From 47be9f5bd50e9c388adca6f8991cde7b4612db56 Mon Sep 17 00:00:00 2001
From: "Ronald S. Bultje" <rsbultje@gmail.com>
Date: Sun, 26 Jun 2011 15:52:00 -0700
Subject: [PATCH 01/73] swscale: don't use planar output functions to write to
 NV12/21.

This prevents a crash when converting to NV12/21 without the bitexact
flags enabled.
(cherry picked from commit 0d994b2f45c08794899057ee7ca54f48218c0a53)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libswscale/x86/swscale_template.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libswscale/x86/swscale_template.c b/libswscale/x86/swscale_template.c
index 8fad257ddf..dc92cddff5 100644
--- a/libswscale/x86/swscale_template.c
+++ b/libswscale/x86/swscale_template.c
@@ -2203,7 +2203,8 @@ static av_cold void RENAME(sws_init_swScale)(SwsContext *c)
     enum PixelFormat srcFormat = c->srcFormat,
                      dstFormat = c->dstFormat;
 
-    if (!is16BPS(dstFormat) && !is9_OR_10BPS(dstFormat)) {
+    if (!is16BPS(dstFormat) && !is9_OR_10BPS(dstFormat) &&
+        dstFormat != PIX_FMT_NV12 && dstFormat != PIX_FMT_NV21) {
         if (!(c->flags & SWS_BITEXACT)) {
             if (c->flags & SWS_ACCURATE_RND) {
                 c->yuv2yuv1 = RENAME(yuv2yuv1_ar    );

From 8ad1f0852b26468cb681ad49be83e2bc25d07934 Mon Sep 17 00:00:00 2001
From: Jason Garrett-Glaser <jason@x264.com>
Date: Mon, 4 Jul 2011 06:05:34 -0700
Subject: [PATCH 02/73] H.264: fix overreads of qscale_table

filter_mb_fast assumed that qscale_table was padded like many of the other tables.
(cherry picked from commit 5029a406334ad0eaf92130e23d596e405a8a5aa0)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/mpegvideo.c | 5 +++--
 libavcodec/mpegvideo.h | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c
index 4978d28b49..ceed41f230 100644
--- a/libavcodec/mpegvideo.c
+++ b/libavcodec/mpegvideo.c
@@ -285,9 +285,10 @@ int ff_alloc_picture(MpegEncContext *s, Picture *pic, int shared){
         }
 
         FF_ALLOCZ_OR_GOTO(s->avctx, pic->mbskip_table , mb_array_size * sizeof(uint8_t)+2, fail) //the +2 is for the slice end check
-        FF_ALLOCZ_OR_GOTO(s->avctx, pic->qscale_table , mb_array_size * sizeof(uint8_t)  , fail)
+        FF_ALLOCZ_OR_GOTO(s->avctx, pic->qscale_table_base , (big_mb_num + s->mb_stride) * sizeof(uint8_t)  , fail)
         FF_ALLOCZ_OR_GOTO(s->avctx, pic->mb_type_base , (big_mb_num + s->mb_stride) * sizeof(uint32_t), fail)
         pic->mb_type= pic->mb_type_base + 2*s->mb_stride+1;
+        pic->qscale_table = pic->qscale_table_base + 2*s->mb_stride + 1;
         if(s->out_format == FMT_H264){
             for(i=0; i<2; i++){
                 FF_ALLOCZ_OR_GOTO(s->avctx, pic->motion_val_base[i], 2 * (b4_array_size+4)  * sizeof(int16_t), fail)
@@ -339,7 +340,7 @@ static void free_picture(MpegEncContext *s, Picture *pic){
     av_freep(&pic->mc_mb_var);
     av_freep(&pic->mb_mean);
     av_freep(&pic->mbskip_table);
-    av_freep(&pic->qscale_table);
+    av_freep(&pic->qscale_table_base);
     av_freep(&pic->mb_type_base);
     av_freep(&pic->dct_coeff);
     av_freep(&pic->pan_scan);
diff --git a/libavcodec/mpegvideo.h b/libavcodec/mpegvideo.h
index 6ce7faa235..f37977c941 100644
--- a/libavcodec/mpegvideo.h
+++ b/libavcodec/mpegvideo.h
@@ -88,6 +88,7 @@ typedef struct Picture{
      * halfpel luma planes.
      */
     uint8_t *interpolated[3];
+    int8_t *qscale_table_base;
     int16_t (*motion_val_base[2])[2];
     uint32_t *mb_type_base;
 #define MB_TYPE_INTRA MB_TYPE_INTRA4x4 //default mb_type if there is just one type

From 06318968853ff8c628bbc75fb126483c08f22fd9 Mon Sep 17 00:00:00 2001
From: John Stebbins <stebbins@jetheaddev.com>
Date: Mon, 4 Jul 2011 09:55:19 -0700
Subject: [PATCH 03/73] dca: set AVCodecContext frame_size for DTS audio

Set the frame size when decoding DTS audio.

This has the side effect of fixing the computation of timestamps for DTS-HD in compute_pkt_fields.  Since frame_size is
not currently set, the duration of a frame is being guessed based on the streams bitrate.  But for DTS-HD, the bitrate
currently used is the rate of the DTS core which is much different than the whole DTS-HD stream and leads to a wildly
inaccurate frame duration estimate.

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 49c7006c7e815d4330247624a9e6ba30e288cd02)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/dca.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/dca.c b/libavcodec/dca.c
index a9b2c9b0c9..fad6bce7a9 100644
--- a/libavcodec/dca.c
+++ b/libavcodec/dca.c
@@ -1650,6 +1650,7 @@ static int dca_decode_frame(AVCodecContext * avctx,
     //set AVCodec values with parsed data
     avctx->sample_rate = s->sample_rate;
     avctx->bit_rate = s->bit_rate;
+    avctx->frame_size = s->sample_blocks * 32;
 
     s->profile = FF_PROFILE_DTS;
 

From 776603b650485f4f2d45f383b772ac5a4f03ebfb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= <clement.boesch@smartjog.com>
Date: Mon, 4 Jul 2011 10:19:46 +0200
Subject: [PATCH 04/73] mxfenc: fix ignored drop flag in binary timecode
 representation.

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 4d5e7ab5c48451404038706ef3113c9925a83087)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavformat/mxfenc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mxfenc.c b/libavformat/mxfenc.c
index c448e14b00..387263e1a1 100644
--- a/libavformat/mxfenc.c
+++ b/libavformat/mxfenc.c
@@ -1539,7 +1539,7 @@ static const uint8_t system_metadata_package_set_key[] = { 0x06,0x0E,0x2B,0x34,0
 static uint32_t ff_framenum_to_12m_time_code(unsigned frame, int drop, int fps)
 {
     return (0                                    << 31) | // color frame flag
-           (0                                    << 30) | // drop  frame flag
+           (drop                                 << 30) | // drop  frame flag
            ( ((frame % fps) / 10)                << 28) | // tens  of frames
            ( ((frame % fps) % 10)                << 24) | // units of frames
            (0                                    << 23) | // field phase (NTSC), b0 (PAL)

From 15355f9af2a415bbfbffdace04a4341c8af050e7 Mon Sep 17 00:00:00 2001
From: Mans Rullgard <mans@mansr.com>
Date: Tue, 5 Jul 2011 18:29:35 +0100
Subject: [PATCH 05/73] ARM: workaround for bug in GNU assembler

Some versions of the GNU assembler do not handle 64-bit
immediate operands containing arithmetic.  Writing the
value out in full works correctly.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit fce1e43410bdc032c4cf2b1c66166a9ed99cc8f1)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/arm/fft_fixed_neon.S | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/arm/fft_fixed_neon.S b/libavcodec/arm/fft_fixed_neon.S
index 14884d3736..63d8159359 100644
--- a/libavcodec/arm/fft_fixed_neon.S
+++ b/libavcodec/arm/fft_fixed_neon.S
@@ -56,7 +56,7 @@
         vhsub.s16       \r0, \d0, \d1           @ t3, t4, t8, t7
         vhsub.s16       \r1, \d1, \d0
         vhadd.s16       \d0, \d0, \d1           @ t1, t2, t6, t5
-        vmov.i64        \d1, #0xffff<<32
+        vmov.i64        \d1, #0xffff00000000
         vbit            \r0, \r1, \d1
         vrev64.16       \r1, \r0                @ t7, t8, t4, t3
         vtrn.32         \r0, \r1                @ t3, t4, t7, t8

From e9520db07e1e4a795523726329d448d168b188d5 Mon Sep 17 00:00:00 2001
From: "Ronald S. Bultje" <rsbultje@gmail.com>
Date: Tue, 5 Jul 2011 18:10:48 -0700
Subject: [PATCH 06/73] eval: fix memleak.

(cherry picked from commit fe277b16f0861a327e1f6c00c0dbb8b00806d60d)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavutil/eval.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavutil/eval.c b/libavutil/eval.c
index a3788210e3..8bcba3632d 100644
--- a/libavutil/eval.c
+++ b/libavutil/eval.c
@@ -488,6 +488,7 @@ int av_expr_parse(AVExpr **expr, const char *s,
     if ((ret = parse_expr(&e, &p)) < 0)
         goto end;
     if (*p.s) {
+        av_expr_free(e);
         av_log(&p, AV_LOG_ERROR, "Invalid chars '%s' at the end of expression '%s'\n", p.s, s0);
         ret = AVERROR(EINVAL);
         goto end;

From 6107543d4e4f6bfa7810e3696ab57553f7257b4b Mon Sep 17 00:00:00 2001
From: Alex Converse <alex.converse@gmail.com>
Date: Wed, 29 Jun 2011 13:41:47 -0700
Subject: [PATCH 07/73] adts: Fix PCE copying.

