update for 0.10.12

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Doxyfile

@@ -31,7 +31,7 @@ PROJECT_NAME           = FFmpeg
 # This could be handy for archiving the generated documentation or
 # if some version control system is used.
 
-PROJECT_NUMBER         = 0.10.11
+PROJECT_NUMBER         = 0.10.12
 
 # With the PROJECT_LOGO tag one can specify an logo or icon that is included
 # in the documentation. The maximum height of the logo should not exceed 55

RELEASE

@@ -1 +1 @@
-0.10.11
+0.10.12

VERSION

@@ -1 +1 @@
-0.10.11
+0.10.12

libavcodec/arm/asm.S

@@ -132,6 +132,13 @@ T       ldr             \rt, [\rn]
 T       add             \rn, \rn, \rm
 .endm
 
+.macro  ldrc_pre        cc,  rt,  rn,  rm:vararg
+A       ldr\cc          \rt, [\rn, \rm]!
+T       itt             \cc
+T       add\cc          \rn, \rn, \rm
+T       ldr\cc          \rt, [\rn]
+.endm
+
 .macro  ldrd_reg        rt,  rt2, rn,  rm
 A       ldrd            \rt, \rt2, [\rn, \rm]
 T       add             \rt, \rn, \rm

libavcodec/arm/dsputil_armv6.S

@@ -146,10 +146,11 @@ function ff_put_pixels8_y2_armv6, export=1
         eor             r7,  r5,  r7
         uadd8           r10, r10, r6
         and             r7,  r7,  r12
-        ldr_pre         r6,  r1,  r2
+        ldrc_pre        ne,  r6,  r1,  r2
         uadd8           r11, r11, r7
         strd_post       r8,  r9,  r0,  r2
-        ldr             r7,  [r1, #4]
+        it              ne
+        ldrne           r7,  [r1, #4]
         strd_post       r10, r11, r0,  r2
         bne             1b
 
@@ -198,9 +199,10 @@ function ff_put_pixels8_y2_no_rnd_armv6, export=1
         uhadd8          r9,  r5,  r7
         ldr             r5,  [r1, #4]
         uhadd8          r12, r4,  r6
-        ldr_pre         r6,  r1,  r2
+        ldrc_pre        ne,  r6,  r1,  r2
         uhadd8          r14, r5,  r7
-        ldr             r7,  [r1, #4]
+        it              ne
+        ldrne           r7,  [r1, #4]
         stm             r0,  {r8,r9}
         add             r0,  r0,  r2
         stm             r0,  {r12,r14}

libavcodec/cavsdec.c

@@ -166,8 +166,8 @@ static inline int decode_residual_inter(AVSContext *h) {
 
     /* get coded block pattern */
     int cbp= get_ue_golomb(&h->s.gb);
-    if(cbp > 63U){
+    if(cbp > 63 || cbp < 0){
-        av_log(h->s.avctx, AV_LOG_ERROR, "illegal inter cbp\n");
+        av_log(h->s.avctx, AV_LOG_ERROR, "illegal inter cbp %d\n", cbp);
         return -1;
     }
     h->cbp = cbp_tab[cbp][1];
@@ -226,7 +226,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code) {
     /* get coded block pattern */
     if(h->pic_type == AV_PICTURE_TYPE_I)
         cbp_code = get_ue_golomb(gb);
-    if(cbp_code > 63U){
+    if(cbp_code > 63 || cbp_code < 0 ){
         av_log(h->s.avctx, AV_LOG_ERROR, "illegal intra cbp\n");
         return -1;
     }

libavcodec/dnxhdenc.c

@@ -220,7 +220,7 @@ static int dnxhd_init_qmat(DNXHDEncContext *ctx, int lbias, int cbias)
 
 static int dnxhd_init_rc(DNXHDEncContext *ctx)
 {
-    FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_rc, 8160*ctx->m.avctx->qmax*sizeof(RCEntry), fail);
+    FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_rc, 8160*(ctx->m.avctx->qmax + 1)*sizeof(RCEntry), fail);
     if (ctx->m.avctx->mb_decision != FF_MB_DECISION_RD)
         FF_ALLOCZ_OR_GOTO(ctx->m.avctx, ctx->mb_cmp, ctx->m.mb_num*sizeof(RCCMPEntry), fail);
 

