Fixes vlc decoding for hypothetical files that would contain such cases.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0dfc01c2bb)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5ff41ffeb4)

Conflicts:

	libavcodec/huffyuv.c
(cherry picked from commit 9bc70fe1ae)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Prevents out of array writes

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f67a0d1152)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 95ab8d33e1)

Conflicts:

	libavcodec/huffyuv.c
(cherry picked from commit 277def59fc)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

* qatar/release/0.5:
  lavfi: avfilter_merge_formats: handle case where inputs are same
  mpegvideo: Don't use ff_mspel_motion() for vc1
  imgconvert: avoid undefined left shift in avcodec_find_best_pix_fmt
  nuv: check RTjpeg header for validity
  vc1dec: add flush function for WMV9 and VC-1 decoders

Merged-by: Michael Niedermayer <michaelni@gmx.at>

This fixes a double-free crash if lists are the same due to the two
merge_ref() calls at the end of the (useless) merging that happens.

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 11b6a82412)

Conflicts:

	libavfilter/formats.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit e5f4e24942)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit b6c5848a1f)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit a4e277312c)

Signed-off-by: Anton Khirnov <anton@khirnov.net>

Using ff_mspel_motion assumes that s (a MpegEncContext
poiinter) really is a Wmv2Context.

This fixes crashes in error resilience on vc1/wmv3 videos.

CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 18f2d5cb9c)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit da0c457663)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 899d95efe1)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit c82ae85a8a)

Conflicts:
	libavcodec/mpegvideo_common.h

Signed-off-by: Anton Khirnov <anton@khirnov.net>

CC: libav-stable@libav.org
(cherry picked from commit 39bb27bf79)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 7a7229b52d)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 8812b5f164)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit fd7426ed89)

Signed-off-by: Anton Khirnov <anton@khirnov.net>

CC: libav-stable@libav.org
(cherry picked from commit 859a579e9b)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 6704522ca9)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit f31170d4e7)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 459feb7cce)

Signed-off-by: Anton Khirnov <anton@khirnov.net>

CC: libav-stable@libav.org
(cherry picked from commit 4dc8c8386e)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 02b7239462)

Conflicts:
	libavcodec/vc1dec.c

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 0173a7966b)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit aa41212767)

Conflicts:
	libavcodec/vc1dec.c

Signed-off-by: Anton Khirnov <anton@khirnov.net>

(cherry picked from commit 7923490712)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Fixes null ptr deref
Fixes Ticket1367

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f23a2418fb)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit fd4c1c0b70)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

* qatar/release/0.5:
  Release notes for 0.5.9
  Update changelog for 0.5.9 release

Conflicts:
	RELEASE

Merged-by: Michael Niedermayer <michaelni@gmx.at>

Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>

* qatar/release/0.5:
  Bump version number for 0.5.9 release.
  png: check bit depth for PAL8/Y400A pixel formats.
  tqi: Pass errors from the MB decoder
  eatqi: move "block" variable into context to ensure sufficient alignment for idct_put for compilers/architectures that can not align stack variables that much. This is also consistent with similar code in eatgq.c
  ea: check chunk_size for validity.
  vfwcap: Include windows.h before vfw.h since the latter requires defines from the former. Patch by kemuri <kemuri9 at gmail dot com>
  mingw32: merge checks for mingw-w64 and mingw32-runtime >= 3.15 into one
  mingw32: properly check if vfw capture is supported by the system headers
  Replace every usage of -lvfw32 with what is particularly necessary for that case: Avisynth -> -lavifil32 VFW Cap -> -lavicap32 Patch by kemuri <kemuri9 at gmail dot com>
  configure: properly check for mingw-w64 through installed headers. mingw-w64 can also target 32-bit code.
  qdm2: clip array indices returned by qdm2_get_vlc().
  kmvc: Check palsize.
  adpcm: ADPCM Electronic Arts has always two channels
  h264: Add check for invalid chroma_format_idc
  dpcm: ignore extra unpaired bytes in stereo streams.

Merged-by: Michael Niedermayer <michaelni@gmx.at>

Wrong bit depth can lead to invalid rowsize values, which crashes the
decoder further down.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit d2205d6543)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit b8d6ba9d50)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 33f93005f1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 4c8c2660bd)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Conflicts:

	libavcodec/pngdec.c

This silences some valgrind warnings.
CC: libav-stable@libav.org

Fixes second half of http://ffmpeg.org/trac/ffmpeg/ticket/794
Bug found by: Oana Stratulat

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f85334f58e)
(cherry picked from commit 90290a5150)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 5872580e65)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 2f2fd8c6d1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c3edce4270)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

idct_put for compilers/architectures that can not align stack variables that much.
This is also consistent with similar code in eatgq.c

Originally committed as revision 18927 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 1eda87ce63)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 273e6af47b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6a86b705e1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit e74bc64dd3)

Conflicts:

	libavformat/electronicarts.c
(cherry picked from commit 38c45adfca)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Originally committed as revision 21411 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 420755dd28)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>

Originally committed as revision 24204 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit e26011d0f4)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>

Remove check for an specific w32api version, checking instead if vfw.h
supports vfw capture. The defines in w32api 3.12 were wrong, so this must be
accounted for in the check.