Parse the extension flag bit when reading the MPEG4 AudioSpecificConfig.

This has nothing to do with SBR/PS contradictory to what was noted when it was removed.
(cherry picked from commit 7f01a4192cdf4565eadee457f76e6b5196e35e0b)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavformat/adtsenc.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavformat/adtsenc.c b/libavformat/adtsenc.c
index e858a81d92..75649e24dc 100644
--- a/libavformat/adtsenc.c
+++ b/libavformat/adtsenc.c
@@ -59,6 +59,10 @@ int ff_adts_decode_extradata(AVFormatContext *s, ADTSContext *adts, uint8_t *buf
         av_log(s, AV_LOG_ERROR, "Scalable configurations are not allowed in ADTS\n");
         return -1;
     }
+    if (get_bits(&gb, 1)) {
+        av_log(s, AV_LOG_ERROR, "Extension flag is not allowed in ADTS\n");
+        return -1;
+    }
     if (!adts->channel_conf) {
         init_put_bits(&pb, adts->pce_data, MAX_PCE_SIZE);
 

From 94177614747ebb8a8e1b7e70cfd5229cbac56c04 Mon Sep 17 00:00:00 2001
From: Anton Khirnov <anton@khirnov.net>
Date: Sun, 11 Sep 2011 12:27:51 +0200
Subject: [PATCH 08/73] Revert "ffmpeg: get rid of useless
 AVInputStream.nb_streams."

This reverts commit 2cf8355f98681bdd726b739008acd5483f82f8d7.
AVInputStream.nb_streams tracks number of streams found at the
beginning, new streams may appear that ffmpeg doesn't know about. Fixes
crash in this case.

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 ffmpeg.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/ffmpeg.c b/ffmpeg.c
index c1db3d5679..76d1cf363c 100644
--- a/ffmpeg.c
+++ b/ffmpeg.c
@@ -329,6 +329,7 @@ typedef struct AVInputFile {
     int eof_reached;      /* true if eof reached */
     int ist_index;        /* index of first stream in ist_table */
     int buffer_size;      /* current total buffer size */
+    int nb_streams;       /* nb streams we are aware of */
 } AVInputFile;
 
 static AVInputStream *input_streams = NULL;
@@ -1983,7 +1984,7 @@ static int transcode(AVFormatContext **output_files,
         int si = stream_maps[i].stream_index;
 
         if (fi < 0 || fi > nb_input_files - 1 ||
-            si < 0 || si > input_files[fi].ctx->nb_streams - 1) {
+            si < 0 || si > input_files[fi].nb_streams - 1) {
             fprintf(stderr,"Could not find input stream #%d.%d\n", fi, si);
             ret = AVERROR(EINVAL);
             goto fail;
@@ -1991,7 +1992,7 @@ static int transcode(AVFormatContext **output_files,
         fi = stream_maps[i].sync_file_index;
         si = stream_maps[i].sync_stream_index;
         if (fi < 0 || fi > nb_input_files - 1 ||
-            si < 0 || si > input_files[fi].ctx->nb_streams - 1) {
+            si < 0 || si > input_files[fi].nb_streams - 1) {
             fprintf(stderr,"Could not find sync stream #%d.%d\n", fi, si);
             ret = AVERROR(EINVAL);
             goto fail;
@@ -2607,7 +2608,7 @@ static int transcode(AVFormatContext **output_files,
         }
         /* the following test is needed in case new streams appear
            dynamically in stream : we ignore them */
-        if (pkt.stream_index >= input_files[file_index].ctx->nb_streams)
+        if (pkt.stream_index >= input_files[file_index].nb_streams)
             goto discard_packet;
         ist_index = input_files[file_index].ist_index + pkt.stream_index;
         ist = &input_streams[ist_index];
@@ -3365,6 +3366,7 @@ static int opt_input_file(const char *opt, const char *filename)
     input_files = grow_array(input_files, sizeof(*input_files), &nb_input_files, nb_input_files + 1);
     input_files[nb_input_files - 1].ctx        = ic;
     input_files[nb_input_files - 1].ist_index  = nb_input_streams - ic->nb_streams;
+    input_files[nb_input_files - 1].nb_streams = ic->nb_streams;
 
     frame_rate    = (AVRational){0, 0};
     frame_pix_fmt = PIX_FMT_NONE;

From c75ba07f6eb83439bc44e5504152f8ca03097bec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tomas=20H=C3=A4rdin?= <tomas.hardin@codemill.se>
Date: Thu, 23 Jun 2011 15:59:33 +0200
Subject: [PATCH 09/73] gxf: Fix 25 fps DV material in GXF being misdetected as
 50 fps

Set DV packet durations using fields_per_frame.
This requires turning gxf_stream_info into the demuxer's context for access to the value in gxf_packet().
Since MPEG-2 seems to work fine this done only for DV.

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 99fecc64b064a013559d3d61f7d9790e3c95c80e)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavformat/gxf.c | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/libavformat/gxf.c b/libavformat/gxf.c
index 74d925fe60..d77fd18b37 100644
--- a/libavformat/gxf.c
+++ b/libavformat/gxf.c
@@ -264,7 +264,7 @@ static int gxf_header(AVFormatContext *s, AVFormatParameters *ap) {
     int map_len;
     int len;
     AVRational main_timebase = {0, 0};
-    struct gxf_stream_info si;
+    struct gxf_stream_info *si = s->priv_data;
     int i;
     if (!parse_packet_header(pb, &pkt_type, &map_len) || pkt_type != PKT_MAP) {
         av_log(s, AV_LOG_ERROR, "map packet not found\n");
@@ -282,7 +282,7 @@ static int gxf_header(AVFormatContext *s, AVFormatParameters *ap) {
         return 0;
     }
     map_len -= len;
-    gxf_material_tags(pb, &len, &si);
+    gxf_material_tags(pb, &len, si);
     avio_skip(pb, len);
     map_len -= 2;
     len = avio_rb16(pb); // length of track description
@@ -300,7 +300,7 @@ static int gxf_header(AVFormatContext *s, AVFormatParameters *ap) {
         track_id = avio_r8(pb);
         track_len = avio_rb16(pb);
         len -= track_len;
-        gxf_track_tags(pb, &track_len, &si);
+        gxf_track_tags(pb, &track_len, si);
         avio_skip(pb, track_len);
         if (!(track_type & 0x80)) {
            av_log(s, AV_LOG_ERROR, "invalid track type %x\n", track_type);
@@ -316,12 +316,12 @@ static int gxf_header(AVFormatContext *s, AVFormatParameters *ap) {
         if (idx < 0) continue;
         st = s->streams[idx];
         if (!main_timebase.num || !main_timebase.den) {
-            main_timebase.num = si.frames_per_second.den;
-            main_timebase.den = si.frames_per_second.num * 2;
+            main_timebase.num = si->frames_per_second.den;
+            main_timebase.den = si->frames_per_second.num * 2;
         }
-        st->start_time = si.first_field;
-        if (si.first_field != AV_NOPTS_VALUE && si.last_field != AV_NOPTS_VALUE)
-            st->duration = si.last_field - si.first_field;
+        st->start_time = si->first_field;
+        if (si->first_field != AV_NOPTS_VALUE && si->last_field != AV_NOPTS_VALUE)
+            st->duration = si->last_field - si->first_field;
     }
     if (len < 0)
         av_log(s, AV_LOG_ERROR, "invalid track description length specified\n");
@@ -422,6 +422,8 @@ static int gxf_packet(AVFormatContext *s, AVPacket *pkt) {
     AVIOContext *pb = s->pb;
     GXFPktType pkt_type;
     int pkt_len;
+    struct gxf_stream_info *si = s->priv_data;
+
     while (!pb->eof_reached) {
         AVStream *st;
         int track_type, track_id, ret;
@@ -473,6 +475,11 @@ static int gxf_packet(AVFormatContext *s, AVPacket *pkt) {
             avio_skip(pb, skip);
         pkt->stream_index = stream_index;
         pkt->dts = field_nr;
+
+        //set duration manually for DV or else lavf misdetects the frame rate
+        if (st->codec->codec_id == CODEC_ID_DVVIDEO)
+            pkt->duration = si->fields_per_frame;
+
         return ret;
     }
     return AVERROR(EIO);
@@ -518,7 +525,7 @@ static int64_t gxf_read_timestamp(AVFormatContext *s, int stream_index,
 AVInputFormat ff_gxf_demuxer = {
     "gxf",
     NULL_IF_CONFIG_SMALL("GXF format"),
-    0,
+    sizeof(struct gxf_stream_info),
     gxf_probe,
     gxf_header,
     gxf_packet,

From 6ed533f56137f678ff8507012de14d277aded9cc Mon Sep 17 00:00:00 2001
From: Justin Ruggles <justin.ruggles@gmail.com>
Date: Wed, 22 Jun 2011 15:33:56 -0400
Subject: [PATCH 10/73] alsa: fallback to buffer_size/4 for period_size.

buffer_size/4 is the value used by aplay. This fixes output to null
devices, e.g. writing ALSA output to a file.
(cherry picked from commit 8bfd7f6a475225a0595bf657f8b99a8fffb461e4)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavdevice/alsa-audio-common.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavdevice/alsa-audio-common.c b/libavdevice/alsa-audio-common.c
index baa6ac79ca..4c7c881300 100644
--- a/libavdevice/alsa-audio-common.c
+++ b/libavdevice/alsa-audio-common.c
@@ -146,6 +146,8 @@ av_cold int ff_alsa_open(AVFormatContext *ctx, snd_pcm_stream_t mode,
     }
 
     snd_pcm_hw_params_get_period_size_min(hw_params, &period_size, NULL);
+    if (!period_size)
+        period_size = buffer_size / 4;
     res = snd_pcm_hw_params_set_period_size_near(h, hw_params, &period_size, NULL);
     if (res < 0) {
         av_log(ctx, AV_LOG_ERROR, "cannot set ALSA period size (%s)\n",

From 0c039db4d8aa0928d9b7466c635247e6439df015 Mon Sep 17 00:00:00 2001
From: Justin Ruggles <justin.ruggles@gmail.com>
Date: Wed, 22 Jun 2011 16:38:20 -0400
Subject: [PATCH 11/73] alsa: limit buffer_size to 32768 frames.