libavcodec/dsputil.c

@@ -1912,7 +1912,7 @@ void ff_set_cmp(DSPContext* c, me_cmp_func *cmp, int type){
 
 static void add_bytes_c(uint8_t *dst, uint8_t *src, int w){
     long i;
-    for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){
+    for (i = 0; i <= w - (int) sizeof(long); i += sizeof(long)) {
         long a = *(long*)(src+i);
         long b = *(long*)(dst+i);
         *(long*)(dst+i) = ((a&pb_7f) + (b&pb_7f)) ^ ((a^b)&pb_80);
@@ -1937,7 +1937,7 @@ static void diff_bytes_c(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w){
         }
     }else
 #endif
-    for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){
+    for (i = 0; i <= w - (int) sizeof(long); i += sizeof(long)) {
         long a = *(long*)(src1+i);
         long b = *(long*)(src2+i);
         *(long*)(dst+i) = ((a|pb_80) - (b&pb_7f)) ^ ((a^b^pb_80)&pb_80);

libavcodec/flashsv.c

@@ -389,7 +389,9 @@ static int flashsv_decode_frame(AVCodecContext *avctx, void *data,
                     s->diff_start  = get_bits(&gb, 8);
                     s->diff_height = get_bits(&gb, 8);
                     if (s->diff_start + s->diff_height > cur_blk_height) {
-                        av_log(avctx, AV_LOG_ERROR, "Block parameters invalid\n");
+                        av_log(avctx, AV_LOG_ERROR,
+                               "Block parameters invalid: %d + %d > %d\n",
+                               s->diff_start, s->diff_height, cur_blk_height);
                         return AVERROR_INVALIDDATA;
                     }
                     av_log(avctx, AV_LOG_DEBUG,

libavcodec/get_bits.h

@@ -355,7 +355,7 @@ static inline int init_get_bits(GetBitContext *s, const uint8_t *buffer,
     int buffer_size;
     int ret = 0;
 
-    if (bit_size > INT_MAX - 7 || bit_size < 0) {
+    if (bit_size > INT_MAX - 7 || bit_size < 0 || !buffer) {
         buffer_size = bit_size = 0;
         buffer = NULL;
         ret = AVERROR_INVALIDDATA;

libavcodec/h264.c

@@ -2672,7 +2672,14 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
     h->slice_type= slice_type;
     h->slice_type_nos= slice_type & 3;
 
-    s->pict_type= h->slice_type; // to make a few old functions happy, it's wrong though
+    if (h->nal_unit_type  == NAL_IDR_SLICE &&
+        h->slice_type_nos != AV_PICTURE_TYPE_I) {
+        av_log(h->s.avctx, AV_LOG_ERROR, "A non-intra slice in an IDR NAL unit.\n");
+        return AVERROR_INVALIDDATA;
+    }
+
+    // to make a few old functions happy, it's wrong though
+    s->pict_type = h->slice_type;
 
     pps_id= get_ue_golomb(&s->gb);
     if(pps_id>=MAX_PPS_COUNT){
@@ -3224,8 +3231,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
     }
 
     h->deblocking_filter = 1;
-    h->slice_alpha_c0_offset = 52;
+    h->slice_alpha_c0_offset = 0;
-    h->slice_beta_offset = 52;
+    h->slice_beta_offset = 0;
     if( h->pps.deblocking_filter_parameters_present ) {
         tmp= get_ue_golomb_31(&s->gb);
         if(tmp > 2){
@@ -3236,12 +3243,16 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
         if(h->deblocking_filter < 2)
             h->deblocking_filter^= 1; // 1<->0
 
