Merge remote-tracking branch 'qatar/master'

* qatar/master:
  ttadec: unbreak playback of matroska files
  vorbisdec: avoid invalid memory access
  Fix uninitialized reads on malformed ogg files.
  huffyuv: add padding to classic (v1) huffman tables.
  png: convert to bytestream2 API.
  dca: include libavutil/mathematics.h for possibly missing M_SQRT1_2
  avs: fix infinite loop on end-of-stream.
  tiffdec: Prevent illegal memory access caused by recycled pointers.
  rtpenc: Fix the AVRational used for av_rescale_q_rnd
  wma: fix off-by-one in array bounds check.

Conflicts:
	libavcodec/huffyuv.c
	libavcodec/pngdec.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>

libavcodec/cavsdec.c

@@ -657,6 +657,7 @@ static int cavs_decode_frame(AVCodecContext * avctx,void *data, int *data_size,
         if (!s->low_delay && h->DPB[0].f.data[0]) {
             *data_size = sizeof(AVPicture);
             *picture = h->DPB[0].f;
+            memset(&h->DPB[0], 0, sizeof(h->DPB[0]));
         }
         return 0;
     }

libavcodec/dca.c

@@ -29,6 +29,7 @@
 #include "libavutil/common.h"
 #include "libavutil/intmath.h"
 #include "libavutil/intreadwrite.h"
+#include "libavutil/mathematics.h"
 #include "libavutil/audioconvert.h"
 #include "avcodec.h"
 #include "dsputil.h"

libavcodec/huffyuv.c

@@ -82,14 +82,16 @@ typedef struct HYuvContext{
     DSPContext dsp;
 }HYuvContext;
 
-static const unsigned char classic_shift_luma[] = {
+#define classic_shift_luma_table_size 42
+static const unsigned char classic_shift_luma[classic_shift_luma_table_size + FF_INPUT_BUFFER_PADDING_SIZE] = {
   34,36,35,69,135,232,9,16,10,24,11,23,12,16,13,10,14,8,15,8,
   16,8,17,20,16,10,207,206,205,236,11,8,10,21,9,23,8,8,199,70,
   69,68, 0,
   0,0,0,0,0,0,0,0,
 };
 
-static const unsigned char classic_shift_chroma[] = {
+#define classic_shift_chroma_table_size 59
+static const unsigned char classic_shift_chroma[classic_shift_chroma_table_size + FF_INPUT_BUFFER_PADDING_SIZE] = {
   66,36,37,38,39,40,41,75,76,77,110,239,144,81,82,83,84,85,118,183,
   56,57,88,89,56,89,154,57,58,57,26,141,57,56,58,57,58,57,184,119,
   214,245,116,83,82,49,80,79,78,77,44,75,41,40,39,38,37,36,34, 0,
@@ -396,10 +398,10 @@ static int read_old_huffman_tables(HYuvContext *s){
     GetBitContext gb;
     int i;
 
-    init_get_bits(&gb, classic_shift_luma, (sizeof(classic_shift_luma)-8)*8);
+    init_get_bits(&gb, classic_shift_luma, classic_shift_luma_table_size*8);
     if(read_len_table(s->len[0], &gb)<0)
         return -1;
-    init_get_bits(&gb, classic_shift_chroma, (sizeof(classic_shift_chroma)-8)*8);
+    init_get_bits(&gb, classic_shift_chroma, classic_shift_chroma_table_size*8);
     if(read_len_table(s->len[1], &gb)<0)
         return -1;
 

libavcodec/pngdec.c

@@ -38,9 +38,7 @@
 typedef struct PNGDecContext {
     PNGDSPContext dsp;
 
-    const uint8_t *bytestream;
-    const uint8_t *bytestream_start;
-    const uint8_t *bytestream_end;
+    GetByteContext gb;
     AVFrame picture1, picture2;
     AVFrame *current_picture, *last_picture;
 
@@ -360,12 +358,9 @@ static void png_handle_row(PNGDecContext *s)
 static int png_decode_idat(PNGDecContext *s, int length)
 {
     int ret;
-    s->zstream.avail_in = length;
-    s->zstream.next_in = s->bytestream;
-    s->bytestream += length;
-
-    if(s->bytestream > s->bytestream_end)
-        return -1;
+    s->zstream.avail_in = FFMIN(length, bytestream2_get_bytes_left(&s->gb));
+    s->zstream.next_in = s->gb.buffer;
+    bytestream2_skip(&s->gb, length);
 
     /* decode one line if possible */
     while (s->zstream.avail_in > 0) {
@@ -401,17 +396,15 @@ static int decode_frame(AVCodecContext *avctx,
     avctx->coded_frame= s->current_picture;
     p = s->current_picture;
 
