Merge remote-tracking branch 'qatar/release/0.7' into release/0.8
authorMichael Niedermayer <michaelni@gmx.at>
Mon, 4 Jun 2012 11:05:25 +0000 (13:05 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Mon, 4 Jun 2012 11:05:25 +0000 (13:05 +0200)
* qatar/release/0.7:
  Update RELEASE file for 0.7.6
  Update changelog for 0.7.6 release
  ea: check chunk_size for validity.
  png: check bit depth for PAL8/Y400A pixel formats.
  x86: fix build with gcc 4.7
  qdm2: clip array indices returned by qdm2_get_vlc().
  kmvc: Check palsize.
  aacsbr: prevent out of bounds memcpy().
  rtpdec_asf: Fix integer underflow that could allow remote code execution
  dpcm: ignore extra unpaired bytes in stereo streams.
  tqi: Pass errors from the MB decoder
  h264: Add check for invalid chroma_format_idc
  adpcm: ADPCM Electronic Arts has always two channels
  h263dec: Disallow width/height changing with frame threads.
  vqavideo: return error if image size is not a multiple of block size
  celp filters: Do not read earlier than the start of the 'out' vector.
  motionpixels: Clip YUV values after applying a gradient.
  h263: more strictly forbid frame size changes with frame-mt.
  h264: additional protection against unsupported size/bitdepth changes.

Conflicts:
Changelog
RELEASE
libavcodec/aacsbr.c
libavcodec/h264_ps.c
libavcodec/pngdec.c
libavformat/rtpdec_asf.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>
15 files changed:
1  2 
libavcodec/aacsbr.c
libavcodec/adpcm.c
libavcodec/celp_filters.c
libavcodec/dpcm.c
libavcodec/eatqi.c
libavcodec/h263dec.c
libavcodec/h264.c
libavcodec/h264_ps.c
libavcodec/kmvc.c
libavcodec/motionpixels.c
libavcodec/pngdec.c
libavcodec/qdm2.c
libavcodec/vqavideo.c
libavformat/electronicarts.c
libavformat/rtpdec_asf.c

Simple merge
Simple merge
Simple merge
Simple merge
Simple merge
Simple merge
Simple merge
@@@ -342,19 -329,14 +342,19 @@@ int ff_h264_decode_seq_parameter_set(H2
  
      if(sps->profile_idc >= 100){ //high profile
          sps->chroma_format_idc= get_ue_golomb_31(&s->gb);
 -        if(sps->chroma_format_idc > 3) {
 -            av_log(h->s.avctx, AV_LOG_ERROR, "chroma_format_idc (%u) out of range\n", sps->chroma_format_idc);
 -            return -1;
 +        if (sps->chroma_format_idc > 3U) {
 +            av_log(h->s.avctx, AV_LOG_ERROR, "chroma_format_idc %d is illegal\n", sps->chroma_format_idc);
 +            goto fail;
-         }
-         if(sps->chroma_format_idc == 3)
+         } else if(sps->chroma_format_idc == 3) {
              sps->residual_color_transform_flag = get_bits1(&s->gb);
+         }
          sps->bit_depth_luma   = get_ue_golomb(&s->gb) + 8;
          sps->bit_depth_chroma = get_ue_golomb(&s->gb) + 8;
 +        if (sps->bit_depth_luma > 12U || sps->bit_depth_chroma > 12U) {
 +            av_log(h->s.avctx, AV_LOG_ERROR, "illegal bit depth value (%d, %d)\n",
 +                   sps->bit_depth_luma, sps->bit_depth_chroma);
 +            goto fail;
 +        }
          sps->transform_bypass = get_bits1(&s->gb);
          decode_scaling_matrices(h, sps, NULL, 1, sps->scaling_matrix4, sps->scaling_matrix8);
      }else{
Simple merge
Simple merge
@@@ -467,9 -485,11 +467,10 @@@ static int decode_frame(AVCodecContext 
                  } else if (s->bit_depth == 16 &&
                             s->color_type == PNG_COLOR_TYPE_RGB) {
                      avctx->pix_fmt = PIX_FMT_RGB48BE;
 -                } else if (s->bit_depth == 1 &&
 -                           s->color_type == PNG_COLOR_TYPE_GRAY) {
 +                } else if (s->bit_depth == 1) {
                      avctx->pix_fmt = PIX_FMT_MONOBLACK;
-                 } else if (s->color_type == PNG_COLOR_TYPE_PALETTE) {
+                 } else if (s->bit_depth == 8 &&
+                            s->color_type == PNG_COLOR_TYPE_PALETTE) {
                      avctx->pix_fmt = PIX_FMT_PAL8;
                  } else if (s->bit_depth == 8 &&
                             s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) {
Simple merge
Simple merge
Simple merge
@@@ -233,14 -233,14 +233,16 @@@ static int asfrtp_parse_packet(AVFormat
  
                  int cur_len = start_off + len_off - off;
                  int prev_len = out_len;
-                 void *newbuf;
+                 void *newmem;
++
                  out_len += cur_len;
-                 if(FFMIN(cur_len, len - off)<0)
++
+                 if (FFMIN(cur_len, len - off) < 0)
                      return -1;
-                 newbuf = av_realloc(asf->buf, out_len);
-                 if(!newbuf)
+                 newmem = av_realloc(asf->buf, out_len);
+                 if (!newmem)
                      return -1;
-                 asf->buf= newbuf;
+                 asf->buf = newmem;
                  memcpy(asf->buf + prev_len, buf + off,
                         FFMIN(cur_len, len - off));
                  avio_skip(pb, cur_len);