-        if( h->deblocking_filter ) {
+        if (h->deblocking_filter) {
-            h->slice_alpha_c0_offset += get_se_golomb(&s->gb) << 1;
+            h->slice_alpha_c0_offset = get_se_golomb(&s->gb) * 2;
-            h->slice_beta_offset     += get_se_golomb(&s->gb) << 1;
+            h->slice_beta_offset     = get_se_golomb(&s->gb) * 2;
-            if(   h->slice_alpha_c0_offset > 104U
+            if (h->slice_alpha_c0_offset >  12 ||
-               || h->slice_beta_offset     > 104U){
+                h->slice_alpha_c0_offset < -12 ||
-                av_log(s->avctx, AV_LOG_ERROR, "deblocking filter parameters %d %d out of range\n", h->slice_alpha_c0_offset, h->slice_beta_offset);
+                h->slice_beta_offset >  12     ||
+                h->slice_beta_offset < -12) {
+                av_log(s->avctx, AV_LOG_ERROR,
+                       "deblocking filter parameters %d %d out of range\n",
+                       h->slice_alpha_c0_offset, h->slice_beta_offset);
                 return -1;
             }
         }
@@ -3270,14 +3281,12 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
             }
         }
     }
-    h->qp_thresh = 15 + 52 - FFMIN(h->slice_alpha_c0_offset, h->slice_beta_offset)
+    h->qp_thresh = 15 -
-                 - FFMAX3(0, h->pps.chroma_qp_index_offset[0], h->pps.chroma_qp_index_offset[1])
+                   FFMIN(h->slice_alpha_c0_offset, h->slice_beta_offset) -
-                 + 6 * (h->sps.bit_depth_luma - 8);
+                   FFMAX3(0,
-
+                          h->pps.chroma_qp_index_offset[0],
-#if 0 //FMO
+                          h->pps.chroma_qp_index_offset[1]) +
-    if( h->pps.num_slice_groups > 1  && h->pps.mb_slice_group_map_type >= 3 && h->pps.mb_slice_group_map_type <= 5)
+                   6 * (h->sps.bit_depth_luma - 8);
-        slice_group_change_cycle= get_bits(&s->gb, ?);
-#endif
 
     h0->last_slice_type = slice_type;
     h->slice_num = ++h0->current_slice;
@@ -3338,7 +3347,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
                s->current_picture_ptr->field_poc[0], s->current_picture_ptr->field_poc[1],
                h->ref_count[0], h->ref_count[1],
                s->qscale,
-               h->deblocking_filter, h->slice_alpha_c0_offset/2-26, h->slice_beta_offset/2-26,
+               h->deblocking_filter,
+               h->slice_alpha_c0_offset, h->slice_beta_offset,
                h->use_weight,
                h->use_weight==1 && h->use_weight_chroma ? "c" : "",
                h->slice_type == AV_PICTURE_TYPE_B ? (h->direct_spatial_mv_pred ? "SPAT" : "TEMP") : ""

libavcodec/h264_cavlc.c

@@ -770,6 +770,10 @@ decode_intra_mb:
 
         // We assume these blocks are very rare so we do not optimize it.
         align_get_bits(&s->gb);
+        if (get_bits_left(&s->gb) < mb_size) {
+            av_log(s->avctx, AV_LOG_ERROR, "Not enough data for an intra PCM block.\n");
+            return AVERROR_INVALIDDATA;
+        }
 
         // The pixels are stored in the same order as levels in h->mb array.
         for(x=0; x < mb_size; x++){

libavcodec/h264_loopfilter.c

@@ -254,8 +254,8 @@ static av_always_inline void h264_filter_mb_fast_internal(H264Context *h,
     int top_type= h->top_type;
 
     int qp_bd_offset = 6 * (h->sps.bit_depth_luma - 8);
-    int a = h->slice_alpha_c0_offset - qp_bd_offset;
+    int a = 52 + h->slice_alpha_c0_offset - qp_bd_offset;
-    int b = h->slice_beta_offset - qp_bd_offset;
+    int b = 52 + h->slice_beta_offset - qp_bd_offset;
 
     int mb_type = s->current_picture.f.mb_type[mb_xy];
     int qp      = s->current_picture.f.qscale_table[mb_xy];
@@ -715,8 +715,8 @@ void ff_h264_filter_mb( H264Context *h, int mb_x, int mb_y, uint8_t *img_y, uint
     av_unused int dir;
     int chroma = !(CONFIG_GRAY && (s->flags&CODEC_FLAG_GRAY));
     int qp_bd_offset = 6 * (h->sps.bit_depth_luma - 8);
-    int a = h->slice_alpha_c0_offset - qp_bd_offset;
+    int a = 52 + h->slice_alpha_c0_offset - qp_bd_offset;
-    int b = h->slice_beta_offset - qp_bd_offset;
+    int b = 52 + h->slice_beta_offset - qp_bd_offset;
 