-    s->bytestream_start=
-    s->bytestream= buf;
-    s->bytestream_end= buf + buf_size;
-
     /* check signature */
-    if (memcmp(s->bytestream, ff_pngsig, 8) != 0 &&
-        memcmp(s->bytestream, ff_mngsig, 8) != 0) {
+    if (buf_size < 8 ||
+        memcmp(buf, ff_pngsig, 8) != 0 &&
+        memcmp(buf, ff_mngsig, 8) != 0) {
         av_log(avctx, AV_LOG_ERROR, "Missing png signature\n");
         return -1;
     }
-    s->bytestream+= 8;
+
+    bytestream2_init(&s->gb, buf + 8, buf_size - 8);
     s->y=
     s->state=0;
 //    memset(s, 0, sizeof(PNGDecContext));
@@ -423,14 +416,13 @@ static int decode_frame(AVCodecContext *avctx,
     if (ret != Z_OK)
         return -1;
     for(;;) {
-        int tag32;
-        if (s->bytestream >= s->bytestream_end)
+        if (bytestream2_get_bytes_left(&s->gb) <= 0)
             goto fail;
-        length = bytestream_get_be32(&s->bytestream);
-        if (length > 0x7fffffff || length > s->bytestream_end - s->bytestream)
+
+        length = bytestream2_get_be32(&s->gb);
+        if (length > 0x7fffffff || length > bytestream2_get_bytes_left(&s->gb))
             goto fail;
-        tag32 = bytestream_get_be32(&s->bytestream);
-        tag = av_bswap32(tag32);
+        tag = bytestream2_get_le32(&s->gb);
         if (avctx->debug & FF_DEBUG_STARTCODE)
             av_log(avctx, AV_LOG_DEBUG, "png: tag=%c%c%c%c length=%u\n",
                 (tag & 0xff),
@@ -441,18 +433,18 @@ static int decode_frame(AVCodecContext *avctx,
         case MKTAG('I', 'H', 'D', 'R'):
             if (length != 13)
                 goto fail;
-            s->width = bytestream_get_be32(&s->bytestream);
-            s->height = bytestream_get_be32(&s->bytestream);
+            s->width  = bytestream2_get_be32(&s->gb);
+            s->height = bytestream2_get_be32(&s->gb);
             if(av_image_check_size(s->width, s->height, 0, avctx)){
                 s->width= s->height= 0;
                 goto fail;
             }
-            s->bit_depth = *s->bytestream++;
-            s->color_type = *s->bytestream++;
-            s->compression_type = *s->bytestream++;
-            s->filter_type = *s->bytestream++;
-            s->interlace_type = *s->bytestream++;
-            s->bytestream += 4; /* crc */
+            s->bit_depth        = bytestream2_get_byte(&s->gb);
+            s->color_type       = bytestream2_get_byte(&s->gb);
+            s->compression_type = bytestream2_get_byte(&s->gb);
+            s->filter_type      = bytestream2_get_byte(&s->gb);
+            s->interlace_type   = bytestream2_get_byte(&s->gb);
+            bytestream2_skip(&s->gb, 4); /* crc */
             s->state |= PNG_IHDR;
             if (avctx->debug & FF_DEBUG_PICT_INFO)
                 av_log(avctx, AV_LOG_DEBUG, "width=%d height=%d depth=%d color_type=%d compression_type=%d filter_type=%d interlace_type=%d\n",
@@ -555,7 +547,7 @@ static int decode_frame(AVCodecContext *avctx,
             s->state |= PNG_IDAT;
             if (png_decode_idat(s, length) < 0)
                 goto fail;
-            s->bytestream += 4; /* crc */
+            bytestream2_skip(&s->gb, 4); /* crc */
             break;
         case MKTAG('P', 'L', 'T', 'E'):
             {
@@ -566,16 +558,16 @@ static int decode_frame(AVCodecContext *avctx,
                 /* read the palette */
                 n = length / 3;
                 for(i=0;i<n;i++) {
-                    r = *s->bytestream++;
-                    g = *s->bytestream++;
-                    b = *s->bytestream++;
+                    r = bytestream2_get_byte(&s->gb);
+                    g = bytestream2_get_byte(&s->gb);
+                    b = bytestream2_get_byte(&s->gb);
                     s->palette[i] = (0xff << 24) | (r << 16) | (g << 8) | b;
                 }
                 for(;i<256;i++) {
                     s->palette[i] = (0xff << 24);
                 }
                 s->state |= PNG_PLTE;
-                s->bytestream += 4; /* crc */
+                bytestream2_skip(&s->gb, 4); /* crc */
             }
             break;
         case MKTAG('t', 'R', 'N', 'S'):
@@ -588,21 +580,21 @@ static int decode_frame(AVCodecContext *avctx,
                     !(s->state & PNG_PLTE))
                     goto skip_tag;
                 for(i=0;i<length;i++) {
-                    v = *s->bytestream++;
+                    v = bytestream2_get_byte(&s->gb);
                     s->palette[i] = (s->palette[i] & 0x00ffffff) | (v << 24);
                 }
-                s->bytestream += 4; /* crc */
+                bytestream2_skip(&s->gb, 4); /* crc */
             }
             break;
         case MKTAG('I', 'E', 'N', 'D'):
             if (!(s->state & PNG_ALLIMAGE))
                 goto fail;
-            s->bytestream += 4; /* crc */
+            bytestream2_skip(&s->gb, 4); /* crc */
             goto exit_loop;
         default:
             /* skip tag */
         skip_tag:
-            s->bytestream += length + 4;
+            bytestream2_skip(&s->gb, length + 4);
             break;
         }
     }
@@ -686,7 +678,7 @@ static int decode_frame(AVCodecContext *avctx,
     *picture= *s->current_picture;
     *data_size = sizeof(AVFrame);
 
