From 716ee73c991cfa4a8a49670e2650ebd0e2d34df8 Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Thu, 28 Nov 2013 10:54:35 +0100
Subject: [PATCH 1/7] h264: reset num_reorder_frames if it is invalid
An invalid VUI is not considered a fatal error, so the SPS containing it may still be used. Leaving an invalid value of num_reorder_frames there can result in writing over the bounds of H264Context.delayed_pic.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 9ecabd7892ff073ae60ded3fc0a1290f5914ed5c)
Signed-off-by: Reinhard Tartler
Conflicts: libavcodec/h264_ps.c
(cherry picked from commit 299c5dcfb0cd3debdf07943edfb46f4aeb02ca91)
Signed-off-by: Reinhard Tartler
---
 libavcodec/h264_ps.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
index 00c5003a22..ee4711c147 100644
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -236,7 +236,9 @@ static inline int decode_vui_parameters(H264Context *h, SPS *sps){
 }
 if(sps->num_reorder_frames > 16U /*max_dec_frame_buffering || max_dec_frame_buffering > 16*/){
- av_log(h->s.avctx, AV_LOG_ERROR, "illegal num_reorder_frames %d\n", sps->num_reorder_frames);
+ av_log(h->s.avctx, AV_LOG_ERROR, "Clipping illegal num_reorder_frames %d\n",
+ sps->num_reorder_frames);
+ sps->num_reorder_frames = 16;
 return -1;
 }
 }
From 30c8a5e4f6c096eabb82c45177b945ebc85144fb Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 19 Jan 2014 15:28:25 +0000
Subject: [PATCH 2/7] vc1: Always reset numref when parsing a new frame header.
Fixes an issue where the B-frame coding mode switches from interlaced fields to interlaced frames, causing incorrect decisions in the motion compensation code and resulting in visual artifacts.
CC: libav-stable@libav.org
Signed-off-by: Tim Walker
(cherry picked from commit dd2d0039b6405dc724e4fef0d5b8f49530eea3aa)
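Review bot: The clamp on `sps->num_reorder_frames = 16;` repeats the bare `16U` literal of the condition without saying where the bound comes from, and the `return -1;` that follows still stands, so a reader cannot tell from the code whether the clipped SPS is meant to survive. A why-comment tying the two to the commit's reasoning would help, e.g. `/* clamp to the capacity of H264Context.delayed_pic; a VUI error is treated as non-fatal by the caller, so this SPS may still be used */`. Better still, derive the bound from the array's declared size (an `FF_ARRAY_ELEMS`-style expression over delayed_pic) so the condition and the clamp cannot drift apart. decode_vui_parameters starts before the hunk and the caller's handling of the -1 is not visible here, so the non-fatal claim rests on the commit message alone.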
Signed-off-by: Reinhard Tartler
(cherry picked from commit 3cc8d9bc1ffc6c0888960fb009f12fa3047bb663)
Signed-off-by: Reinhard Tartler
---
 libavcodec/vc1.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c
index 6135ebdc09..68e0d0d306 100644
--- a/libavcodec/vc1.c
+++ b/libavcodec/vc1.c
@@ -822,6 +822,7 @@ int vc1_parse_frame_header_adv(VC1Context *v, GetBitContext* gb)
 int mbmodetab, imvtab, icbptab, twomvbptab, fourmvbptab; /* useful only for debugging */
 int scale, shift, i; /* for initializing LUT for intensity compensation */
+ v->numref = 0;
 v->p_frame_skipped = 0;
 if (v->second_field) {
 v->s.pict_type = (v->fptype & 1) ? AV_PICTURE_TYPE_P : AV_PICTURE_TYPE_I;
From e03b875c0b57d458d3fc693b37b01615fc7283e7 Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Thu, 12 Dec 2013 07:34:13 +0100
Subject: [PATCH 3/7] mathematics: remove asserts from av_rescale_rnd()
It is a public function, it must not assert on its parameters.
(cherry picked from commit 94a417acc05cc5151b473abc0bf51fad26f8c5a0)
Signed-off-by: Reinhard Tartler
(cherry picked from commit 03bfd8419fbaf9c72b293457437bd508dea64736)
Signed-off-by: Reinhard Tartler
---
 libavutil/mathematics.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/libavutil/mathematics.c b/libavutil/mathematics.c
index e6ce2f98ad..51b0e95133 100644
--- a/libavutil/mathematics.c
+++ b/libavutil/mathematics.c
@@ -23,7 +23,6 @@
 * miscellaneous math routines and tables */
-#include
 #include
 #include
 #include "mathematics.h"
@@ -76,9 +75,9 @@ int64_t av_gcd(int64_t a, int64_t b){
 int64_t av_rescale_rnd(int64_t a, int64_t b, int64_t c, enum AVRounding rnd){
 int64_t r=0;
- assert(c > 0);
- assert(b >=0);
- assert((unsigned)rnd<=5 && rnd!=4);
+
+ if (c <= 0 || b < 0 || rnd == 4 || rnd > 5) return INT64_MIN;
 if(a<0 && a != INT64_MIN) return -av_rescale_rnd(-a, b, c, rnd ^ ((rnd>>1)&1));
From b0db7a523df5ce5c5bcfb21d64a8f2a5fdcd5b42 Mon Sep 17 00:00:00 2001
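Review bot: `v->numref = 0;` is added without a comment, so nothing inside vc1_parse_frame_header_adv says that the field can be left over from the previous frame and why it must be cleared before this header is parsed; the rationale lives only in the commit message. Suggest `v->numref = 0; /* may be stale from a previous interlaced-field frame; cleared so a frame-coded B picture does not inherit it */`, with the second clause to be checked against the code that assigns numref, which is outside this hunk. The function continues past the hunk.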
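Review bot: The replacement check in av_rescale_rnd is weaker than the asserts it replaces: `(unsigned)rnd<=5` also rejected negative rnd values, whereas `rnd == 4 || rnd > 5` lets them through if enum AVRounding is signed on the target, and the recursive call `rnd ^ ((rnd>>1)&1)` plus the dispatch that follows (outside the hunk) then run on an out-of-range value. Keeping the unsigned comparison restores the old coverage: `if (c <= 0 || b < 0 || (unsigned)rnd > 5 || rnd == 4)`. INT64_MIN as the failure value may also coincide with a legitimate result for `a == INT64_MIN`, which the function explicitly handles, so the public declaration in mathematics.h should document INT64_MIN as the error sentinel; that header is not part of this patch. The `+` marker of the `return INT64_MIN;` line appears to have been lost in this rendering, and the function body continues past the hunk.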
From: Anton Khirnov
Date: Thu, 28 Nov 2013 10:54:35 +0100
Subject: [PATCH 4/7] oggparseogm: check timing variables
Fixes a potential divide by zero.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 75647dea6f7db79b409bad66a119f5c73da730f3)
Signed-off-by: Reinhard Tartler
(cherry picked from commit bf7c240a50f8ed99a42e08bb7a8a70262cce34ad)
Signed-off-by: Reinhard Tartler
---
 libavformat/oggparseogm.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/libavformat/oggparseogm.c b/libavformat/oggparseogm.c
index c761bbd7db..b74537c689 100644
--- a/libavformat/oggparseogm.c
+++ b/libavformat/oggparseogm.c
@@ -75,6 +75,11 @@ ogm_header(AVFormatContext *s, int idx)
 time_unit = bytestream2_get_le64(&p);
 spu = bytestream2_get_le64(&p);
+ if (!time_unit || !spu) {
+ av_log(s, AV_LOG_ERROR, "Invalid timing values.\n");
+ return AVERROR_INVALIDDATA;
+ }
+
 bytestream2_skip(&p, 4); /* default_len */
 bytestream2_skip(&p, 8); /* buffersize + bits_per_sample */
From 5522c564d48e1bb07d8cb722e8f94575a2683e29 Mon Sep 17 00:00:00 2001
From: Reinhard Tartler
Date: Sun, 2 Feb 2014 12:54:52 -0500
Subject: [PATCH 5/7] Updated Changelog for 0.8.10
---
 Changelog | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/Changelog b/Changelog
index b9fb40a882..7855c11324 100644
--- a/Changelog
+++ b/Changelog
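Review bot: The new guard in ogm_header rejects only zero `time_unit`/`spu` and neither the code nor the log line says why zero matters; a why-comment above the `if` would carry the commit's reasoning into the file, e.g. `/* both values are later used as divisors when deriving the stream time base; zero would divide by zero */`, to be confirmed against the computation that follows, which is outside this hunk. Both values come from bytestream2_get_le64, so if they are held in signed 64-bit variables a negative value still passes this check — verify that the later arithmetic tolerates that. Including the two offending values in the av_log message would also make rejected files easier to triage from decoder logs. ogm_header continues past the hunk.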
@@ -3,6 +3,23 @@ releases are sorted from youngest to oldest.
 version 0.8.10:
+- oggparseogm: check timing variables
+- mathematics: remove asserts from av_rescale_rnd()
+- vc1: Always reset numref when parsing a new frame header.
+- h264: reset num_reorder_frames if it is invalid
+- h264: check that an IDR NAL only contains I slices
+- mov: Free an earlier allocated array if allocating a new one
+- segafilm: fix leaks if reading the header fails
+- h264_cavlc: check the size of the intra PCM data.
+- cavs: Check for negative cbp
+- avi: DV in AVI must be considered single stream
+- avutil: use align == 0 for default alignment in audio sample buffer functions
+- flashsv: Check diff_start diff_height values
+- dsputil/pngdsp: fix signed/unsigned type in end comparison
+- vqavideo: check chunk sizes before reading chunks
+- avi: directly resync on DV in AVI read failure
+- get_bits: change the failure condition in init_get_bits
+- twinvq: Cope with gcc-4.8.2 miscompilation
 - pthread: Avoid spurious wakeups
 - pthread: Fix deadlock during thread initialization
 - mpegvideo: Initialize chroma_*_shift and codec_tag even if the size is 0
From 8cade1352bde1a1d4da70fc16a722a4fa7d2edc7 Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Mon, 13 Jan 2014 13:47:07 +0100
Subject: [PATCH 6/7] lavf: make av_probe_input_buffer more robust
Always use the actually read size as the offset instead of making possibly invalid assumptions.
Addresses: CVE-2012-6618
(cherry picked from commit 2115a3597457231a6e5c0527fe0ff8550f64b733)
Signed-off-by: Reinhard Tartler
Conflicts: libavformat/utils.c
Signed-off-by: Anton Khirnov
(cherry picked from commit 8575f5362f98c937758b20ff8512d6767a56208e)
Signed-off-by: Reinhard Tartler
---
 libavformat/utils.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/libavformat/utils.c b/libavformat/utils.c
index 7065b2f004..64a0b04ea0 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -514,7 +514,6 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
 for(probe_size= PROBE_BUF_MIN; probe_size<=max_probe_size && !*fmt; probe_size = FFMIN(probe_size<<1, FFMAX(max_probe_size, probe_size+1))) {
 int score = probe_size < max_probe_size ? AVPROBE_SCORE_MAX/4 : 0;
- int buf_offset = (probe_size == PROBE_BUF_MIN) ? 0 : probe_size>>1;
 if (probe_size < offset) {
 continue;
@@ -522,7 +521,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
 /* read probe data */
 buf = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE);
- if ((ret = avio_read(pb, buf + buf_offset, probe_size - buf_offset)) < 0) {
+ if ((ret = avio_read(pb, buf + pd.buf_size, probe_size - pd.buf_size)) < 0) {
 /* fail if error was not end of file, otherwise, lower score */
 if (ret != AVERROR_EOF) {
 av_free(buf);
From 36017d49e2f797f7371dc24848a2285ca63e39ab Mon Sep 17 00:00:00 2001
From: Reinhard Tartler
Date: Thu, 6 Feb 2014 23:26:33 -0500
Subject: [PATCH 7/7] Prepare for 0.8.11 Release
---
 RELEASE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/RELEASE b/RELEASE
index ef50561618..83ce05d72f 100644
--- a/RELEASE
+++ b/RELEASE
@@ -1 +1 @@
-0.8.10
+0.8.11
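Review bot: The new read into `buf + pd.buf_size` still sits directly after an unchecked `buf = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE);`, so on allocation failure buf becomes NULL, the previously probed bytes leak, and avio_read is handed a pointer derived from NULL. The usual shape is `void *tmp = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE); if (!tmp) { av_free(buf); return AVERROR(ENOMEM); } buf = tmp;`, with the error path aligned to the function's other failure returns, which are outside this hunk. The fix for CVE-2012-6618 also depends on pd.buf_size being advanced by the bytes read in earlier iterations before the next pass; that update is not visible here, so it is worth confirming against the rest of the loop. av_probe_input_buffer begins before the first hunk and continues after the second.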