Merge branch 'release/0.8' into release/0.7

* release/0.8: (21 commits)
  rtp: Fix integer underflow that could allow remote code execution.
  cavsdec: avoid possible crash with crafted input
  vf_scale: apply the same transform to the aspect during init that is applied per frame
  Fix memory corruption in case of memory allocation failure in av_probe_input_buffer()
  Make all option parsing functions match the function pointer type through which they are called.
  mjpegdec; even better RSTn skiping Fixes Ticket426
  jpegdec: better rst skiping Fixes Ticket426
  mpeg4: fix another packed divx issue. Fixes getting_stuck.avi
  mpeg4: adjust dummy frame threashold for packed divx. Fixes Ticket427
  configure: add missing CFLAGS to fix building on the HURD
  cavs: fix some crashes with invalid bitstreams
  jpegdec: actually search for and parse RSTn
  Fix compilation with --disable-avfilter. (cherry picked from commit 67a8251690)
  libavfilter: fix --enable-small
  0.8.2
  cavs: fix oCERT #2011-002 FFmpeg/libavcodec insufficient boundary check
  Fix possible crash when decoding mpeg streams.
  Bink: clip AC coefficients during dequantization.
  ffmpeg: fix passlogfile regression
  Fix several security issues in matroskadec.c (MSVR-11-0080).
  ...

Conflicts:
	Doxyfile
	RELEASE
	VERSION

Merged-by: Michael Niedermayer <michaelni@gmx.at>

VERSION

@@ -1 +1,2 @@
 0.7.3
+

configure

@@ -2537,6 +2537,7 @@ case $target_os in
         add_cppflags -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600 -D_BSD_SOURCE
         ;;
     gnu)
+        add_cppflags -D_POSIX_C_SOURCE=200112 -D_XOPEN_SOURCE=600
         ;;
     qnx)
         add_cppflags -D_QNX_SOURCE

libavcodec/cavsdec.c

@@ -125,6 +125,8 @@ static int decode_residual_block(AVSContext *h, GetBitContext *gb,
         level_code = get_ue_code(gb,r->golomb_order);
         if(level_code >= ESCAPE_CODE) {
             run = ((level_code - ESCAPE_CODE) >> 1) + 1;
+            if(run > 64)
+                return -1;
             esc_code = get_ue_code(gb,esc_golomb_order);
             level = esc_code + (run > r->max_run ? 1 : r->level_add[run]);
             while(level > r->inc_limit)
@@ -164,7 +166,7 @@ static inline int decode_residual_inter(AVSContext *h) {
 
     /* get coded block pattern */
     int cbp= get_ue_golomb(&h->s.gb);
-    if(cbp > 63){
+    if(cbp > 63U){
         av_log(h->s.avctx, AV_LOG_ERROR, "illegal inter cbp\n");
         return -1;
     }
@@ -190,7 +192,8 @@ static inline int decode_residual_inter(AVSContext *h) {
 
 static int decode_mb_i(AVSContext *h, int cbp_code) {
     GetBitContext *gb = &h->s.gb;
-    int block, pred_mode_uv;
+    unsigned pred_mode_uv;
+    int block;
     uint8_t top[18];
     uint8_t *left = NULL;
     uint8_t *d;
@@ -223,7 +226,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code) {
     /* get coded block pattern */
     if(h->pic_type == AV_PICTURE_TYPE_I)
         cbp_code = get_ue_golomb(gb);
-    if(cbp_code > 63){
+    if(cbp_code > 63U){
         av_log(h->s.avctx, AV_LOG_ERROR, "illegal intra cbp\n");
         return -1;
     }
@@ -446,6 +449,8 @@ static inline int check_for_slice(AVSContext *h) {
     if((show_bits_long(gb,24+align) & 0xFFFFFF) == 0x000001) {
         skip_bits_long(gb,24+align);
         h->stc = get_bits(gb,8);
+        if (h->stc >= h->mb_height)
+            return 0;
         decode_slice_header(h,gb);
         return 1;
     }
@@ -660,7 +665,7 @@ static int cavs_decode_frame(AVCodecContext * avctx,void *data, int *data_size,
     buf_end = buf + buf_size;
     for(;;) {
         buf_ptr = ff_find_start_code(buf_ptr,buf_end, &stc);
-        if(stc & 0xFFFFFE00)
+        if((stc & 0xFFFFFE00) || buf_ptr == buf_end)
             return FFMAX(0, buf_ptr - buf - s->parse_context.last_index);
         input_size = (buf_end - buf_ptr)*8;
         switch(stc) {

libavfilter/vf_scale.c

@@ -232,6 +232,11 @@ static int config_props(AVFilterLink *outlink)
     if (!scale->sws)
         return AVERROR(EINVAL);
 
+    if (inlink->sample_aspect_ratio.num){
+        outlink->sample_aspect_ratio = av_mul_q((AVRational){outlink->h * inlink->w, outlink->w * inlink->h}, inlink->sample_aspect_ratio);
+    } else
+        outlink->sample_aspect_ratio = inlink->sample_aspect_ratio;
+
     return 0;
 
 fail:

libavformat/rtpdec_asf.c

@@ -235,6 +235,8 @@ static int asfrtp_parse_packet(AVFormatContext *s, PayloadContext *asf,
                 int prev_len = out_len;
                 out_len += cur_len;
                 asf->buf = av_realloc(asf->buf, out_len);
+                if(!asf->buf || FFMIN(cur_len, len - off)<0)
+                    return -1;
                 memcpy(asf->buf + prev_len, buf + off,
                        FFMIN(cur_len, len - off));
                 avio_skip(pb, cur_len);

libavformat/utils.c

@@ -596,13 +596,19 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
         probe_size = FFMIN(probe_size<<1, FFMAX(max_probe_size, probe_size+1))) {
         int ret, score = probe_size < max_probe_size ? AVPROBE_SCORE_MAX/4 : 0;
         int buf_offset = (probe_size == PROBE_BUF_MIN) ? 0 : probe_size>>1;
+        void *buftmp;
 
         if (probe_size < offset) {
             continue;
         }
 
         /* read probe data */
-        buf = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE);
+        buftmp = av_realloc(buf, probe_size + AVPROBE_PADDING_SIZE);
+        if(!buftmp){
+            av_free(buf);
+            return AVERROR(ENOMEM);
+        }
+        buf=buftmp;
         if ((ret = avio_read(pb, buf + buf_offset, probe_size - buf_offset)) < 0) {
             /* fail if error was not end of file, otherwise, lower score */
             if (ret != AVERROR_EOF) {