In testing, the file output plugin gave a max buffer size of about 20 million
frames, which is way more than what is really needed and causes a memory
allocation error on my system.
(cherry picked from commit e35c674d13a7f180412cfe058530a2e7f1d49a90)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavdevice/alsa-audio-common.c | 1 +
 libavdevice/alsa-audio.h        | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/libavdevice/alsa-audio-common.c b/libavdevice/alsa-audio-common.c
index 4c7c881300..825fcb1dbd 100644
--- a/libavdevice/alsa-audio-common.c
+++ b/libavdevice/alsa-audio-common.c
@@ -137,6 +137,7 @@ av_cold int ff_alsa_open(AVFormatContext *ctx, snd_pcm_stream_t mode,
     }
 
     snd_pcm_hw_params_get_buffer_size_max(hw_params, &buffer_size);
+    buffer_size = FFMIN(buffer_size, ALSA_BUFFER_SIZE_MAX);
     /* TODO: maybe use ctx->max_picture_buffer somehow */
     res = snd_pcm_hw_params_set_buffer_size_near(h, hw_params, &buffer_size);
     if (res < 0) {
diff --git a/libavdevice/alsa-audio.h b/libavdevice/alsa-audio.h
index 32c07426ef..c8c6ea4aff 100644
--- a/libavdevice/alsa-audio.h
+++ b/libavdevice/alsa-audio.h
@@ -40,6 +40,8 @@
         other formats */
 #define DEFAULT_CODEC_ID AV_NE(CODEC_ID_PCM_S16BE, CODEC_ID_PCM_S16LE)
 
+#define ALSA_BUFFER_SIZE_MAX 32768
+
 typedef struct {
     AVClass *class;
     snd_pcm_t *h;

From b772a757dd5e58ce94b56daee0deba78ab2e205e Mon Sep 17 00:00:00 2001
From: Jindrich Makovicka <makovick@gmail.com>
Date: Thu, 30 Jun 2011 09:03:15 +0000
Subject: [PATCH 12/73] mpegts: fix Continuity Counter error detection

According to MPEG-TS specs, the continuity_counter shall not be
incremented when the adaptation_field_control of the packet
equals '00' or '10'.

Signed-off-by: Jindrich Makovicka <jindrich.makovicka@nangu.tv>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 8923cfa328e8eb565aebcfe8672b276fd1c19bf7)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavformat/mpegts.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
index e9b8b3513a..608cbe710f 100644
--- a/libavformat/mpegts.c
+++ b/libavformat/mpegts.c
@@ -1247,7 +1247,7 @@ static int handle_packet(MpegTSContext *ts, const uint8_t *packet)
 {
     AVFormatContext *s = ts->stream;
     MpegTSFilter *tss;
-    int len, pid, cc, cc_ok, afc, is_start;
+    int len, pid, cc, expected_cc, cc_ok, afc, is_start;
     const uint8_t *p, *p_end;
     int64_t pos;
 
@@ -1265,7 +1265,8 @@ static int handle_packet(MpegTSContext *ts, const uint8_t *packet)
 
     /* continuity check (currently not used) */
     cc = (packet[3] & 0xf);
-    cc_ok = (tss->last_cc < 0) || ((((tss->last_cc + 1) & 0x0f) == cc));
+    expected_cc = (packet[3] & 0x10) ? (tss->last_cc + 1) & 0x0f : tss->last_cc;
+    cc_ok = (tss->last_cc < 0) || (expected_cc == cc);
     tss->last_cc = cc;
 
     /* skip adaptation field */

From f8521560fa95c83bfbd95bb1b5adc8ded62a5104 Mon Sep 17 00:00:00 2001
From: Oskar Arvidsson <oskar@irock.se>
Date: Tue, 12 Jul 2011 10:52:19 +0200
Subject: [PATCH 13/73] pix_fmt: Fix number of bits per component in yuv444p9be

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit e59d6b4d7255d6d3dc89580f534e18af1433fe25)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavutil/pixdesc.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavutil/pixdesc.c b/libavutil/pixdesc.c
index efc7c7ea0e..c70a41347b 100644
--- a/libavutil/pixdesc.c
+++ b/libavutil/pixdesc.c
@@ -918,9 +918,9 @@ const AVPixFmtDescriptor av_pix_fmt_descriptors[PIX_FMT_NB] = {
         .log2_chroma_w= 0,
         .log2_chroma_h= 0,
         .comp = {
-            {0,1,1,0,9},        /* Y */
-            {1,1,1,0,9},        /* U */
-            {2,1,1,0,9},        /* V */
+            {0,1,1,0,8},        /* Y */
+            {1,1,1,0,8},        /* U */
+            {2,1,1,0,8},        /* V */
         },
         .flags = PIX_FMT_BE,
     },

From 9c2a02466053dd4762d474d89d9be9a957eaaefe Mon Sep 17 00:00:00 2001
From: Anton Khirnov <anton@khirnov.net>
Date: Tue, 12 Jul 2011 22:42:18 +0200
Subject: [PATCH 14/73] lavf: fix segfault in av_open_input_stream()

ic is NULL in case of error.
(cherry picked from commit 13551ad1e336573e3732fdeaf25607c47244bb80)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavformat/utils.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index 0e6b00195b..2cb096e373 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -465,7 +465,8 @@ int av_open_input_stream(AVFormatContext **ic_ptr,
     else
         ic->pb = pb;
 
-    err = avformat_open_input(&ic, filename, fmt, &opts);
+    if ((err = avformat_open_input(&ic, filename, fmt, &opts)) < 0)
+        goto fail;
     ic->pb = ic->pb ? ic->pb : pb; // don't leak custom pb if it wasn't set above
 
     *ic_ptr = ic;

From f7831bb104c48118b38d4ba86a7d594fe4fa0f2c Mon Sep 17 00:00:00 2001
From: Mans Rullgard <mans@mansr.com>
Date: Fri, 15 Jul 2011 22:38:10 +0100
Subject: [PATCH 15/73] aacps: skip some memcpy() if src and dst would be equal

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit e5902d60ce8f7cf10b6e87a57eec536b316261a3)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/aacps.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c
index 724c13256a..3f1424bcf2 100644
--- a/libavcodec/aacps.c
+++ b/libavcodec/aacps.c
@@ -813,14 +813,17 @@ static void stereo_processing(PSContext *ps, float (*l)[32][2], float (*r)[32][2
     const float (*H_LUT)[8][4] = (PS_BASELINE || ps->icc_mode < 3) ? HA : HB;
 
     //Remapping
-    memcpy(H11[0][0], H11[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H11[0][0][0]));
-    memcpy(H11[1][0], H11[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H11[1][0][0]));
-    memcpy(H12[0][0], H12[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H12[0][0][0]));
-    memcpy(H12[1][0], H12[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H12[1][0][0]));
-    memcpy(H21[0][0], H21[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H21[0][0][0]));
-    memcpy(H21[1][0], H21[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H21[1][0][0]));
-    memcpy(H22[0][0], H22[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H22[0][0][0]));
-    memcpy(H22[1][0], H22[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H22[1][0][0]));
+    if (ps->num_env_old) {
+        memcpy(H11[0][0], H11[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H11[0][0][0]));
+        memcpy(H11[1][0], H11[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H11[1][0][0]));
+        memcpy(H12[0][0], H12[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H12[0][0][0]));
+        memcpy(H12[1][0], H12[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H12[1][0][0]));
+        memcpy(H21[0][0], H21[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H21[0][0][0]));
+        memcpy(H21[1][0], H21[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H21[1][0][0]));
+        memcpy(H22[0][0], H22[0][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H22[0][0][0]));
+        memcpy(H22[1][0], H22[1][ps->num_env_old], PS_MAX_NR_IIDICC*sizeof(H22[1][0][0]));
+    }
+
     if (is34) {
         remap34(&iid_mapped, ps->iid_par, ps->nr_iid_par, ps->num_env, 1);
         remap34(&icc_mapped, ps->icc_par, ps->nr_icc_par, ps->num_env, 1);

From 3ed12b97bed7f0cd430c4304f166e549b4dad634 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafa=C3=ABl=20Carr=C3=A9?= <rafael.carre@gmail.com>
Date: Sat, 16 Jul 2011 11:41:08 -0400
Subject: [PATCH 16/73] Do not decode RV30 files if the extradata is too small

