From bd508d435b94584db460c684e30ea7ce180cf50f Mon Sep 17 00:00:00 2001
From: "Ronald S. Bultje"
Date: Wed, 28 Mar 2012 11:53:13 -0700
Subject: [PATCH 1/6] truemotion2: convert packet header reading to bytestream2.
Also use correct buffer sizes in calls to tm2_read_stream(). Together, this prevents overreads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
---
libavcodec/truemotion2.c | 54 +++++++++++++++++++++++-----------------
1 file changed, 31 insertions(+), 23 deletions(-)
diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c
index 97feaf1f37..a2170fcfb2 100644
--- a/libavcodec/truemotion2.c
+++ b/libavcodec/truemotion2.c
@@ -25,6 +25,7 @@
 */
 #include "avcodec.h"
+#include "bytestream.h"
 #include "get_bits.h"
 #include "dsputil.h"
@@ -248,13 +249,14 @@ static int tm2_read_deltas(TM2Context *ctx, int stream_id) {
 static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, int buf_size) {
 int i;
- int cur = 0;
 int skip = 0;
- int len, toks;
+ int len, toks, pos;
 TM2Codes codes;
+ GetByteContext gb;
 /* get stream length in dwords */
- len = AV_RB32(buf); buf += 4; cur += 4;
+ bytestream2_init(&gb, buf, buf_size);
+ len = bytestream2_get_be32(&gb);
 skip = len * 4 + 4;
 if(len == 0)
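Review bot: `skip = len * 4 + 4` multiplies the raw 32-bit stream length before it has been range-checked, so a hostile len overflows signed int (undefined behaviour) even if the check whose `return -1; }` opens the next hunk rejects the value afterwards (that check's condition sits between the hunks and is not visible here); move the multiplication below that check, or guard it first with `if (len < 0 || len > (INT_MAX - 4) / 4) return -1;`. That skip is then the only bound on the `init_get_bits(&ctx->gb, buf + pos, (skip - pos) * 8)` windows in this function (the next two hunks): the GetByteContext is limited by buf_size, but the GetBitContext is limited by a length the stream itself supplies, so unless the unseen check also rejects `skip > buf_size`, the bit reader can still run past the packet. Note too that bytestream2_get_be32() yields 0 instead of failing when fewer than 4 bytes remain, so a truncated header degrades into len/toks of 0 rather than an error; an explicit `if (skip > buf_size) return -1;` right after computing skip would close both gaps. tm2_read_stream continues beyond the end of this hunk.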
@@ -265,36 +267,37 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i
 return -1;
 }
- toks = AV_RB32(buf); buf += 4; cur += 4;
+ toks = bytestream2_get_be32(&gb);
 if(toks & 1) {
- len = AV_RB32(buf); buf += 4; cur += 4;
+ len = bytestream2_get_be32(&gb);
 if(len == TM2_ESCAPE) {
- len = AV_RB32(buf); buf += 4; cur += 4;
+ len = bytestream2_get_be32(&gb);
 }
 if(len > 0) {
- if (skip <= cur)
+ pos = bytestream2_tell(&gb);
+ if (skip <= pos)
 return -1;
- init_get_bits(&ctx->gb, buf, (skip - cur) * 8);
+ init_get_bits(&ctx->gb, buf + pos, (skip - pos) * 8);
 if(tm2_read_deltas(ctx, stream_id) == -1)
 return -1;
- buf += ((get_bits_count(&ctx->gb) + 31) >> 5) << 2;
- cur += ((get_bits_count(&ctx->gb) + 31) >> 5) << 2;
+ bytestream2_skip(&gb, ((get_bits_count(&ctx->gb) + 31) >> 5) << 2);
 }
 }
 /* skip unused fields */
- if(AV_RB32(buf) == TM2_ESCAPE) {
- buf += 4; cur += 4; /* some unknown length - could be escaped too */
+ len = bytestream2_get_be32(&gb);
+ if(len == TM2_ESCAPE) { /* some unknown length - could be escaped too */
+ bytestream2_skip(&gb, 8); /* unused by decoder */
+ } else {
+ bytestream2_skip(&gb, 4); /* unused by decoder */
 }
- buf += 4; cur += 4;
- buf += 4; cur += 4; /* unused by decoder */
- if (skip <= cur)
+ pos = bytestream2_tell(&gb);
+ if (skip <= pos)
 return -1;
- init_get_bits(&ctx->gb, buf, (skip - cur) * 8);
+ init_get_bits(&ctx->gb, buf + pos, (skip - pos) * 8);
 if(tm2_build_huff_table(ctx, &codes) == -1)
 return -1;
- buf += ((get_bits_count(&ctx->gb) + 31) >> 5) << 2;
- cur += ((get_bits_count(&ctx->gb) + 31) >> 5) << 2;
+ bytestream2_skip(&gb, ((get_bits_count(&ctx->gb) + 31) >> 5) << 2);
 toks >>= 1;
 /* check if we have sane number of tokens */
@@ -305,11 +308,12 @@ static int tm2_read_stream(TM2Context *ctx, const uint8_t *buf, int stream_id, i
 }
 ctx->tokens[stream_id] = av_realloc(ctx->tokens[stream_id], toks * sizeof(int));
 ctx->tok_lens[stream_id] = toks;
- len = AV_RB32(buf); buf += 4; cur += 4;
+ len = bytestream2_get_be32(&gb);
 if(len > 0) {
- if (skip <= cur)
+ pos = bytestream2_tell(&gb);
+ if (skip <= pos)
 return -1;
- init_get_bits(&ctx->gb, buf, (skip - cur) * 8);
+ init_get_bits(&ctx->gb, buf + pos, (skip - pos) * 8);
 for(i = 0; i < toks; i++) {
 if (get_bits_left(&ctx->gb) <= 0) {
 av_log(ctx->avctx, AV_LOG_ERROR, "Incorrect number of tokens: %i\n", toks);
@@ -762,7 +766,7 @@ static int decode_frame(AVCodecContext *avctx,
 AVPacket *avpkt)
 {
 const uint8_t *buf = avpkt->data;
- int buf_size = avpkt->size;
+ int buf_size = avpkt->size & ~3;
 TM2Context * const l = avctx->priv_data;
 AVFrame * const p = &l->pic;
 int i, skip, t;
@@ -790,7 +794,11 @@ static int decode_frame(AVCodecContext *avctx,
 }
 for(i = 0; i < TM2_NUM_STREAMS; i++){
- t = tm2_read_stream(l, swbuf + skip, tm2_stream_order[i], buf_size);
+ if (skip >= buf_size) {
+ av_free(swbuf);
+ return AVERROR_INVALIDDATA;
+ }
+ t = tm2_read_stream(l, swbuf + skip, tm2_stream_order[i], buf_size - skip);
 if(t == -1){
 av_free(swbuf);
 return -1;
From 63a1b481f62e2611aaeac0f1edc3496eebe644ab Mon Sep 17 00:00:00 2001
From: "Ronald S. Bultje"
Date: Wed, 28 Mar 2012 16:32:27 -0700
Subject: [PATCH 2/6] h264: fix cabac-on-stack after safe cabac reader.
---
libavcodec/h264_cabac.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c
index 2ee4bc01a8..8b42f040ce 100644
--- a/libavcodec/h264_cabac.c
+++ b/libavcodec/h264_cabac.c
@@ -1630,6 +1630,7 @@ decode_cabac_residual_internal(H264Context *h, DCTELEM *block,
 cc.range = h->cabac.range;
 cc.low = h->cabac.low;
 cc.bytestream= h->cabac.bytestream;
+ cc.bytestream_end = h->cabac.bytestream_end;
 #else
 #define CC &h->cabac
 #endif
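Review bot: `int buf_size = avpkt->size & ~3;` quietly drops up to three trailing bytes of the packet, and nothing in the hunk says why; a comment such as `/* the streams are parsed in whole dwords; a trailing partial dword is ignored */` would stop the next reader from restoring plain `avpkt->size`. A packet shorter than four bytes now yields buf_size == 0, which the `skip >= buf_size` test added in the next hunk rejects before tm2_read_stream runs, but whatever consumes buf_size between the two hunks (the header parse and swbuf setup are not shown) would need to tolerate 0 as well. decode_frame continues outside the hunk.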
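Review bot: the new early exit returns AVERROR_INVALIDDATA while the failure path three lines below, `if(t == -1){ ... return -1;`, reports the same class of problem with -1, so one loop now hands callers two different codes for corrupt input; returning `AVERROR_INVALIDDATA` from both branches (or -1 from both, to match the rest of the file) keeps them consistent. The check bounds every iteration only if skip is advanced by t after the lines shown, which is presumably the case but lies outside the hunk. decode_frame continues outside the hunk.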
From 28e8c4d59a7c1a7b2b3b3a2e499b3e67fed1844b Mon Sep 17 00:00:00 2001
From: Mashiat Sarker Shakkhar
Date: Wed, 28 Mar 2012 11:12:13 -0700
Subject: [PATCH 3/6] WMAL: Remove inaccurate and unnecessary doxy
A call to decode_packet() does not always decode a complete WMA packet. Moreover, this is not the correct place to document calls that are part of the public API.
Signed-off-by: Diego Biurrun
---
libavcodec/wmalosslessdec.c | 8 --------
1 file changed, 8 deletions(-)
diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c
index 3ee6285d79..4eb9ebecea 100644
--- a/libavcodec/wmalosslessdec.c
+++ b/libavcodec/wmalosslessdec.c
@@ -1153,14 +1153,6 @@ static void save_bits(WmallDecodeCtx *s, GetBitContext* gb, int len,
 skip_bits(&s->gb, s->frame_offset);
 }
-/**
- * @brief Decode a single WMA packet.
- * @param avctx codec context
- * @param data the output buffer
- * @param data_size number of bytes that were written to the output buffer
- * @param avpkt input packet
- * @return number of bytes that were read from the input buffer
- */
 static int decode_packet(AVCodecContext *avctx, void *data,
 int *got_frame_ptr, AVPacket* avpkt)
 {
From ddcf67c8a51c67b122a826d8b5819e96d591d813 Mon Sep 17 00:00:00 2001
From: "Ronald S. Bultje"
Date: Wed, 28 Mar 2012 17:06:00 -0700
Subject: [PATCH 4/6] lzw: prevent buffer overreads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
---
libavcodec/lzw.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/libavcodec/lzw.c b/libavcodec/lzw.c
index 873b31445b..b674d4e296 100644
--- a/libavcodec/lzw.c
+++ b/libavcodec/lzw.c
@@ -101,9 +101,14 @@ void ff_lzw_decode_tail(LZWState *p)
 struct LZWState *s = (struct LZWState *)p;
 if(s->mode == FF_LZW_GIF) {
- while(s->pbuf < s->ebuf && s->bs>0){
- s->pbuf += s->bs;
- s->bs = *s->pbuf++;
+ while (s->bs > 0) {
+ if (s->pbuf + s->bs >= s->ebuf) {
+ s->pbuf = s->ebuf;
+ break;
+ } else {
+ s->pbuf += s->bs;
+ s->bs = *s->pbuf++;
+ }
 }
 }else
 s->pbuf= s->ebuf;
From f704eb612b3333a589d83741e07bfbdf1cffb8cb Mon Sep 17 00:00:00 2001
From: Kostya Shishkov
Date: Thu, 29 Mar 2012 12:07:35 +0200
Subject: [PATCH 5/6] id3v2: add another mimetype for JPEG image
---
libavformat/id3v2.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c
index 13e5997259..9488fd856d 100644
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -114,6 +114,7 @@ const char *ff_id3v2_picture_types[21] = {
 const CodecMime ff_id3v2_mime_tags[] = {
 {"image/gif" , CODEC_ID_GIF},
 {"image/jpeg", CODEC_ID_MJPEG},
+ {"image/jpg", CODEC_ID_MJPEG},
 {"image/png" , CODEC_ID_PNG},
 {"image/tiff", CODEC_ID_TIFF},
 {"", CODEC_ID_NONE},
From a05c41acd1e2dc0b7f6d82fa5ecbf7b8b5514ebc Mon Sep 17 00:00:00 2001
From: Kostya Shishkov
Date: Thu, 29 Mar 2012 12:08:07 +0200
Subject: [PATCH 6/6] mp3dec: perform I/S and M/S only when frame mode is joint stereo.
Looks like some LAME versions produce dual stereo mode MP3s with flags for intensity and middle stereo set. In this mode those flags should be ignored like the reference decoder and derived ones do.
---
libavcodec/mpegaudiodec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c
index 6ed124b5f1..0ab87e1a96 100644
--- a/libavcodec/mpegaudiodec.c
+++ b/libavcodec/mpegaudiodec.c
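Review bot: `if (s->pbuf + s->bs >= s->ebuf)` forms a pointer past the end of the buffer before comparing it, which is undefined behaviour in C once `pbuf + bs` goes beyond one-past-the-end, and that is precisely the case the branch exists to catch; comparing the remaining length instead stays inside the object and is equivalent because pbuf never exceeds ebuf here: `if (s->bs >= s->ebuf - s->pbuf) {`. The `else` after `break;` is redundant and dropping it unindents the common path. ff_lzw_decode_tail's signature is in the hunk header and its closing brace lies after the hunk.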
@@ -1533,7 +1533,7 @@ static int mp_decode_layer3(MPADecodeContext *s)
 huffman_decode(s, g, exponents, bits_pos + g->part2_3_length);
 } /* ch */
- if (s->nb_channels == 2)
+ if (s->mode == MPA_JSTEREO)
 compute_stereo(s, &s->granules[0][gr], &s->granules[1][gr]);
 for (ch = 0; ch < s->nb_channels; ch++) {
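Review bot: the new condition `if (s->mode == MPA_JSTEREO)` carries no comment, so the reason for testing the header mode instead of the channel count (the LAME quirk described only in the commit message) is lost to the next reader and invites a revert; add `/* I/S and M/S flags are only meaningful in joint stereo; some LAME builds set them in plain stereo frames, where the reference decoder ignores them */` on the line. The call still indexes granules[1], so the change relies on MPA_JSTEREO implying two channels, which holds for MPEG audio headers but is worth stating in that comment. mp_decode_layer3 continues on both sides of the hunk.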