc75306f52e671dfb1497771553b Mon Sep 17 00:00:00 2001
From: Aaron Colwell
Date: Mon, 28 Nov 2011 07:23:03 -0800
Subject: [PATCH 1/3] pthread: don't increment index on zero-sized packets. The next call to decode() will update from an invalid index, which will either lead to a memcpy() where dest==src (2 threads), or lead to a crash (>2 threads).
Signed-off-by: Ronald S. Bultje
---
 libavcodec/pthread.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/libavcodec/pthread.c b/libavcodec/pthread.c
index 21e32b59ea..1364f5722d 100644
--- a/libavcodec/pthread.c
+++ b/libavcodec/pthread.c
@@ -491,6 +491,7 @@ static int submit_packet(PerThreadContext *p, AVPacket *avpkt) } fctx->prev_thread = p; + fctx->next_decoding++; return 0; }
@@ -513,8 +514,6 @@ int ff_thread_decode_frame(AVCodecContext *avctx, err = submit_packet(p, avpkt); if (err) return err; - fctx->next_decoding++; - - /* * If we're still receiving the initial packets, don't return a frame. */
From fdab793a464c475ddb77e6cf7ae47a895bcf35fd Mon Sep 17 00:00:00 2001
From: Alex Converse
Date: Mon, 28 Nov 2011 15:19:39 -0800
Subject: [PATCH 2/3] avconv: Handle audio sync for non-S16 sample formats. Also fix reporting of the number of samples added/dropped.
---
 avconv.c | 31 ++++++++++++++++---------------
 1 file changed, 16 insertions(+), 15 deletions(-)
diff --git a/avconv.c b/avconv.c
index 6f64bc80a4..4c5498ad93 100644
--- a/avconv.c
+++ b/avconv.c
@@ -729,6 +729,14 @@ static void write_frame(AVFormatContext *s, AVPacket *pkt, AVCodecContext *avctx } } +static void generate_silence(uint8_t* buf, enum AVSampleFormat sample_fmt, size_t size) +{ + int fill_char = 0x00; + if (sample_fmt == AV_SAMPLE_FMT_U8) + fill_char = 0x80; + memset(buf, fill_char, size); +} + static void do_audio_out(AVFormatContext *s, OutputStream *ost, InputStream *ist,
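Review bot: Nothing at the new `fctx->next_decoding++;` in submit_packet says why the index advances here rather than in the caller. Per the commit message the increment must be skipped when a zero-sized packet makes submit_packet return early, and that early return sits above this hunk. A comment such as `/* advance only once a packet was really handed to this thread; the empty-packet return above must leave next_decoding untouched */` would keep a later refactor from moving it back into ff_thread_decode_frame. The wrap-around of next_decoding against the thread count is not visible in either pthread.c hunk, so it is worth confirming that it still runs after every successful submit.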
@@ -829,9 +837,9 @@ need_realloc: if(audio_sync_method){ double delta = get_sync_ipts(ost) * enc->sample_rate - ost->sync_opts - - av_fifo_size(ost->fifo)/(enc->channels * 2); - double idelta= delta*dec->sample_rate / enc->sample_rate; - int byte_delta= ((int)idelta)*2*dec->channels; + - av_fifo_size(ost->fifo)/(enc->channels * osize); + int idelta = delta * dec->sample_rate / enc->sample_rate; + int byte_delta = idelta * isize * dec->channels; //FIXME resample delay if(fabs(delta) > 50){
@@ -840,7 +848,8 @@ need_realloc: byte_delta= FFMAX(byte_delta, -size); size += byte_delta; buf -= byte_delta; - av_log(NULL, AV_LOG_VERBOSE, "discarding %d audio samples\n", (int)-delta); + av_log(NULL, AV_LOG_VERBOSE, "discarding %d audio samples\n", + -byte_delta / (isize * dec->channels)); if(!size) return; ist->is_start=0;
@@ -854,11 +863,11 @@ need_realloc: } ist->is_start=0; - memset(input_tmp, 0, byte_delta); + generate_silence(input_tmp, dec->sample_fmt, byte_delta); memcpy(input_tmp + byte_delta, buf, size); buf= input_tmp; size += byte_delta; - av_log(NULL, AV_LOG_VERBOSE, "adding %d audio samples of silence\n", (int)delta); + av_log(NULL, AV_LOG_VERBOSE, "adding %d audio samples of silence\n", idelta); } }else if(audio_sync_method>1){ int comp= av_clip(delta, -audio_sync_method, audio_sync_method);
@@ -871,7 +880,7 @@ need_realloc: } }else ost->sync_opts= lrintf(get_sync_ipts(ost) * enc->sample_rate) - - av_fifo_size(ost->fifo)/(enc->channels * 2); //FIXME wrong + - av_fifo_size(ost->fifo)/(enc->channels * osize); //FIXME wrong if (ost->audio_resample) { buftmp = audio_buf;
@@ -1436,14 +1445,6 @@ static void print_report(OutputFile *output_files, } } -static void generate_silence(uint8_t* buf, enum AVSampleFormat sample_fmt, size_t size) -{ - int fill_char = 0x00; - if (sample_fmt == AV_SAMPLE_FMT_U8) - fill_char = 0x80; - memset(buf, fill_char, size); -} - static void flush_encoders(OutputStream *ost_table, int nb_ostreams) { int i, ret;
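Review bot: The new `int idelta = delta * dec->sample_rate / enc->sample_rate;` in the -829 hunk narrows a double derived from stream timestamps straight to int, and `idelta * isize * dec->channels` is then multiplied in int. A large timestamp jump can therefore take either step out of range, which is undefined behaviour, before any clamp runs. byte_delta goes on to drive `buf -= byte_delta` in the -840 hunk and `generate_silence(input_tmp, dec->sample_fmt, byte_delta)` plus `memcpy(input_tmp + byte_delta, buf, size)` in the -854 hunk, where it is converted to size_t. Range-check delta before the conversion and form the byte count in 64 bits, e.g. `int64_t bytes = (int64_t)idelta * isize * dec->channels;`, rejecting or clamping anything that does not fit the buffer. The sizing of input_tmp and the definitions of isize and osize are outside these hunks, so whether a later check already bounds the value should be confirmed there.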
From 464ccb01447b91717cf580b870e636514701ce4f Mon Sep 17 00:00:00 2001
From: Aneesh Dogra
Date: Tue, 29 Nov 2011 23:13:35 +0530
Subject: [PATCH 3/3] indeo3: check per-plane data buffer against input buffer bounds. Fixes : http://bugzilla.libav.org/show_bug.cgi?id=102
Signed-off-by: Alex Converse
---
 libavcodec/indeo3.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c
index 4f3cb36606..46efbd86d2 100644
--- a/libavcodec/indeo3.c
+++ b/libavcodec/indeo3.c
@@ -804,8 +804,10 @@ static int decode_plane(Indeo3DecodeContext *ctx, AVCodecContext *avctx, num_vectors = bytestream_get_le32(&data); ctx->mc_vectors = num_vectors ? data : 0; + if (num_vectors * 2 >= data_size) + return AVERROR_INVALIDDATA; /* init the bitreader */ - init_get_bits(&ctx->gb, &data[num_vectors * 2], data_size << 3); + init_get_bits(&ctx->gb, &data[num_vectors * 2], (data_size - num_vectors * 2) << 3); ctx->skip_bits = 0; ctx->need_resync = 0;
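Review bot: The added guard `if (num_vectors * 2 >= data_size)` multiplies a 32-bit value read from the bitstream before comparing it, so a very large num_vectors can wrap, or overflow if the variable is signed (its declaration is outside the hunk), and slip past the check that is meant to bound `&data[num_vectors * 2]`. Doing the comparison in 64 bits avoids that, `if ((int64_t)num_vectors * 2 >= data_size) return AVERROR_INVALIDDATA;`, with negative values rejected first if the type is signed. `bytestream_get_le32(&data)` has also already advanced data by four bytes and nothing visible reduces data_size to match, so the length handed to init_get_bits may still be four bytes too long. That depends on how the caller computes data_size and should be checked there. decode_plane starts and ends outside the hunk.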