Signed-off-by: Diego Biurrun <diego@biurrun.de>
(cherry picked from commit 289c60001fb0a9a1d7a97c876d8a42b84c6874ac)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/rv30.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/rv30.c b/libavcodec/rv30.c
index 62177dda78..2b423cc0d2 100644
--- a/libavcodec/rv30.c
+++ b/libavcodec/rv30.c
@@ -256,6 +256,7 @@ static av_cold int rv30_decode_init(AVCodecContext *avctx)
     if(avctx->extradata_size - 8 < (r->rpr - 1) * 2){
         av_log(avctx, AV_LOG_ERROR, "Insufficient extradata - need at least %d bytes, got %d\n",
                6 + r->rpr * 2, avctx->extradata_size);
+        return EINVAL;
     }
     r->parse_slice_header = rv30_parse_slice_header;
     r->decode_intra_types = rv30_decode_intra_types;

From 99ec59adbdaced97d892da73e5c881ac122bd27b Mon Sep 17 00:00:00 2001
From: Mans Rullgard <mans@mansr.com>
Date: Wed, 20 Jul 2011 09:55:48 +0100
Subject: [PATCH 17/73] Fix incorrect max_lowres values

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit e23a05ab0605693aa715b95120bc0132079ded06)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/cdgraphics.c | 1 -
 libavcodec/kgv1dec.c    | 1 -
 libavcodec/pngdec.c     | 1 -
 libavcodec/pnmdec.c     | 5 -----
 libavcodec/sp5xdec.c    | 2 +-
 5 files changed, 1 insertion(+), 9 deletions(-)

diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c
index 2f8e98ca3d..bcfb6e9be5 100644
--- a/libavcodec/cdgraphics.c
+++ b/libavcodec/cdgraphics.c
@@ -377,6 +377,5 @@ AVCodec ff_cdgraphics_decoder = {
     cdg_decode_end,
     cdg_decode_frame,
     CODEC_CAP_DR1,
-    .max_lowres = 5,
     .long_name = NULL_IF_CONFIG_SMALL("CD Graphics video"),
 };
diff --git a/libavcodec/kgv1dec.c b/libavcodec/kgv1dec.c
index 57684340af..88c54bf817 100644
--- a/libavcodec/kgv1dec.c
+++ b/libavcodec/kgv1dec.c
@@ -173,6 +173,5 @@ AVCodec ff_kgv1_decoder = {
     NULL,
     decode_end,
     decode_frame,
-    .max_lowres = 1,
     .long_name = NULL_IF_CONFIG_SMALL("Kega Game Video"),
 };
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 7477f6746b..1268c9e781 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -667,6 +667,5 @@ AVCodec ff_png_decoder = {
     decode_frame,
     CODEC_CAP_DR1 /*| CODEC_CAP_DRAW_HORIZ_BAND*/,
     NULL,
-    .max_lowres = 5,
     .long_name = NULL_IF_CONFIG_SMALL("PNG image"),
 };
diff --git a/libavcodec/pnmdec.c b/libavcodec/pnmdec.c
index b9f20c0569..988ea0c267 100644
--- a/libavcodec/pnmdec.c
+++ b/libavcodec/pnmdec.c
@@ -199,7 +199,6 @@ AVCodec ff_pgm_decoder = {
     pnm_decode_frame,
     CODEC_CAP_DR1,
     .pix_fmts  = (const enum PixelFormat[]){PIX_FMT_GRAY8, PIX_FMT_GRAY16BE, PIX_FMT_NONE},
-    .max_lowres = 5,
     .long_name = NULL_IF_CONFIG_SMALL("PGM (Portable GrayMap) image"),
 };
 #endif
@@ -216,7 +215,6 @@ AVCodec ff_pgmyuv_decoder = {
     pnm_decode_frame,
     CODEC_CAP_DR1,
     .pix_fmts  = (const enum PixelFormat[]){PIX_FMT_YUV420P, PIX_FMT_NONE},
-    .max_lowres = 5,
     .long_name = NULL_IF_CONFIG_SMALL("PGMYUV (Portable GrayMap YUV) image"),
 };
 #endif
@@ -233,7 +231,6 @@ AVCodec ff_ppm_decoder = {
     pnm_decode_frame,
     CODEC_CAP_DR1,
     .pix_fmts  = (const enum PixelFormat[]){PIX_FMT_RGB24, PIX_FMT_RGB48BE, PIX_FMT_NONE},
-    .max_lowres = 5,
     .long_name = NULL_IF_CONFIG_SMALL("PPM (Portable PixelMap) image"),
 };
 #endif
@@ -250,7 +247,6 @@ AVCodec ff_pbm_decoder = {
     pnm_decode_frame,
     CODEC_CAP_DR1,
     .pix_fmts  = (const enum PixelFormat[]){PIX_FMT_MONOWHITE, PIX_FMT_NONE},
-    .max_lowres = 5,
     .long_name = NULL_IF_CONFIG_SMALL("PBM (Portable BitMap) image"),
 };
 #endif
@@ -267,7 +263,6 @@ AVCodec ff_pam_decoder = {
     pnm_decode_frame,
     CODEC_CAP_DR1,
     .pix_fmts  = (const enum PixelFormat[]){PIX_FMT_RGB24, PIX_FMT_RGB32, PIX_FMT_GRAY8, PIX_FMT_MONOWHITE, PIX_FMT_NONE},
-    .max_lowres = 5,
     .long_name = NULL_IF_CONFIG_SMALL("PAM (Portable AnyMap) image"),
 };
 #endif
diff --git a/libavcodec/sp5xdec.c b/libavcodec/sp5xdec.c
index 6726c18ca9..ae25733530 100644
--- a/libavcodec/sp5xdec.c
+++ b/libavcodec/sp5xdec.c
@@ -104,7 +104,7 @@ AVCodec ff_sp5x_decoder = {
     sp5x_decode_frame,
     CODEC_CAP_DR1,
     NULL,
-    .max_lowres = 5,
+    .max_lowres = 3,
     .long_name = NULL_IF_CONFIG_SMALL("Sunplus JPEG (SP5X)"),
 };
 

From 44c718cf7116203e4e86ff2b92d7dcfd9c77e4b3 Mon Sep 17 00:00:00 2001
From: Diego Biurrun <diego@biurrun.de>
Date: Thu, 21 Jul 2011 14:25:01 +0200
Subject: [PATCH 18/73] rv30: return AVERROR(EINVAL) instead of EINVAL

On some platforms EINVAL could be positive, ensure we return negative values.
(cherry picked from commit e5985185d2eda942333ebbb72bd7d043ffe40be7)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/rv30.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/rv30.c b/libavcodec/rv30.c
index 2b423cc0d2..b7f43a4bd0 100644
--- a/libavcodec/rv30.c
+++ b/libavcodec/rv30.c
@@ -256,7 +256,7 @@ static av_cold int rv30_decode_init(AVCodecContext *avctx)
     if(avctx->extradata_size - 8 < (r->rpr - 1) * 2){
         av_log(avctx, AV_LOG_ERROR, "Insufficient extradata - need at least %d bytes, got %d\n",
                6 + r->rpr * 2, avctx->extradata_size);
-        return EINVAL;
+        return AVERROR(EINVAL);
     }
     r->parse_slice_header = rv30_parse_slice_header;
     r->decode_intra_types = rv30_decode_intra_types;

From b3b97559bb47fceaaa7fc5aa25a351c9de7f60d6 Mon Sep 17 00:00:00 2001
From: "Ronald S. Bultje" <rsbultje@gmail.com>
Date: Tue, 26 Jul 2011 10:58:29 -0700
Subject: [PATCH 19/73] vp3/theora: flush after seek.

(cherry picked from commit 8dcf5184307f072d55fb29373be05ef8b0fd02df)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/vp3.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index c3dff7f89f..c117a64084 100644
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -2321,6 +2321,26 @@ static av_cold int theora_decode_init(AVCodecContext *avctx)
     return vp3_decode_init(avctx);
 }
 
+static void vp3_decode_flush(AVCodecContext *avctx)
+{
+    Vp3DecodeContext *s = avctx->priv_data;
+
+    if (s->golden_frame.data[0]) {
+        if (s->golden_frame.data[0] == s->last_frame.data[0])
+            memset(&s->last_frame, 0, sizeof(AVFrame));
+        if (s->current_frame.data[0] == s->golden_frame.data[0])
+            memset(&s->current_frame, 0, sizeof(AVFrame));
+        ff_thread_release_buffer(avctx, &s->golden_frame);
+    }
+    if (s->last_frame.data[0]) {
+        if (s->current_frame.data[0] == s->last_frame.data[0])
+            memset(&s->current_frame, 0, sizeof(AVFrame));
+        ff_thread_release_buffer(avctx, &s->last_frame);
+    }
+    if (s->current_frame.data[0])
+        ff_thread_release_buffer(avctx, &s->current_frame);
+}
+
 AVCodec ff_theora_decoder = {
     "theora",
     AVMEDIA_TYPE_VIDEO,
@@ -2332,6 +2352,7 @@ AVCodec ff_theora_decoder = {
     vp3_decode_frame,
     CODEC_CAP_DR1 | CODEC_CAP_DRAW_HORIZ_BAND | CODEC_CAP_FRAME_THREADS,
     NULL,
+    .flush = vp3_decode_flush,
     .long_name = NULL_IF_CONFIG_SMALL("Theora"),
     .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context)
 };
@@ -2348,6 +2369,7 @@ AVCodec ff_vp3_decoder = {
     vp3_decode_frame,
     CODEC_CAP_DR1 | CODEC_CAP_DRAW_HORIZ_BAND | CODEC_CAP_FRAME_THREADS,
     NULL,
+    .flush = vp3_decode_flush,
     .long_name = NULL_IF_CONFIG_SMALL("On2 VP3"),
     .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context)
 };

From c613a891433df18f5188efbab504942be8c809c0 Mon Sep 17 00:00:00 2001
From: Alex Converse <alex.converse@gmail.com>
Date: Fri, 29 Jul 2011 15:27:36 -0700
Subject: [PATCH 20/73] mxfdec: Include FF_INPUT_BUFFER_PADDING_SIZE when
 allocating extradata.