     if (FRAME_MBAFF
             // and current and left pair do not have the same interlaced type

libavcodec/h264_ps.c

@@ -250,7 +250,9 @@ static inline int decode_vui_parameters(H264Context *h, SPS *sps){
         }
 
         if(sps->num_reorder_frames > 16U /*max_dec_frame_buffering || max_dec_frame_buffering > 16*/){
-            av_log(h->s.avctx, AV_LOG_ERROR, "illegal num_reorder_frames %d\n", sps->num_reorder_frames);
+            av_log(h->s.avctx, AV_LOG_ERROR, "Clipping illegal num_reorder_frames %d\n",
+                   sps->num_reorder_frames);
+            sps->num_reorder_frames = 16;
             return -1;
         }
     }

libavcodec/lagarith.c

@@ -52,6 +52,7 @@ typedef struct LagarithContext {
     int zeros;                  /**< number of consecutive zero bytes encountered */
     int zeros_rem;              /**< number of zero bytes remaining to output */
     uint8_t *rgb_planes;
+    int      rgb_planes_allocated;
     int rgb_stride;
 } LagarithContext;
 
@@ -507,13 +508,12 @@ static int lag_decode_frame(AVCodecContext *avctx,
         offs[2] = 13;
         offs[3] = AV_RL32(buf + 9);
 
+        l->rgb_stride = FFALIGN(avctx->width, 16);
+        av_fast_malloc(&l->rgb_planes, &l->rgb_planes_allocated,
+                       l->rgb_stride * avctx->height * 4 + 1);
         if (!l->rgb_planes) {
-            l->rgb_stride = FFALIGN(avctx->width, 16);
+            av_log(avctx, AV_LOG_ERROR, "cannot allocate temporary buffer\n");
-            l->rgb_planes = av_malloc(l->rgb_stride * avctx->height * 4);
+            return AVERROR(ENOMEM);
-            if (!l->rgb_planes) {
-                av_log(avctx, AV_LOG_ERROR, "cannot allocate temporary buffer\n");
-                return AVERROR(ENOMEM);
-            }
         }
         for (i = 0; i < 4; i++)
             srcs[i] = l->rgb_planes + (i + 1) * l->rgb_stride * avctx->height - l->rgb_stride;

libavcodec/lagarithrac.h

@@ -107,6 +107,9 @@ static inline uint8_t lag_get_rac(lag_rac *l)
         l->range -= range_scaled * l->prob[255];
     }
 
+    if (!l->range)
+        l->range = 0x80;
+
     l->low -= range_scaled * l->prob[val];
 
     return val;

libavcodec/msrle.c

@@ -35,6 +35,7 @@
 #include "avcodec.h"
 #include "dsputil.h"
 #include "msrledec.h"
+#include "libavutil/imgutils.h"
 
 typedef struct MsrleContext {
     AVCodecContext *avctx;
@@ -108,7 +109,7 @@ static int msrle_decode_frame(AVCodecContext *avctx,
 
     /* FIXME how to correctly detect RLE ??? */
     if (avctx->height * istride == avpkt->size) { /* assume uncompressed */
-        int linesize = (avctx->width * avctx->bits_per_coded_sample + 7) / 8;
+        int linesize = av_image_get_linesize(avctx->pix_fmt, avctx->width, 0);
         uint8_t *ptr = s->frame.data[0];
         uint8_t *buf = avpkt->data + (avctx->height-1)*istride;
         int i, j;

libavcodec/rpza.c

@@ -38,6 +38,7 @@
 #include <stdlib.h>
 #include <string.h>
 
+#include "libavutil/common.h"
 #include "libavutil/intreadwrite.h"
 #include "avcodec.h"
 
@@ -125,6 +126,8 @@ static void rpza_decode_stream(RpzaContext *s)
             }
         }
 
+        n_blocks = FFMIN(n_blocks, total_blocks);
+
         switch (opcode & 0xe0) {
 