Originally committed as revision 24203 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit ec1ee802a2)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>

Conflicts:

	configure

Originally committed as revision 21410 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit a1b3c5a377)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>

Conflicts:

	configure

Originally committed as revision 24156 to svn://svn.ffmpeg.org/ffmpeg/trunk
(cherry picked from commit 0a4307d630)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>

Prevents subsequent overreads when these numbers are used as indices
in arrays.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org

Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit 64953f67f9)
Signed-off-by: Derek Buitenhuis <derek.buitenhuis@gmail.com>

Conflicts:

	libavcodec/qdm2.c

Fixes: CVE-2011-3952

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Based on fix by Michael Niedermayer
(cherry picked from commit 386741f887)
(cherry picked from commit 416849f2e0)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit e7392dc349)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Fixes half of http://ffmpeg.org/trac/ffmpeg/ticket/794
Adresses CVE-2012-0852

(cherry picked from commit bb5b3940b0)

Conflicts:

	libavcodec/adpcm.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit b581580bd1)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit a0f58c3a60)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Fixes a crash when FF_DEBUG_PICT_INFO is used.

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 6ef4063957)

Fixes: CVE-2012-0851

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 4713234518)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c5f7c755cf)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 00d2c43258)

Fixes: CVE-2011-3951

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit ce7aee9b73)
(cherry picked from commit eaeaeb265f)

Conflicts:

	libavcodec/dpcm.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 1ce9c93198)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 41f1f146c9)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Fixes Ticket1068

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 73089eccd3)

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0c97fd336e)

Fixes out of array read

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ec3cd74f2d)

Fixes over reading the header array

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 474e31c904)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

* qatar/release/0.5:
  Bump version number for 0.5.8 release.
  Release notes and changelog for 0.5.7
  vqavideo: return error if image size is not a multiple of block size
  motionpixels: Clip YUV values after applying a gradient.
  mjpegbdec: Fix overflow in SOS.
  atrac3: Fix crash in tonal component decoding.
  dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936.
  dv: Fix null pointer dereference due to ach=0
  dv: check stype
  nsvdec: Propagate errors
  nsvdec: Be more careful with av_malloc().
  nsvdec: Fix use of uninitialized streams.

Conflicts:
	libavcodec/atrac3.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>

The decoder assumes in various places that the image size
is a multiple of the block size, and there is no obvious
way to support odd sizes.  Bailing out early if the header
specifies a bad size avoids various errors later on.

Fixes CVE-2012-0947.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 58b2e0f0f2)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit d5207e2af8)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c71c77e56f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit c90da45d5a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Prevents illegal reads on truncated and malformed input.

CC: libav-stable@libav.org
(cherry picked from commit b5da848fac)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit aaa6a66677)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 50073e2395)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 2134e7f6e8)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Based in part by a fix from Michael Niedermayer <michaelni@gmx.at>

Fixes CVE-2011-3947

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit b57d262412)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 083a8a0037)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6ae95a0b93)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 6ca010f209)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Add a check to avoid writing past the end of the channel_unit.components[]
array.

Bug Found by: cosminamironesei
Fixes CVE-2012-0853
CC: libav-stable@libav.org

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Justin Ruggles <justin.ruggles@gmail.com>
(cherry picked from commit c509f4f747)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f43b6e2b1e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit f728ad26f0)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 224025d852)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Found with asan.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 2d1c0dea5f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 00fa6ffe1a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit a8f4db0acd)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

dv: Fix null pointer dereference due to ach=0

Fixes part2 of CVE-2011-3929

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 5a396bb3a6)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 44e182d41e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit b46141b0d1)

Conflicts:

	libavformat/dv.c

dv: check stype

Fixes part1 of CVE-2011-3929
Possibly fixes part of CVE-2011-3936

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 635bcfccd4)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit bb737d381f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 38421f27b3)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Related to CVE-2011-3940.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit c898431ca5)

Conflicts:

	libavformat/nsvdec.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 0100c4b1b0)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 3253dd2b42)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Check results for av_malloc() and fix an overflow in one call.

Related to CVE-2011-3940.

Based in part on work from Michael Niedermayer.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 8fd8a48263)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit be524c186b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 87007519c8)

Conflicts:

	libavformat/nsvdec.c

Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write)

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5c011706bc)

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 6a89b41d97)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 65beb8c117)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 1edf848a81)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

* qatar/release/0.5:
  id3v2: fix skipping extended header in id3v2.4

Merged-by: Michael Niedermayer <michaelni@gmx.at>