This prevents out of bounds reads when extradata is being decoded.
(cherry picked from commit 1f6f58d5855288492fc2640a9f1035c01c75d356)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavformat/mxfdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/mxfdec.c b/libavformat/mxfdec.c
index 82daa2a002..fcee7a7b83 100644
--- a/libavformat/mxfdec.c
+++ b/libavformat/mxfdec.c
@@ -599,7 +599,7 @@ static int mxf_read_generic_descriptor(void *arg, AVIOContext *pb, int tag, int
     default:
         /* Private uid used by SONY C0023S01.mxf */
         if (IS_KLV_KEY(uid, mxf_sony_mpeg4_extradata)) {
-            descriptor->extradata = av_malloc(size);
+            descriptor->extradata = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE);
             if (!descriptor->extradata)
                 return -1;
             descriptor->extradata_size = size;

From 96a453eb85a2d565681842a07ab759a52f1353fd Mon Sep 17 00:00:00 2001
From: Alex Converse <alex.converse@gmail.com>
Date: Fri, 29 Jul 2011 15:49:11 -0700
Subject: [PATCH 21/73] aac: Remove some suspicious illegal memcpy()s from LTP.

(cherry picked from commit a6c49f18abacb9bf52d4d808a2a56561a5b5445c)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/aacdec.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
index 69aacb86d6..f94b109de5 100644
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -1753,12 +1753,10 @@ static void windowing_and_mdct_ltp(AACContext *ac, float *out,
     } else {
         memset(in, 0, 448 * sizeof(float));
         ac->dsp.vector_fmul(in + 448, in + 448, swindow_prev, 128);
-        memcpy(in + 576, in + 576, 448 * sizeof(float));
     }
     if (ics->window_sequence[0] != LONG_START_SEQUENCE) {
         ac->dsp.vector_fmul_reverse(in + 1024, in + 1024, lwindow, 1024);
     } else {
-        memcpy(in + 1024, in + 1024, 448 * sizeof(float));
         ac->dsp.vector_fmul_reverse(in + 1024 + 448, in + 1024 + 448, swindow, 128);
         memset(in + 1024 + 576, 0, 448 * sizeof(float));
     }

From 67163d751ba1ffa89e61eff224158828d5f673a4 Mon Sep 17 00:00:00 2001
From: Baptiste Coudurier <baptiste.coudurier@gmail.com>
Date: Sat, 29 Jan 2011 17:05:42 -0800
Subject: [PATCH 22/73] libx264: do not set pic quality if no frame is output

Avoids uninitialized reads.

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 5caa2de19ece830e32c95731bc92a423d55cff0c)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/libx264.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c
index e5fac00469..74ee1d45e0 100644
--- a/libavcodec/libx264.c
+++ b/libavcodec/libx264.c
@@ -138,7 +138,8 @@ static int X264_frame(AVCodecContext *ctx, uint8_t *buf,
     }
 
     x4->out_pic.key_frame = pic_out.b_keyframe;
-    x4->out_pic.quality   = (pic_out.i_qpplus1 - 1) * FF_QP2LAMBDA;
+    if (bufsize)
+        x4->out_pic.quality = (pic_out.i_qpplus1 - 1) * FF_QP2LAMBDA;
 
     return bufsize;
 }

From 042934e78676a7854038be560e8f8a7d05552b84 Mon Sep 17 00:00:00 2001
From: Justin Ruggles <justin.ruggles@gmail.com>
Date: Wed, 10 Aug 2011 14:07:35 -0400
Subject: [PATCH 23/73] Remove incorrect info in documentation of
 AVCodecContext.bits_per_raw_sample.

bits_per_raw_sample is used in video as well, where sample_fmt is not used.
(cherry picked from commit d271d5b2152cafe540f3ab71d3be6ce8636d2fd6)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/avcodec.h | 1 -
 1 file changed, 1 deletion(-)

diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h
index 9a3076ae27..0269892028 100644
--- a/libavcodec/avcodec.h
+++ b/libavcodec/avcodec.h
@@ -2559,7 +2559,6 @@ typedef struct AVCodecContext {
 
     /**
      * Bits per sample/pixel of internal libavcodec pixel/sample format.
-     * This field is applicable only when sample_fmt is AV_SAMPLE_FMT_S32.
      * - encoding: set by user.
      * - decoding: set by libavcodec.
      */

From 59a22afa0b50b9037133a7bc26bdc5023e7e1df9 Mon Sep 17 00:00:00 2001
From: Dustin Brody <libav@parsoma.net>
Date: Thu, 11 Aug 2011 08:57:58 -0400
Subject: [PATCH 24/73] h264: notice memory allocation failure

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit bac3ab13ea6a9dd8853e79ef3eacf51d234c8774)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/h264.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 2c000a3420..99be210d13 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -1165,7 +1165,10 @@ static int decode_update_thread_context(AVCodecContext *dst, const AVCodecContex
         memcpy(&h->s + 1, &h1->s + 1, sizeof(H264Context) - sizeof(MpegEncContext)); //copy all fields after MpegEnc
         memset(h->sps_buffers, 0, sizeof(h->sps_buffers));
         memset(h->pps_buffers, 0, sizeof(h->pps_buffers));
-        ff_h264_alloc_tables(h);
+        if (ff_h264_alloc_tables(h) < 0) {
+            av_log(dst, AV_LOG_ERROR, "Could not allocate memory for h264\n");
+            return AVERROR(ENOMEM);
+        }
         context_init(h);
 
         for(i=0; i<2; i++){
@@ -2635,7 +2638,10 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
         h->prev_interlaced_frame = 1;
 
         init_scan_tables(h);
-        ff_h264_alloc_tables(h);
+        if (ff_h264_alloc_tables(h) < 0) {
+            av_log(h->s.avctx, AV_LOG_ERROR, "Could not allocate memory for h264\n");
+            return AVERROR(ENOMEM);
+        }
 
         if (!HAVE_THREADS || !(s->avctx->active_thread_type&FF_THREAD_SLICE)) {
             if (context_init(h) < 0) {

From 28321b777f76528b061646a3555d08b94ff667bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= <Reimar.Doeffinger@gmx.de>
Date: Sat, 13 Aug 2011 11:58:18 +0200
Subject: [PATCH 25/73] VC-1: fix reading of custom PAR.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Custom PAR num/denum are in 1-256 range.

Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
Signed-off-by: Diego Biurrun <diego@biurrun.de>
(cherry picked from commit 0e8696551414d4ea0aab2559f9475d1fe49d08f3)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/vc1.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c
index 32869b97d1..5e53680ec6 100644
--- a/libavcodec/vc1.c
+++ b/libavcodec/vc1.c
@@ -485,8 +485,8 @@ static int decode_sequence_header_adv(VC1Context *v, GetBitContext *gb)
         if(ar && ar < 14){
             v->s.avctx->sample_aspect_ratio = ff_vc1_pixel_aspect[ar];
         }else if(ar == 15){
-            w = get_bits(gb, 8);
-            h = get_bits(gb, 8);
+            w = get_bits(gb, 8) + 1;
+            h = get_bits(gb, 8) + 1;
             v->s.avctx->sample_aspect_ratio = (AVRational){w, h};
         }
         av_log(v->s.avctx, AV_LOG_DEBUG, "Aspect: %i:%i\n", v->s.avctx->sample_aspect_ratio.num, v->s.avctx->sample_aspect_ratio.den);

From fe3e7297fe56a383baca484dea2c0d603ae305f8 Mon Sep 17 00:00:00 2001
From: Luca Barbato <lu_zero@gentoo.org>
Date: Wed, 8 Jun 2011 14:32:07 +0000
Subject: [PATCH 26/73] flvenc: use int64_t to store offsets

Metadata currently is written only at the start of the file in normal
cases, when transcoding from a rtmp source metadata could be
written later and the offset recorded can exceed 32bit.