-    ret = s->bytestream - s->bytestream_start;
+    ret = bytestream2_tell(&s->gb);
  the_end:
     inflateEnd(&s->zstream);
     av_free(crow_buf_base);

libavcodec/tiff.c

@@ -606,6 +606,8 @@ static int decode_frame(AVCodecContext *avctx,
         av_log(avctx, AV_LOG_ERROR, "The answer to life, universe and everything is not correct!\n");
         return -1;
     }
+    // Reset these pointers so we can tell if they were set this frame
+    s->stripsizes = s->stripdata = NULL;
     /* parse image file directory */
     off = tget_long(&buf, le);
     if (off >= UINT_MAX - 14 || end_buf - orig_buf < off + 14) {

libavcodec/tta.c

@@ -218,8 +218,7 @@ static av_cold int tta_decode_init(AVCodecContext * avctx)
     {
         if (avctx->err_recognition & AV_EF_CRCCHECK) {
             s->crc_table = av_crc_get_table(AV_CRC_32_IEEE_LE);
-            if (tta_check_crc(s, avctx->extradata, 18))
-                return AVERROR_INVALIDDATA;
+            tta_check_crc(s, avctx->extradata, 18);
         }
 
         /* signature */

libavcodec/vorbisdec.c

@@ -1593,6 +1593,9 @@ static int vorbis_parse_audio_packet(vorbis_context *vc)
         ch_left -= ch;
     }
 
+    if (ch_left > 0)
+        return AVERROR_INVALIDDATA;
+
 // Inverse coupling
 
     for (i = mapping->coupling_steps - 1; i >= 0; --i) { //warning: i has to be signed

libavformat/oggdec.c

@@ -69,8 +69,7 @@ static int ogg_save(AVFormatContext *s)
 
     for (i = 0; i < ogg->nstreams; i++){
         struct ogg_stream *os = ogg->streams + i;
-        os->buf = av_malloc (os->bufsize);
-        memset (os->buf, 0, os->bufsize);
+        os->buf = av_mallocz (os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
         memcpy (os->buf, ost->streams[i].buf, os->bufpos);
     }
 
@@ -167,7 +166,7 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t serial, int new_avstream)
     os = ogg->streams + idx;
     os->serial = serial;
     os->bufsize = DECODER_BUFFER_SIZE;
-    os->buf = av_malloc(os->bufsize);
+    os->buf = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
     os->header = -1;
 
     if (new_avstream) {
@@ -185,7 +184,7 @@ static int ogg_new_stream(AVFormatContext *s, uint32_t serial, int new_avstream)
 static int ogg_new_buf(struct ogg *ogg, int idx)
 {
     struct ogg_stream *os = ogg->streams + idx;
-    uint8_t *nb = av_malloc(os->bufsize);
+    uint8_t *nb = av_malloc(os->bufsize + FF_INPUT_BUFFER_PADDING_SIZE);
     int size = os->bufpos - os->pstart;
     if(os->buf){
         memcpy(nb, os->buf + os->pstart, size);
@@ -299,7 +298,7 @@ static int ogg_read_page(AVFormatContext *s, int *str)
     }
 
     if (os->bufsize - os->bufpos < size){
-        uint8_t *nb = av_malloc (os->bufsize *= 2);
+        uint8_t *nb = av_malloc ((os->bufsize *= 2) + FF_INPUT_BUFFER_PADDING_SIZE);
         memcpy (nb, os->buf, os->bufpos);
         av_free (os->buf);
         os->buf = nb;
@@ -313,6 +312,7 @@ static int ogg_read_page(AVFormatContext *s, int *str)
     os->granule = gp;
     os->flags = flags;
 
+    memset(os->buf + os->bufpos, 0, FF_INPUT_BUFFER_PADDING_SIZE);
     if (str)
         *str = idx;
 

libavformat/rtpenc.c

@@ -138,7 +138,7 @@ static int rtp_write_header(AVFormatContext *s1)
                 s->max_frames_per_packet =
                         av_rescale_q_rnd(s1->max_delay,
                                          AV_TIME_BASE_Q,
-                                         (AVRational){ frame_size / st->codec->sample_rate },
+                                         (AVRational){ frame_size, st->codec->sample_rate },
                                          AV_ROUND_DOWN);
             }
         }