         /* Skip blocks */

libavcodec/shorten.c

@@ -431,7 +431,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data,
         void *tmp_ptr;
         s->max_framesize = 1024; // should hopefully be enough for the first header
         tmp_ptr = av_fast_realloc(s->bitstream, &s->allocated_bitstream_size,
-                                  s->max_framesize);
+                                  s->max_framesize + FF_INPUT_BUFFER_PADDING_SIZE);
         if (!tmp_ptr) {
             av_log(avctx, AV_LOG_ERROR, "error allocating bitstream buffer\n");
             return AVERROR(ENOMEM);

libavcodec/snow.h

@@ -311,7 +311,8 @@ static av_always_inline void add_yblock(SnowContext *s, int sliced, slice_buffer
         if(!sliced && !offset_dst)
             dst -= src_x;
         src_x=0;
-    }else if(src_x + b_w > w){
+    }
+    if(src_x + b_w > w){
         b_w = w - src_x;
     }
     if(src_y<0){
@@ -320,7 +321,8 @@ static av_always_inline void add_yblock(SnowContext *s, int sliced, slice_buffer
         if(!sliced && !offset_dst)
             dst -= src_y*dst_stride;
         src_y=0;
-    }else if(src_y + b_h> h){
+    }
+    if(src_y + b_h> h){
         b_h = h - src_y;
     }
 

libavcodec/truemotion1.c

@@ -320,6 +320,11 @@ static int truemotion1_decode_header(TrueMotion1Context *s)
         return -1;
     }
 
+    if (header.header_size + 1 > s->size) {
+        av_log(s->avctx, AV_LOG_ERROR, "Input packet too small.\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     /* unscramble the header bytes with a XOR operation */
     memset(header_buffer, 0, 128);
     for (i = 1; i < header.header_size; i++)

libavcodec/twinvq.c

@@ -996,7 +996,7 @@ static void linear_perm(int16_t *out, int16_t *in, int n_blocks, int size)
         out[i] = block_size * (in[i] % n_blocks) + in[i] / n_blocks;
 }
 
-static av_cold void construct_perm_table(TwinContext *tctx,enum FrameType ftype)
+static av_cold void construct_perm_table(TwinContext *tctx, int ftype)
 {
     int block_size;
     const ModeTab *mtab = tctx->mtab;

libavcodec/vc1.c

@@ -578,6 +578,8 @@ int vc1_parse_frame_header(VC1Context *v, GetBitContext* gb)
 {
     int pqindex, lowquant, status;
 
+    v->field_mode = 0;
+    v->fcm = 0;
     if (v->finterpflag)
         v->interpfrm = get_bits1(gb);
     skip_bits(gb, 2); //framecnt unused
@@ -824,7 +826,7 @@ int vc1_parse_frame_header_adv(VC1Context *v, GetBitContext* gb)
     int mbmodetab, imvtab, icbptab, twomvbptab, fourmvbptab; /* useful only for debugging */
     int scale, shift, i; /* for initializing LUT for intensity compensation */
 
-    v->numref=0;
+    v->numref          = 0;
     v->p_frame_skipped = 0;
     if (v->second_field) {
         if(v->fcm!=2 || v->field_mode!=1)

libavcodec/vmnc.c

@@ -275,6 +275,11 @@ static int decode_hextile(VmncContext *c, uint8_t* dst, const uint8_t* src, int
                     }
                     xy = *src++;
                     wh = *src++;
+                    if (   (xy >> 4) + (wh >> 4) + 1 > w - i
+                        || (xy & 0xF) + (wh & 0xF)+1 > h - j) {
+                        av_log(c->avctx, AV_LOG_ERROR, "Rectangle outside picture\n");
+                        return AVERROR_INVALIDDATA;
+                    }
                     paint_rect(dst2, xy >> 4, xy & 0xF, (wh>>4)+1, (wh & 0xF)+1, fg, bpp, stride);
                 }
             }

libavcodec/vqavideo.c

@@ -534,6 +534,12 @@ static int vqa_decode_chunk(VqaContext *s)
         bytestream2_seek(&s->gb, cbp0_chunk, SEEK_SET);
         chunk_size = bytestream2_get_be32(&s->gb);
 