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 7f5bf4fbaf1f2142547321a16358f9871fabdcc6)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavformat/flvenc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/flvenc.c b/libavformat/flvenc.c
index 487993cd9a..bd1a1f49fe 100644
--- a/libavformat/flvenc.c
+++ b/libavformat/flvenc.c
@@ -177,7 +177,7 @@ static int flv_write_header(AVFormatContext *s)
     AVCodecContext *audio_enc = NULL, *video_enc = NULL;
     int i;
     double framerate = 0.0;
-    int metadata_size_pos, data_size;
+    int64_t metadata_size_pos, data_size;
     AVDictionaryEntry *tag = NULL;
 
     for(i=0; i<s->nb_streams; i++){

From dec458b900439316ebdefa0de2bd1249440859cf Mon Sep 17 00:00:00 2001
From: Kostya Shishkov <kostya.shishkov@gmail.com>
Date: Wed, 17 Aug 2011 10:36:33 +0200
Subject: [PATCH 27/73] rv10/20: tell decoder to use edge emulation

This removes out-of-edge motion compensation artifacts (easily spotted green
blocks in avplay, gray blocks in transcoding), for example here:
http://samples.libav.org/samples/real/tv_watching_t1.rm

Signed-off-by: Diego Biurrun <diego@biurrun.de>
(cherry picked from commit 331971116d7d36743601bd2dc5384c5211d3bb48)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/rv10.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c
index 6227dc6f6c..78f97b16b1 100644
--- a/libavcodec/rv10.c
+++ b/libavcodec/rv10.c
@@ -438,6 +438,7 @@ static av_cold int rv10_decode_init(AVCodecContext *avctx)
     s->avctx= avctx;
     s->out_format = FMT_H263;
     s->codec_id= avctx->codec_id;
+    avctx->flags |= CODEC_FLAG_EMU_EDGE;
 
     s->orig_width = s->width  = avctx->coded_width;
     s->orig_height= s->height = avctx->coded_height;

From b4099a6dc539c54156a788c7020356c54bc6485e Mon Sep 17 00:00:00 2001
From: Alex Converse <alex.converse@gmail.com>
Date: Tue, 16 Aug 2011 11:03:26 -0700
Subject: [PATCH 28/73] aac: Only output configure if audio was found.

Audio found is not triggered on a CCE because a CCE alone has no output.

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit d8425ed4af6d8fce62ff363cc590f85e57bac06b)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/aacdec.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
index f94b109de5..2958ddbe72 100644
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -2074,7 +2074,7 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data,
     ChannelElement *che = NULL, *che_prev = NULL;
     enum RawDataBlockType elem_type, elem_type_prev = TYPE_END;
     int err, elem_id, data_size_tmp;
-    int samples = 0, multiplier;
+    int samples = 0, multiplier, audio_found = 0;
 
     if (show_bits(gb, 12) == 0xfff) {
         if (parse_adts_frame_header(ac, gb) < 0) {
@@ -2105,10 +2105,12 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data,
 
         case TYPE_SCE:
             err = decode_ics(ac, &che->ch[0], gb, 0, 0);
+            audio_found = 1;
             break;
 
         case TYPE_CPE:
             err = decode_cpe(ac, gb, che);
+            audio_found = 1;
             break;
 
         case TYPE_CCE:
@@ -2117,6 +2119,7 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data,
 
         case TYPE_LFE:
             err = decode_ics(ac, &che->ch[0], gb, 0, 0);
+            audio_found = 1;
             break;
 
         case TYPE_DSE:
@@ -2193,7 +2196,7 @@ static int aac_decode_frame_int(AVCodecContext *avctx, void *data,
                                                    samples, avctx->channels);
     }
 
-    if (ac->output_configured)
+    if (ac->output_configured && audio_found)
         ac->output_configured = OC_LOCKED;
 
     return 0;

From 8ad6555f820cc8db5debd5f76d8779cd329def20 Mon Sep 17 00:00:00 2001
From: Jeff Downs <heydowns@somuchpressure.net>
Date: Tue, 5 Jul 2011 14:21:54 -0400
Subject: [PATCH 29/73] h264: correct the check for invalid long term frame
 index in MMCO decode

The current check on MMCO parameters prohibits a "max long term frame index
plus 1" of 16 (frame idx of 15) for the "set max long term frame index" MMCO.
Fix this off-by-one error to allow the full range of legal values.

Signed-off-by: Diego Biurrun <diego@biurrun.de>
(cherry picked from commit 29a09eae9a827f4dbc9c4517180d8fe2ecef321a)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/h264_refs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c
index a025f7d352..b1c27ec810 100644
--- a/libavcodec/h264_refs.c
+++ b/libavcodec/h264_refs.c
@@ -678,7 +678,7 @@ int ff_h264_decode_ref_pic_marking(H264Context *h, GetBitContext *gb){
                 }
                 if(opcode==MMCO_SHORT2LONG || opcode==MMCO_LONG2UNUSED || opcode==MMCO_LONG || opcode==MMCO_SET_MAX_LONG){
                     unsigned int long_arg= get_ue_golomb_31(gb);
-                    if(long_arg >= 32 || (long_arg >= 16 && !(opcode == MMCO_LONG2UNUSED && FIELD_PICTURE))){
+                    if(long_arg >= 32 || (long_arg >= 16 && !(opcode == MMCO_SET_MAX_LONG && long_arg == 16) && !(opcode == MMCO_LONG2UNUSED && FIELD_PICTURE))){
                         av_log(h->s.avctx, AV_LOG_ERROR, "illegal long ref in memory management control operation %d\n", opcode);
                         return -1;
                     }

From 45b3f7c71ec213a2f4177e866586660fcbc68ecd Mon Sep 17 00:00:00 2001
From: Jeff Downs <heydowns@somuchpressure.net>
Date: Wed, 6 Jul 2011 11:54:36 -0400
Subject: [PATCH 30/73] h264: correct implicit weight table computation for
 long ref pics

Correct computation of implicit weight tables when referencing pictures
that are marked for long reference.

Signed-off-by: Diego Biurrun <diego@biurrun.de>
(cherry picked from commit 87cf70eb237e7586cc7399627dafa1b980ec0b7d)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/h264.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 99be210d13..1c60de7023 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -2198,15 +2198,17 @@ static void implicit_weight_table(H264Context *h, int field){
     for(ref0=ref_start; ref0 < ref_count0; ref0++){
         int poc0 = h->ref_list[0][ref0].poc;
         for(ref1=ref_start; ref1 < ref_count1; ref1++){
-            int poc1 = h->ref_list[1][ref1].poc;
-            int td = av_clip(poc1 - poc0, -128, 127);
-            int w= 32;
-            if(td){
-                int tb = av_clip(cur_poc - poc0, -128, 127);
-                int tx = (16384 + (FFABS(td) >> 1)) / td;
-                int dist_scale_factor = (tb*tx + 32) >> 8;
-                if(dist_scale_factor >= -64 && dist_scale_factor <= 128)
-                    w = 64 - dist_scale_factor;
+            int w = 32;
+            if (!h->ref_list[0][ref0].long_ref && !h->ref_list[1][ref1].long_ref) {
+                int poc1 = h->ref_list[1][ref1].poc;
+                int td = av_clip(poc1 - poc0, -128, 127);
+                if(td){
+                    int tb = av_clip(cur_poc - poc0, -128, 127);
+                    int tx = (16384 + (FFABS(td) >> 1)) / td;
+                    int dist_scale_factor = (tb*tx + 32) >> 8;
+                    if(dist_scale_factor >= -64 && dist_scale_factor <= 128)
+                        w = 64 - dist_scale_factor;
+                }
             }
             if(field<0){
                 h->implicit_weight[ref0][ref1][0]=

From ce8f40a7b9e9fd8bc47181dc4a2b4de0042dac72 Mon Sep 17 00:00:00 2001
From: Jeff Downs <heydowns@somuchpressure.net>
Date: Tue, 5 Jul 2011 13:20:06 -0400
Subject: [PATCH 31/73] h264: fix PCM intra-coded blocks in monochrome case

Signed-off-by: Diego Biurrun <diego@biurrun.de>
(cherry picked from commit 6581e161c5f46733a5619208483de29416eb9a51)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/h264.c | 46 ++++++++++++++++++++++++++++++++++------------
 1 file changed, 34 insertions(+), 12 deletions(-)

diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 1c60de7023..75075f6b3c 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -1851,15 +1851,30 @@ static av_always_inline void hl_decode_mb_internal(H264Context *h, int simple, i
                     tmp_y[j] = get_bits(&gb, bit_depth);
             }
             if(simple || !CONFIG_GRAY || !(s->flags&CODEC_FLAG_GRAY)){
-                for (i = 0; i < 8; i++) {
-                    uint16_t *tmp_cb = (uint16_t*)(dest_cb + i*uvlinesize);
-                    for (j = 0; j < 8; j++)
-                        tmp_cb[j] = get_bits(&gb, bit_depth);
-                }
-                for (i = 0; i < 8; i++) {
-                    uint16_t *tmp_cr = (uint16_t*)(dest_cr + i*uvlinesize);
-                    for (j = 0; j < 8; j++)
-                        tmp_cr[j] = get_bits(&gb, bit_depth);
+                if (!h->sps.chroma_format_idc) {
+                    for (i = 0; i < 8; i++) {
+                        uint16_t *tmp_cb = (uint16_t*)(dest_cb + i*uvlinesize);
+                        for (j = 0; j < 8; j++) {
+                            tmp_cb[j] = 1 << (bit_depth - 1);
+                        }
+                    }
+                    for (i = 0; i < 8; i++) {
+                        uint16_t *tmp_cr = (uint16_t*)(dest_cr + i*uvlinesize);
+                        for (j = 0; j < 8; j++) {
+                            tmp_cr[j] = 1 << (bit_depth - 1);
+                        }
+                    }
+                } else {
+                    for (i = 0; i < 8; i++) {
+                        uint16_t *tmp_cb = (uint16_t*)(dest_cb + i*uvlinesize);
+                        for (j = 0; j < 8; j++)
+                            tmp_cb[j] = get_bits(&gb, bit_depth);
+                    }
+                    for (i = 0; i < 8; i++) {
+                        uint16_t *tmp_cr = (uint16_t*)(dest_cr + i*uvlinesize);
+                        for (j = 0; j < 8; j++)
+                            tmp_cr[j] = get_bits(&gb, bit_depth);
+                    }
                 }
             }
         } else {
@@ -1867,9 +1882,16 @@ static av_always_inline void hl_decode_mb_internal(H264Context *h, int simple, i
                 memcpy(dest_y + i*  linesize, h->mb       + i*8, 16);
             }
             if(simple || !CONFIG_GRAY || !(s->flags&CODEC_FLAG_GRAY)){
-                for (i=0; i<8; i++) {
-                    memcpy(dest_cb+ i*uvlinesize, h->mb + 128 + i*4,  8);
-                    memcpy(dest_cr+ i*uvlinesize, h->mb + 160 + i*4,  8);
+                if (!h->sps.chroma_format_idc) {
+                    for (i = 0; i < 8; i++) {
+                        memset(dest_cb + i*uvlinesize, 128, 8);
+                        memset(dest_cr + i*uvlinesize, 128, 8);
+                    }
+                } else {
+                    for (i = 0; i < 8; i++) {
+                        memcpy(dest_cb + i*uvlinesize, h->mb + 128 + i*4,  8);
+                        memcpy(dest_cr + i*uvlinesize, h->mb + 160 + i*4,  8);
+                    }
                 }
             }
         }

