Also adds forgotten Changelog entry.

Fixes CVE-2012-2782.

Since we can't know which stride a custom get_buffer() implementation is
going to use we have to allocate this scratch buffers after the linesize
is known. It was pretty safe for 8 bit per pixel pixel formats since we
always allocated memory for up to 16 bits per pixel. It broke hoever
with cmdutis.c's alloc_buffer() and high pixel bit depth since it
allocated larger edges than mpegvideo expected.

Fixes fuzzed sample nasa-8s2.ts_s244342.

Fixes null pointer dereference.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

Compute dist_scale_factor_field only for MBAFF since that is the only
case in which it is used.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Prevents writing beyond array bounds.

Signed-off-by: Janne Grunau <janne-libav@jannau.net>

It is not posible to call get_buffer during frame-mt codec
initialization. Libavformat might pass huge amounts of data as
extradata after parsing broken files. The 'extradata' for the fuzzed
sample sample_varPAR_s5374_r001-02.avi is 2.8M large and contains
multiple slices.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Fixes Ticket2040

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Signed-off-by: Peter Ross <pross@xvid.org>

Signed-off-by: Peter Ross <pross@xvid.org>

Fixes decoding regression

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

This prevents a null pointer dereference

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Fixes Ticket1990

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Signed-off-by: Paul B Mahol <onemda@gmail.com>

Fixes assertion failure

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

RealPlayer does not play rv20 files when sizes are not multiple of 4

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Introduced in d7d6efe42b.

Since a NAL_DPA can start a new frame it has to be handled before
ff_thread_finish_setup is called.

Fixes out of array read

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

RealPlayer does not play correctly rv10 files when sizes are not multiple of 16

"RealVideo Encoder 1.0 supports any size image that is a multiple of sixteen pixels."

Reviewed-by: Nicolas George <nicolas.george@normalesup.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Fixes null pointer dereference

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Fix null pointer dereference

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Fixes Null pointer dereference

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

This code is now executed in h264_set_parameter_from_sps()

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Fixes CVE-2012-2783

CC: libav-stable@libav.org

Returning 0 for failure is misleading.

CC: libav-stable@libav.org

Fixes CVE-2012-2791.

CC: libav-stable@libav.org

Fix out of array read

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Fixes assertion failure

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

This requires to move the avcodec_default_free_buffers() call to
ff_MPV_common_end() since otherwise delayed pictures would get freed
during a size change.

Direct rendering capable decoders call get_buffer() which will set the
frame parameters.

Prevents frames with wrong parameters when a decoder outputs delayed
frames after a resolution or pixel format change.

Fixes a crash in the fuzzed sample sample_varPAR.avi_s26638 with
alternating bit depths.

Interlacing is not supported at all and mismanaged down the normal
codepaths causing possible buffer management issues.

CC: libav-stable@libav.org

Fixes CID747721
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Fixes CID747722
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Fixes CID747723
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Reviewed-by: Thilo Borgmann <thilo.borgmann@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>