+        if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) {
+            av_log(s->avctx, AV_LOG_ERROR, "cbp0 chunk too large (%u bytes)\n",
+                   chunk_size);
+            return AVERROR_INVALIDDATA;
+        }
+
         /* accumulate partial codebook */
         bytestream2_get_buffer(&s->gb, &s->next_codebook_buffer[s->next_codebook_buffer_index],
                                chunk_size);
@@ -557,6 +563,12 @@ static int vqa_decode_chunk(VqaContext *s)
         bytestream2_seek(&s->gb, cbpz_chunk, SEEK_SET);
         chunk_size = bytestream2_get_be32(&s->gb);
 
+        if (chunk_size > MAX_CODEBOOK_SIZE - s->next_codebook_buffer_index) {
+            av_log(s->avctx, AV_LOG_ERROR, "cbpz chunk too large (%u bytes)\n",
+                   chunk_size);
+            return AVERROR_INVALIDDATA;
+        }
+
         /* accumulate partial codebook */
         bytestream2_get_buffer(&s->gb, &s->next_codebook_buffer[s->next_codebook_buffer_index],
                                chunk_size);

libavcodec/wmalosslessdec.c

@@ -238,11 +238,11 @@ typedef struct WmallDecodeCtx {
 
     int8_t mclms_order;
     int8_t mclms_scaling;
-    int16_t mclms_coeffs[128];
+    int16_t mclms_coeffs[WMALL_MAX_CHANNELS * WMALL_MAX_CHANNELS * 32];
-    int16_t mclms_coeffs_cur[4];
+    int16_t mclms_coeffs_cur[WMALL_MAX_CHANNELS * WMALL_MAX_CHANNELS];
-    int16_t mclms_prevvalues[64];   // FIXME: should be 32-bit / 16-bit depending on bit-depth
+    int16_t mclms_prevvalues[WMALL_MAX_CHANNELS * 2 * 32];
-    int16_t mclms_updates[64];
+    int16_t mclms_updates[WMALL_MAX_CHANNELS * 2 * 32];
-    int mclms_recent;
+    int     mclms_recent;
 
     int movave_scaling;
     int quant_stepsize;

libavformat/avidec.c

@@ -940,7 +940,7 @@ start_sync:
             goto start_sync;
         }
 
-        n= get_stream_idx(d);
+        n = avi->dv_demux ? 0 : get_stream_idx(d);
 
         if(!((i-avi->last_pkt_pos)&1) && get_stream_idx(d+1) < s->nb_streams)
             continue;
@@ -1051,6 +1051,8 @@ static int avi_read_packet(AVFormatContext *s, AVPacket *pkt)
         int size = avpriv_dv_get_packet(avi->dv_demux, pkt);
         if (size >= 0)
             return size;
+        else
+            goto resync;
     }
 
     if(avi->non_interleaved){
@@ -1392,12 +1394,17 @@ static int avi_read_seek(AVFormatContext *s, int stream_index, int64_t timestamp
     int64_t pos, pos_min;
     AVIStream *ast;
 
+    /* Does not matter which stream is requested dv in avi has the
+     * stream information in the first video stream.
+     */
+    if (avi->dv_demux)
+        stream_index = 0;
+
     if (!avi->index_loaded) {
         /* we only load the index on demand */
         avi_load_index(s);
         avi->index_loaded |= 1;
     }
-    assert(stream_index>= 0);
 
     st = s->streams[stream_index];
     ast= st->priv_data;
@@ -1415,7 +1422,6 @@ static int avi_read_seek(AVFormatContext *s, int stream_index, int64_t timestamp
         /* One and only one real stream for DV in AVI, and it has video  */
         /* offsets. Calling with other stream indexes should have failed */
         /* the av_index_search_timestamp call above.                     */
-        assert(stream_index == 0);
 
         if(avio_seek(s->pb, pos, SEEK_SET) < 0)
             return -1;

libavformat/mov.c

@@ -1694,6 +1694,7 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom)
     if (entries >= UINT_MAX / sizeof(*sc->stts_data))
         return -1;
 
+    av_free(sc->stts_data);
     sc->stts_data = av_malloc(entries * sizeof(*sc->stts_data));
     if (!sc->stts_data)
         return AVERROR(ENOMEM);

libavformat/mpegtsenc.c

@@ -235,7 +235,7 @@ static void mpegts_write_pat(AVFormatContext *s)
                           data, q - data);
 }
 