From 97ce2a29b623f785f6b542846746f51018230df4 Mon Sep 17 00:00:00 2001
From: "Ronald S. Bultje" <rsbultje@gmail.com>
Date: Wed, 24 Aug 2011 14:36:16 -0700
Subject: [PATCH 32/73] vc1: properly zero coded_block[] edges on new slice
 entry.

Previously, we would leave the left edge uninitialized, which led to
CBP prediction errors on slice edges, e.g. in SA10098.vc1.
(cherry picked from commit d4b9974465baf893e90527a366e7a7411ded1ef8)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/vc1dec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c
index 8fca2da738..b17ce30b5c 100644
--- a/libavcodec/vc1dec.c
+++ b/libavcodec/vc1dec.c
@@ -3020,7 +3020,7 @@ static void vc1_decode_i_blocks_adv(VC1Context *v)
         s->mb_x = 0;
         ff_init_block_index(s);
         memset(&s->coded_block[s->block_index[0]-s->b8_stride], 0,
-               s->b8_stride * sizeof(*s->coded_block));
+               (1 + s->b8_stride) * sizeof(*s->coded_block));
     }
     for(; s->mb_y < s->end_mb_y; s->mb_y++) {
         s->mb_x = 0;

From db5e27f94ed8e74c2cca45b61085ebad7180e22d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alberto=20Delm=C3=A1s?= <adelmas@gmail.com>
Date: Thu, 25 Aug 2011 11:00:37 +0200
Subject: [PATCH 33/73] VC1: Fix first/last row checks with slices

In some places 0/mb_height were used in place of start_mb_y/end_mb_y.

Fixes SA00049, SA00058, SA10091, SA10097, SA10131, SA20021, SA30030

Improves PSNR in SA00054, SA00059, SA00060, SA10096, SA10098, SA20022,
SA30031, SA30032, SA40012, SA40013

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 1cf82cab0840d669198ea76ab0363aa661950647)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/vc1dec.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c
index b17ce30b5c..c87558bc50 100644
--- a/libavcodec/vc1dec.c
+++ b/libavcodec/vc1dec.c
@@ -243,7 +243,7 @@ static void vc1_loop_filter_iblk(VC1Context *v, int pq)
     }
     v->vc1dsp.vc1_v_loop_filter16(s->dest[0] + 8*s->linesize, s->linesize, pq);
 
-    if (s->mb_y == s->mb_height-1) {
+    if (s->mb_y == s->end_mb_y-1) {
         if (s->mb_x) {
             v->vc1dsp.vc1_h_loop_filter16(s->dest[0], s->linesize, pq);
             v->vc1dsp.vc1_h_loop_filter8(s->dest[1], s->uvlinesize, pq);
@@ -295,7 +295,7 @@ static void vc1_loop_filter_iblk_delayed(VC1Context *v, int pq)
             v->vc1dsp.vc1_v_loop_filter16(s->dest[0] - 8 * s->linesize, s->linesize, pq);
         }
 
-        if (s->mb_y == s->mb_height) {
+        if (s->mb_y == s->end_mb_y) {
             if (s->mb_x) {
                 if (s->mb_x >= 2)
                     v->vc1dsp.vc1_h_loop_filter16(s->dest[0] - 16 * s->linesize - 16, s->linesize, pq);
@@ -2330,7 +2330,7 @@ static av_always_inline void vc1_apply_p_v_loop_filter(VC1Context *v, int block_
     } else {
         dst      = s->dest[0] + (block_num & 1) * 8 + ((block_num & 2) * 4 - 8) * linesize;
     }
-    if (s->mb_y != s->mb_height || block_num < 2) {
+    if (s->mb_y != s->end_mb_y || block_num < 2) {
         int16_t (*mv)[2];
         int mv_stride;
 
@@ -3096,7 +3096,7 @@ static void vc1_decode_i_blocks_adv(VC1Context *v)
         if(v->s.loop_filter) vc1_loop_filter_iblk_delayed(v, v->pq);
     }
     if (v->s.loop_filter)
-        ff_draw_horiz_band(s, (s->mb_height-1)*16, 16);
+        ff_draw_horiz_band(s, (s->end_mb_y-1)*16, 16);
     ff_er_add_slice(s, 0, s->start_mb_y, s->mb_width - 1, s->end_mb_y - 1, (AC_END|DC_END|MV_END));
 }
 
@@ -3219,7 +3219,7 @@ static void vc1_decode_b_blocks(VC1Context *v)
         s->first_slice_line = 0;
     }
     if (v->s.loop_filter)
-        ff_draw_horiz_band(s, (s->mb_height-1)*16, 16);
+        ff_draw_horiz_band(s, (s->end_mb_y-1)*16, 16);
     ff_er_add_slice(s, 0, s->start_mb_y, s->mb_width - 1, s->end_mb_y - 1, (AC_END|DC_END|MV_END));
 }
 
@@ -3227,9 +3227,9 @@ static void vc1_decode_skip_blocks(VC1Context *v)
 {
     MpegEncContext *s = &v->s;
 
-    ff_er_add_slice(s, 0, 0, s->mb_width - 1, s->mb_height - 1, (AC_END|DC_END|MV_END));
+    ff_er_add_slice(s, 0, s->start_mb_y, s->mb_width - 1, s->end_mb_y - 1, (AC_END|DC_END|MV_END));
     s->first_slice_line = 1;
-    for(s->mb_y = 0; s->mb_y < s->mb_height; s->mb_y++) {
+    for(s->mb_y = s->start_mb_y; s->mb_y < s->end_mb_y; s->mb_y++) {
         s->mb_x = 0;
         ff_init_block_index(s);
         ff_update_block_index(s);

From 2b74db8d2781202742535a466a371a10a108b141 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Wed, 9 Mar 2011 03:30:24 +0100
Subject: [PATCH 34/73] vf_scale: don't leak SWS context.

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 52982dbe474663709033e1ad259f8ff7a5a2eefa)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavfilter/vf_scale.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavfilter/vf_scale.c b/libavfilter/vf_scale.c
index 65fe01c9ae..5288d32116 100644
--- a/libavfilter/vf_scale.c
+++ b/libavfilter/vf_scale.c
@@ -205,6 +205,8 @@ static int config_props(AVFilterLink *outlink)
 
     scale->input_is_pal = av_pix_fmt_descriptors[inlink->format].flags & PIX_FMT_PAL;
 
+    if (scale->sws)
+        sws_freeContext(scale->sws);
     scale->sws = sws_getContext(inlink ->w, inlink ->h, inlink ->format,
                                 outlink->w, outlink->h, outlink->format,
                                 scale->flags, NULL, NULL, NULL);

From 1cf3ba89711748b340c31fe018a3a72e8e9b75f1 Mon Sep 17 00:00:00 2001
From: Sean McGovern <gseanmcg@gmail.com>
Date: Mon, 25 Jul 2011 18:51:02 -0400
Subject: [PATCH 35/73] cpu detection: avoid a signed overflow

1<<31 overflows because 1 is signed, so force it to unsigned.

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
(cherry picked from commit 5938e02185430ca711106aaec9b5622dbf588af3)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavutil/x86/cpu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavutil/x86/cpu.c b/libavutil/x86/cpu.c
index 78aeadf0a1..f747e4dba8 100644
--- a/libavutil/x86/cpu.c
+++ b/libavutil/x86/cpu.c
@@ -113,7 +113,7 @@ int ff_get_cpu_flags_x86(void)
 
     if(max_ext_level >= 0x80000001){
         cpuid(0x80000001, eax, ebx, ecx, ext_caps);
-        if (ext_caps & (1<<31))
+        if (ext_caps & (1U<<31))
             rval |= AV_CPU_FLAG_3DNOW;
         if (ext_caps & (1<<30))
             rval |= AV_CPU_FLAG_3DNOWEXT;

From 54f12d2889390293d59c2a9c36f1bf78fbca8dca Mon Sep 17 00:00:00 2001
From: Anton Khirnov <anton@khirnov.net>
Date: Tue, 23 Aug 2011 07:46:51 +0200
Subject: [PATCH 36/73] AVOptions: fix av_set_string3() doxy to match reality.

