Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0c97fd336e)

Fixes over reading the header array

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 474e31c904)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Found with asan.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 2d1c0dea5f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 00fa6ffe1a)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit a8f4db0acd)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

dv: Fix null pointer dereference due to ach=0

Fixes part2 of CVE-2011-3929

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 5a396bb3a6)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 44e182d41e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit b46141b0d1)

Conflicts:

	libavformat/dv.c

dv: check stype

Fixes part1 of CVE-2011-3929
Possibly fixes part of CVE-2011-3936

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Reviewed-by: Roman Shaposhnik <roman@shaposhnik.org>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 635bcfccd4)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit bb737d381f)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 38421f27b3)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Related to CVE-2011-3940.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit c898431ca5)

Conflicts:

	libavformat/nsvdec.c

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 0100c4b1b0)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 3253dd2b42)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Check results for av_malloc() and fix an overflow in one call.

Related to CVE-2011-3940.

Based in part on work from Michael Niedermayer.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
(cherry picked from commit 8fd8a48263)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit be524c186b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 87007519c8)

Conflicts:

	libavformat/nsvdec.c

Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write)

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5c011706bc)

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 6a89b41d97)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 65beb8c117)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 1edf848a81)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

In v2.4, the length includes the length field itself.
(cherry picked from commit ddb4431208)

Conflicts:

	libavformat/id3v2.c

Signed-off-by: Anton Khirnov <anton@khirnov.net>

Fixes bug #190
Chromium bug #100492
related to CVE-2011-3893

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

(cherry-picked from commit faaec4676c)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 1f625431e2)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 90a4a46747)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Signed-off-by: Janne Grunau <janne-libav@jannau.net>
(cherry picked from commit 723229c11f)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d51c7b4cbe)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e3123856c7)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 5d44c061cf)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 1cce7def0a)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 4907f81358)
(cherry picked from commit 24e0a9e451)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7cbe025758)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d0121e8d96)

Between ogg_save() and ogg_restore() calls, the number of streams
could have been reduced.

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 0e7efb9d23)

Signed-off-by: Anton Khirnov <anton@khirnov.net>

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit a92d0fa5d2)

Signed-off-by: Anton Khirnov <anton@khirnov.net>

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 273aab99bf)

Signed-off-by: Anton Khirnov <anton@khirnov.net>

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit e055932f56)

Signed-off-by: Anton Khirnov <anton@khirnov.net>

Whitespace of the patch cleaned up by Aurel
Some of the issues have been reported by Steve Manzuik / Microsoft Vulnerability Research (MSVR)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

(cherry picked from commit 956c901c68)

Further suggestions from Kostya <kostya.shishkov@gmail.com> have been
implemented by Reinhard Tartler <siretart@tauware.de>

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 77d2ef13a8)

NB: MSVR-11-0080 doesn't seem to exist. This issue seems to be known
as MSVR11-011 instead.

Fixes: CVE-2011-3504

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

This fixes invalid reads/writes with this sample:
http://packetstorm.linuxsecurity.com/1103-exploits/vlc105-dos.txt
(cherry picked from commit 8312e3fc90)

Signed-off-by: Janne Grunau <janne-ffmpeg@jannau.net>
(cherry picked from commit 2c3589bfda)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Signed-off-by: Janne Grunau <janne-ffmpeg@jannau.net>
(cherry picked from commit 348b8218f7)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Originally committed as revision 25324 to svn://svn.ffmpeg.org/ffmpeg/branches/0.5

This improves performance on e.g. seekable http.


backport r24280 by mstorsjo


Originally committed as revision 24428 to svn://svn.ffmpeg.org/ffmpeg/branches/0.5

backport  r19270 by rbultje:

Remove any reference to ASFContext.packet_size and replace it with
AVFormatContext.packet_size. See "[PATCH] asf*.c/h: use
AVFormatContext->packet_size instead of own copy" thread on ML.

and r19361 by reimar:

Check for packet_length 0, it is already treated as invalid by the padding check,
but that resulted in a confusing/wrong error message.



Originally committed as revision 22147 to svn://svn.ffmpeg.org/ffmpeg/branches/0.5

r19330 by reimar


Originally committed as revision 22080 to svn://svn.ffmpeg.org/ffmpeg/branches/0.5

First, make s signed, so that comparisons against end - p will not be made as
unsigned, making the check incorrectly pass if p is beyond end.
Also ensure that p will never be > end, so the code is correct also if
buf is not padded.

backported r20014 by reimar


Originally committed as revision 21711 to svn://svn.ffmpeg.org/ffmpeg/branches/0.5

backported r19259 by bcoudurier



Originally committed as revision 21710 to svn://svn.ffmpeg.org/ffmpeg/branches/0.5

backported patch r19792 by bcoudurier




Originally committed as revision 21709 to svn://svn.ffmpeg.org/ffmpeg/branches/0.5

if no header was found the parser was not initialized and thus will
crash when trying to use it.



Originally committed as revision 21708 to svn://svn.ffmpeg.org/ffmpeg/branches/0.5

Fixes issue1240/mpeg1/smclockmpeg1.avi.3.1



Originally committed as revision 21707 to svn://svn.ffmpeg.org/ffmpeg/branches/0.5

Originally committed as revision 21595 to svn://svn.ffmpeg.org/ffmpeg/branches/0.5

Originally committed as revision 17737 to svn://svn.ffmpeg.org/ffmpeg/branches/0.5

Originally committed as revision 17716 to svn://svn.ffmpeg.org/ffmpeg/trunk

Originally committed as revision 17690 to svn://svn.ffmpeg.org/ffmpeg/trunk

Originally committed as revision 17689 to svn://svn.ffmpeg.org/ffmpeg/trunk

Originally committed as revision 17687 to svn://svn.ffmpeg.org/ffmpeg/trunk

Originally committed as revision 17686 to svn://svn.ffmpeg.org/ffmpeg/trunk

Originally committed as revision 17682 to svn://svn.ffmpeg.org/ffmpeg/trunk

Originally committed as revision 17681 to svn://svn.ffmpeg.org/ffmpeg/trunk

Originally committed as revision 17675 to svn://svn.ffmpeg.org/ffmpeg/trunk

the timestamps because delay is not known for the first few frames.

Originally committed as revision 17674 to svn://svn.ffmpeg.org/ffmpeg/trunk

Add missing const qualifiers for metadata_conv in AV{In|Out}putFormat.

Originally committed as revision 17671 to svn://svn.ffmpeg.org/ffmpeg/trunk

Originally committed as revision 17670 to svn://svn.ffmpeg.org/ffmpeg/trunk

Originally committed as revision 17666 to svn://svn.ffmpeg.org/ffmpeg/trunk

Patch by Ivan Schreter, schreter gmx net

Originally committed as revision 17665 to svn://svn.ffmpeg.org/ffmpeg/trunk