-static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
+static int mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
 {
     //    MpegTSWrite *ts = s->priv_data;
     uint8_t data[1012], *q, *desc_length_ptr, *program_info_length_ptr;
@@ -288,6 +288,10 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
             stream_type = STREAM_TYPE_PRIVATE_DATA;
             break;
         }
+
+        if (q - data > sizeof(data) - 32)
+            return AVERROR(EINVAL);
+
         *q++ = stream_type;
         put16(&q, 0xe000 | ts_st->pid);
         desc_length_ptr = q;
@@ -311,7 +315,7 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
                 len_ptr = q++;
                 *len_ptr = 0;
 
-                for (p = lang->value; next && *len_ptr < 255 / 4 * 4; p = next + 1) {
+                for (p = lang->value; next && *len_ptr < 255 / 4 * 4 && q - data < sizeof(data) - 4; p = next + 1) {
                     next = strchr(p, ',');
                     if (strlen(p) != 3 && (!next || next != p + 3))
                         continue; /* not a 3-letter code */
@@ -373,6 +377,7 @@ static void mpegts_write_pmt(AVFormatContext *s, MpegTSService *service)
     }
     mpegts_write_section1(&service->pmt, PMT_TID, service->sid, 0, 0, 0,
                           data, q - data);
+    return 0;
 }
 
 /* NOTE: str == NULL is accepted for an empty string */

libavformat/oggparseogm.c

@@ -75,6 +75,11 @@ ogm_header(AVFormatContext *s, int idx)
 
         time_unit   = bytestream2_get_le64(&p);
         spu         = bytestream2_get_le64(&p);
+        if (!time_unit || !spu) {
+            av_log(s, AV_LOG_ERROR, "Invalid timing values.\n");
+            return AVERROR_INVALIDDATA;
+        }
+
         bytestream2_skip(&p, 4);    /* default_len */
         bytestream2_skip(&p, 8);    /* buffersize + bits_per_sample */
 

libavformat/segafilm.c

@@ -76,6 +76,16 @@ static int film_probe(AVProbeData *p)
     return AVPROBE_SCORE_MAX;
 }
 
+static int film_read_close(AVFormatContext *s)
+{
+    FilmDemuxContext *film = s->priv_data;
+
+    av_freep(&film->sample_table);
+    av_freep(&film->stereo_buffer);
+
+    return 0;
+}
+
 static int film_read_header(AVFormatContext *s,
                             AVFormatParameters *ap)
 {
@@ -83,7 +93,7 @@ static int film_read_header(AVFormatContext *s,
     AVIOContext *pb = s->pb;
     AVStream *st;
     unsigned char scratch[256];
-    int i;
+    int i, ret;
     unsigned int data_offset;
     unsigned int audio_frame_counter;
 
@@ -210,14 +220,16 @@ static int film_read_header(AVFormatContext *s,
     for (i = 0; i < film->sample_count; i++) {
         /* load the next sample record and transfer it to an internal struct */
         if (avio_read(pb, scratch, 16) != 16) {
-            av_free(film->sample_table);
+            ret = AVERROR(EIO);
-            return AVERROR(EIO);
+            goto fail;
         }
         film->sample_table[i].sample_offset =
             data_offset + AV_RB32(&scratch[0]);
         film->sample_table[i].sample_size = AV_RB32(&scratch[4]);
-        if (film->sample_table[i].sample_size > INT_MAX / 4)
+        if (film->sample_table[i].sample_size > INT_MAX / 4) {
-            return AVERROR_INVALIDDATA;
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
+        }
         if (AV_RB32(&scratch[8]) == 0xFFFFFFFF) {
             film->sample_table[i].stream = film->audio_stream_index;
             film->sample_table[i].pts = audio_frame_counter;
@@ -240,6 +252,9 @@ static int film_read_header(AVFormatContext *s,
     film->current_sample = 0;
 
     return 0;
+fail:
+    film_read_close(s);
+    return ret;
 }
 
 static int film_read_packet(AVFormatContext *s,
@@ -320,16 +335,6 @@ static int film_read_packet(AVFormatContext *s,
     return ret;
 }
 
