From 1e9d234c0c62cdce17016a68c948e4f4a8aceea3 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 24 Aug 2013 21:30:46 +0200 Subject: [PATCH 1/6] pictordec: pass correct context to avpriv_request_sample Fixes invalid reads. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry-picked from commit fe9bb61f9a16be19ad91875632c39e44b7a99a8a) Signed-off-by: Luca Barbato
---
 libavcodec/pictordec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c
index f88fc52f1b..53fef1c6f6 100644
--- a/libavcodec/pictordec.c
+++ b/libavcodec/pictordec.c
@@ -122,7 +122,7 @@ static int decode_frame(AVCodecContext *avctx,
 s->nb_planes = (tmp >> 4) + 1;
 bpp = bits_per_plane * s->nb_planes;
 if (bits_per_plane > 8 || bpp < 1 || bpp > 32) {
- av_log_ask_for_sample(s, "unsupported bit depth\n");
+ av_log_ask_for_sample(avctx, "unsupported bit depth\n");
 return AVERROR_PATCHWELCOME;
 }
@@ -234,7 +234,7 @@ static int decode_frame(AVCodecContext *avctx,
 }
 }
 } else {
- av_log_ask_for_sample(s, "uncompressed image\n");
+ av_log_ask_for_sample(avctx, "uncompressed image\n");
 return avpkt->size;
 }
 finish:
From 4cb3efc206a69e0affceb7715c1d83c3a568b2ed Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 24 Aug 2013 21:30:46 +0200 Subject: [PATCH 2/6] lavf: avoid integer overflow when estimating bitrate Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit df33a58e5311ee9a64a573889b883a80e981af7b) Signed-off-by: Luca Barbato
---
 libavformat/utils.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/libavformat/utils.c b/libavformat/utils.c
index e1511ee215..27d9d06667 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
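Review bot: Neither corrected call in libavcodec/pictordec.c says why `avctx` rather than the decoder's private `s` has to be passed, and because the logging helper takes its context as `void *` the compiler accepts either, so the same mistake can come back unnoticed. A short comment at the first call, for example `/* log against avctx: the logger reads an AVClass pointer from the start of its context */`, would record the constraint. The layout of the private context is not visible here, so confirm that it really lacks that leading member. The same applies to the `uncompressed image` call in the second hunk, and decode_frame begins and ends outside both hunks.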
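Review bot: The `uncompressed image` branch in the second pictordec.c hunk ends with `return avpkt->size;`, which reports the packet as consumed without an error, whereas the unsupported bit depth branch in the first hunk returns `AVERROR_PATCHWELCOME`. Unless a caller depends on the success value, returning `AVERROR_PATCHWELCOME` here as well would keep unsupported input from being treated as decoded data. Whether a frame is flagged as produced on this path is decided outside the hunk.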
@@ -1863,8 +1863,13 @@ static void estimate_timings_from_bit_rate(AVFormatContext *ic)
 bit_rate = 0;
 for(i=0;inb_streams;i++) {
 st = ic->streams[i];
- if (st->codec->bit_rate > 0)
- bit_rate += st->codec->bit_rate;
+ if (st->codec->bit_rate > 0) {
+ if (INT_MAX - st->codec->bit_rate > bit_rate) {
+ bit_rate = 0;
+ break;
+ }
+ bit_rate += st->codec->bit_rate;
+ }
 }
 ic->bit_rate = bit_rate;
 }
From f3c7e604fabd1505c7de3eaddee5a24b8aacf4c3 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 24 Aug 2013 21:30:46 +0200 Subject: [PATCH 3/6] 4xm: check that bits per sample is strictly positive Avoids a divide by zero. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit a7c1689dedd11689edb30088d467ac03f9b8d1cf) Signed-off-by: Luca Barbato
---
 libavformat/4xm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavformat/4xm.c b/libavformat/4xm.c
index c0b3914fa1..5fb1921dd9 100644
--- a/libavformat/4xm.c
+++ b/libavformat/4xm.c
@@ -154,7 +154,7 @@ static int parse_strk(AVFormatContext *s,
 if (fourxm->tracks[track].channels <= 0 ||
 fourxm->tracks[track].sample_rate <= 0 ||
- fourxm->tracks[track].bits < 0) {
+ fourxm->tracks[track].bits <= 0) {
 av_log(s, AV_LOG_ERROR, "audio header invalid\n");
 return AVERROR_INVALIDDATA;
 }
From 9486e98712879e1f3b2d83bbfc361e402b535005 Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Sat, 24 Aug 2013 21:30:46 +0200 Subject: [PATCH 4/6] ape demuxer: check for EOF in potentially long loops Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry-picked from commit 488b2984fece7ad0c2596826fee18e74aa904667) Signed-off-by: Luca Barbato
---
 libavformat/ape.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavformat/ape.c b/libavformat/ape.c
index d67e684167..a9c695efe0 100644
--- a/libavformat/ape.c
+++ b/libavformat/ape.c
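Review bot: The new overflow guard in estimate_timings_from_bit_rate (libavformat/utils.c) compares in the wrong direction: `INT_MAX - st->codec->bit_rate > bit_rate` is true exactly when the sum stays below INT_MAX. As written, the first stream with an ordinary positive bit rate resets the total to 0 and leaves the loop, while a sum that really would exceed INT_MAX falls through to `bit_rate += st->codec->bit_rate;`. The test should read `if (INT_MAX - st->codec->bit_rate < bit_rate) {`. The declaration of `bit_rate` and the start of the function are outside the hunk, so the INT_MAX bound assumes the accumulator is an int.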
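Review bot: The header check in parse_strk (libavformat/4xm.c) bounds `channels`, `sample_rate` and `bits` only from below, and nothing at the condition says which later use each bound protects. A comment such as `/* bits is used as a divisor later, so zero must be rejected; no upper bounds are enforced here */` would make the intent and the remaining gap explicit. Any arithmetic that combines these file-supplied fields happens outside the hunk, so whether a product of them can overflow should be checked where they are used. parse_strk begins and ends outside the hunk.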
@@ -276,7 +276,9 @@ static int ape_read_header(AVFormatContext * s) ape->seektable = av_malloc(ape->seektablelength); if (!ape->seektable) return AVERROR(ENOMEM); - for (i = 0; i < ape->seektablelength / sizeof(uint32_t); i++) + for (i = 0; + i < ape->seektablelength / sizeof(uint32_t) && !pb->eof_reached; + i++) ape->seektable[i] = avio_rl32(pb); } From 3d91117df0034ca9458e4b791a182082a50a6ad9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Tue, 3 Sep 2013 11:54:03 +0300 Subject: [PATCH 5/6] alac: Limit max_samples_per_frame MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Otherwise buffer size calculations in allocate_buffers could overflow later, making the code think a large enough buffer actually was allocated. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit f7c5883126f9440547933eefcf000aa78af4821c) Signed-off-by: Luca Barbato --- libavcodec/alac.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/alac.c b/libavcodec/alac.c index 1a3f769513..b69efc30dd 100644 --- a/libavcodec/alac.c +++ b/libavcodec/alac.c @@ -495,7 +495,8 @@ static int alac_set_info(ALACContext *alac) bytestream2_skipu(&gb, 12); // size:4, alac:4, version:4 alac->max_samples_per_frame = bytestream2_get_be32u(&gb); - if (!alac->max_samples_per_frame || alac->max_samples_per_frame > INT_MAX) { + if (!alac->max_samples_per_frame || + alac->max_samples_per_frame > INT_MAX / sizeof(int32_t)) { av_log(alac->avctx, AV_LOG_ERROR, "max samples per frame invalid: %u\n", alac->max_samples_per_frame); return AVERROR_INVALIDDATA; From aade60ab165716523788cd11caf03ae61b40144a Mon Sep 17 00:00:00 2001 
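Review bot: When the new `!pb->eof_reached` condition ends the loop early in ape_read_header (libavformat/ape.c), the remaining entries of `ape->seektable` keep whatever av_malloc() returned, and nothing after the loop in this hunk reports the truncation. Allocating with `ape->seektable = av_mallocz(ape->seektablelength);` would at least make the unread tail zero; treating EOF at this point as invalid data is the stricter alternative. How the table is consumed is outside the hunk, so the effect of the unset entries is not visible here.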
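Review bot: The new bound in alac_set_info (libavcodec/alac.c) depends on a size calculation that lives in allocate_buffers, and nothing at the check says so; a comment such as `/* keep in sync with the buffer size computed in allocate_buffers() */` would stop the two drifting apart. The limit also still admits a per-buffer request approaching INT_MAX bytes from a single header field, so the allocation failure path in allocate_buffers has to be handled cleanly. That function is not part of this hunk, and the body of the `if` continues past the hunk's last line.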
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= Date: Tue, 3 Sep 2013 12:10:50 +0300 Subject: [PATCH 6/6] matroskadec: Check that .lang was allocated and set before reading it MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Martin Storsjö (cherry picked from commit 5bcd3ae5b167fb74215520b01d5d810e0c8986ab) Signed-off-by: Luca Barbato --- libavformat/matroskadec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 147c24cf86..fe4d932cf2 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -1157,7 +1157,8 @@ static void matroska_convert_tag(AVFormatContext *s, EbmlList *list, int i; for (i=0; i < list->nb_elem; i++) { - const char *lang = strcmp(tags[i].lang, "und") ? tags[i].lang : NULL; + const char *lang = tags[i].lang && strcmp(tags[i].lang, "und") ? + tags[i].lang : NULL; if (!tags[i].name) { av_log(s, AV_LOG_WARNING, "Skipping invalid tag with no TagName.\n");