-static int film_read_close(AVFormatContext *s)
-{
-    FilmDemuxContext *film = s->priv_data;
-
-    av_free(film->sample_table);
-    av_free(film->stereo_buffer);
-
-    return 0;
-}
-
 AVInputFormat ff_segafilm_demuxer = {
     .name           = "film_cpk",
     .long_name      = NULL_IF_CONFIG_SMALL("Sega FILM/CPK format"),

libavformat/utils.c

@@ -558,7 +558,6 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
     for(probe_size= PROBE_BUF_MIN; probe_size<=max_probe_size && !*fmt;
         probe_size = FFMIN(probe_size<<1, FFMAX(max_probe_size, probe_size+1))) {
         int score = probe_size < max_probe_size ? AVPROBE_SCORE_MAX/4 : 0;
-        int buf_offset = (probe_size == PROBE_BUF_MIN) ? 0 : probe_size>>1;
         void *buftmp;
 
         if (probe_size < offset) {
@@ -572,7 +571,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
             return AVERROR(ENOMEM);
         }
         buf=buftmp;
-        if ((ret = avio_read(pb, buf + buf_offset, probe_size - buf_offset)) < 0) {
+        if ((ret = avio_read(pb, buf + pd.buf_size, probe_size - pd.buf_size)) < 0) {
             /* fail if error was not end of file, otherwise, lower score */
             if (ret != AVERROR_EOF) {
                 av_free(buf);

libavutil/mathematics.c

@@ -23,7 +23,6 @@
  * miscellaneous math routines and tables
  */
 
-#include <assert.h>
 #include <stdint.h>
 #include <limits.h>
 #include "mathematics.h"
@@ -77,9 +76,9 @@ int64_t av_gcd(int64_t a, int64_t b){
 
 int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd){
     int64_t r=0;
-    assert(c > 0);
+
-    assert(b >=0);
+    if (c <= 0 || b < 0 || rnd == 4 || rnd > 5)
-    assert((unsigned)rnd<=5 && rnd!=4);
+        return INT64_MIN;
 
     if(a<0 && a != INT64_MIN) return -av_rescale_rnd(-a, b, c, rnd ^ ((rnd>>1)&1));
 

libavutil/samplefmt.c

@@ -114,6 +114,13 @@ int av_samples_get_buffer_size(int *linesize, int nb_channels, int nb_samples,
     if (!sample_size || nb_samples <= 0 || nb_channels <= 0)
         return AVERROR(EINVAL);
 
+    /* auto-select alignment if not specified */
+    if (!align) {
+        if (nb_samples > INT_MAX - 31)
+            return AVERROR(EINVAL);
+        align = 32;
+    }
+
     /* check for integer overflow */
     if (nb_channels > INT_MAX / align ||
         (int64_t)nb_channels * nb_samples > (INT_MAX - (align * nb_channels)) / sample_size)

libavutil/samplefmt.h

@@ -107,6 +107,7 @@ int av_sample_fmt_is_planar(enum AVSampleFormat sample_fmt);
  * @param nb_channels   the number of channels
  * @param nb_samples    the number of samples in a single channel
  * @param sample_fmt    the sample format
+ * @param align         buffer size alignment (0 = default, 1 = no alignment)
  * @return              required buffer size, or negative error code on failure
  */
 int av_samples_get_buffer_size(int *linesize, int nb_channels, int nb_samples,
@@ -130,7 +131,7 @@ int av_samples_get_buffer_size(int *linesize, int nb_channels, int nb_samples,
  * @param nb_channels      the number of channels
  * @param nb_samples       the number of samples in a single channel
  * @param sample_fmt       the sample format
- * @param align            buffer size alignment (1 = no alignment required)
+ * @param align            buffer size alignment (0 = default, 1 = no alignment)
  * @return                 0 on success or a negative error code on failure
  */
 int av_samples_fill_arrays(uint8_t **audio_data, int *linesize, uint8_t *buf,
@@ -146,7 +147,7 @@ int av_samples_fill_arrays(uint8_t **audio_data, int *linesize, uint8_t *buf,
  * @param[out] linesize    aligned size for audio buffer(s)
  * @param nb_channels      number of audio channels
  * @param nb_samples       number of samples per channel
- * @param align            buffer size alignment (1 = no alignment required)
+ * @param align            buffer size alignment (0 = default, 1 = no alignment)
  * @return                 0 on success or a negative error code on failure
  * @see av_samples_fill_arrays()
  */