Fixes bug 28.
(cherry picked from commit e955a682e125d44143415ff2b96a99a4dac78da2)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavutil/opt.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavutil/opt.h b/libavutil/opt.h
index 30aa54f5b6..ce65865069 100644
--- a/libavutil/opt.h
+++ b/libavutil/opt.h
@@ -134,7 +134,7 @@ const AVOption *av_find_opt(void *obj, const char *name, const char *unit, int m
  *              when 0 then no av_free() nor av_strdup() will be used
  * @return 0 if the value has been set, or an AVERROR code in case of
  * error:
- * AVERROR(ENOENT) if no matching option exists
+ * AVERROR_OPTION_NOT_FOUND if no matching option exists
  * AVERROR(ERANGE) if the value is out of range
  * AVERROR(EINVAL) if the value is not valid
  */

From a4f2973b2dfb2efe41d4e387eb9be404511da5e0 Mon Sep 17 00:00:00 2001
From: Anton Khirnov <anton@khirnov.net>
Date: Sun, 4 Sep 2011 09:56:47 +0200
Subject: [PATCH 37/73] lavc: fix type for thread_type option

It should be flags, not int.
(cherry picked from commit fb47997edb9d8ff16fc380d005a08c0545624aa6)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/options.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/options.c b/libavcodec/options.c
index ae9e0c902d..6f25ebe6d4 100644
--- a/libavcodec/options.c
+++ b/libavcodec/options.c
@@ -446,7 +446,7 @@ static const AVOption options[]={
 {"lpc_passes", "deprecated, use flac-specific options", OFFSET(lpc_passes), FF_OPT_TYPE_INT, {.dbl = -1 }, INT_MIN, INT_MAX, A|E},
 #endif
 {"slices", "number of slices, used in parallelized decoding", OFFSET(slices), FF_OPT_TYPE_INT, {.dbl = 0 }, 0, INT_MAX, V|E},
-{"thread_type", "select multithreading type", OFFSET(thread_type), FF_OPT_TYPE_INT, {.dbl = FF_THREAD_SLICE|FF_THREAD_FRAME }, 0, INT_MAX, V|E|D, "thread_type"},
+{"thread_type", "select multithreading type", OFFSET(thread_type), FF_OPT_TYPE_FLAGS, {.dbl = FF_THREAD_SLICE|FF_THREAD_FRAME }, 0, INT_MAX, V|E|D, "thread_type"},
 {"slice", NULL, 0, FF_OPT_TYPE_CONST, {.dbl = FF_THREAD_SLICE }, INT_MIN, INT_MAX, V|E|D, "thread_type"},
 {"frame", NULL, 0, FF_OPT_TYPE_CONST, {.dbl = FF_THREAD_FRAME }, INT_MIN, INT_MAX, V|E|D, "thread_type"},
 {"vbv_delay", "initial buffer fill time in periods of 27Mhz clock", 0, FF_OPT_TYPE_INT64, {.dbl = 0 }, 0, INT64_MAX},

From aee461277a54736511fdcb6298f0e7f9d90e0672 Mon Sep 17 00:00:00 2001
From: Laurent Aimar <fenrir@videolan.org>
Date: Wed, 7 Sep 2011 23:12:32 +0200
Subject: [PATCH 38/73] Fixed invalid access in wavpack decoder on corrupted
 extra bits sub-blocks.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit beefafda639dd53fc59c21d8a7cf8334da9a1062)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/wavpack.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
index e4fe217f59..64725c72c0 100644
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
@@ -385,7 +385,7 @@ static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc, in
     if(s->extra_bits){
         S <<= s->extra_bits;
 
-        if(s->got_extra_bits){
+        if(s->got_extra_bits && get_bits_left(&s->gb_extra_bits) >= s->extra_bits){
             S |= get_bits(&s->gb_extra_bits, s->extra_bits);
             *crc = *crc * 9 + (S&0xffff) * 3 + ((unsigned)S>>16);
         }

From 685940da4c843beb9283a21718cbd2fa4fa5d796 Mon Sep 17 00:00:00 2001
From: Laurent Aimar <fenrir@videolan.org>
Date: Wed, 7 Sep 2011 22:17:39 +0200
Subject: [PATCH 39/73] Fixed invalid writes in wavpack decoder on corrupted
 bitstreams.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 0aedab03405849962b469277afe047aa2c61a87f)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/wavpack.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
index 64725c72c0..5bd677e45e 100644
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
@@ -1113,7 +1113,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
             int16_t *dst = (int16_t*)samples + 1;
             int16_t *src = (int16_t*)samples;
             int cnt = samplecount;
-            while(cnt--){
+            while(cnt-- > 0){
                 *dst = *src;
                 src += channel_stride;
                 dst += channel_stride;
@@ -1122,7 +1122,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
             int32_t *dst = (int32_t*)samples + 1;
             int32_t *src = (int32_t*)samples;
             int cnt = samplecount;
-            while(cnt--){
+            while(cnt-- > 0){
                 *dst = *src;
                 src += channel_stride;
                 dst += channel_stride;
@@ -1131,7 +1131,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
             float *dst = (float*)samples + 1;
             float *src = (float*)samples;
             int cnt = samplecount;
-            while(cnt--){
+            while(cnt-- > 0){
                 *dst = *src;
                 src += channel_stride;
                 dst += channel_stride;

From 4b84e995ad88f3bfa533c38218f2791c14fd72f0 Mon Sep 17 00:00:00 2001
From: Laurent Aimar <fenrir@videolan.org>
Date: Wed, 7 Sep 2011 22:02:55 +0200
Subject: [PATCH 40/73] Fixed invalid access in wavpack decoder on corrupted
 bitstream.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 55354b7de21e7bb4bbeb1c12ff55ea17f807c70c)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/wavpack.c | 49 +++++++++++++++++++++++++++++++-------------
 1 file changed, 35 insertions(+), 14 deletions(-)

diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
index 5bd677e45e..343120f494 100644
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
@@ -292,7 +292,14 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel
             }
         }else{
             t = get_unary_0_33(gb);
-            if(t >= 2) t = get_bits(gb, t - 1) | (1 << (t-1));
+            if(t >= 2){
+                if(get_bits_left(gb) < t-1)
+                    goto error;
+                t = get_bits(gb, t - 1) | (1 << (t-1));
+            }else{
+                if(get_bits_left(gb) < 0)
+                    goto error;
+            }
             ctx->zeroes = t;
             if(ctx->zeroes){
                 memset(ctx->ch[0].median, 0, sizeof(ctx->ch[0].median));
@@ -303,24 +310,24 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel
         }
     }
 
-    if(get_bits_count(gb) >= ctx->data_size){
-        *last = 1;
-        return 0;
-    }
-
     if(ctx->zero){
         t = 0;
         ctx->zero = 0;
     }else{
         t = get_unary_0_33(gb);
-        if(get_bits_count(gb) >= ctx->data_size){
-            *last = 1;
-            return 0;
-        }
+        if(get_bits_left(gb) < 0)
+            goto error;
         if(t == 16) {
             t2 = get_unary_0_33(gb);
-            if(t2 < 2) t += t2;
-            else t += get_bits(gb, t2 - 1) | (1 << (t2 - 1));
+            if(t2 < 2){
+                if(get_bits_left(gb) < 0)
+                    goto error;
+                t += t2;
+            }else{
+                if(get_bits_left(gb) < t2 - 1)
+                    goto error;
+                t += get_bits(gb, t2 - 1) | (1 << (t2 - 1));
+            }
         }
 
         if(ctx->one){
@@ -360,9 +367,13 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel
     }
     if(!c->error_limit){
         ret = base + get_tail(gb, add);
+        if (get_bits_left(gb) <= 0)
+            goto error;
     }else{
         int mid = (base*2 + add + 1) >> 1;
         while(add > c->error_limit){
+            if(get_bits_left(gb) <= 0)
+                goto error;
             if(get_bits1(gb)){
                 add -= (mid - base);
                 base = mid;
@@ -376,6 +387,10 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb, int channel
     if(ctx->hybrid_bitrate)
         c->slow_level += wp_log2(ret) - LEVEL_DECAY(c->slow_level);
     return sign ? ~ret : ret;
+
+error:
+    *last = 1;
+    return 0;
 }
 
 static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc, int S)
@@ -580,7 +595,10 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb, vo
         count++;
     }while(!last && count < s->max_samples);
 
-    s->samples_left -= count;
+    if (last)
+        s->samples_left = 0;
+    else
+        s->samples_left -= count;
     if(!s->samples_left){
         if(crc != s->CRC){
             av_log(s->avctx, AV_LOG_ERROR, "CRC error\n");
@@ -658,7 +676,10 @@ static inline int wv_unpack_mono(WavpackFrameContext *s, GetBitContext *gb, void
         count++;
     }while(!last && count < s->max_samples);
 
-    s->samples_left -= count;
+    if (last)
+        s->samples_left = 0;
+    else
+        s->samples_left -= count;
     if(!s->samples_left){
         if(crc != s->CRC){
             av_log(s->avctx, AV_LOG_ERROR, "CRC error\n");

From 5d4c065476da547fd1a8a604e3047e1b3a7a29d8 Mon Sep 17 00:00:00 2001
From: Alex Converse <alex.converse@gmail.com>
Date: Thu, 8 Sep 2011 11:02:43 -0700
Subject: [PATCH 41/73] wavpack: Check error codes rather than working around
 error conditions.

(cherry picked from commit dba2b63a98bdcac7bda1a8a2c48950518c075e17)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/wavpack.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
index 343120f494..f614c7afec 100644
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
@@ -1119,6 +1119,10 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
             samplecount = wv_unpack_stereo(s, &s->gb, samples, AV_SAMPLE_FMT_S32);
         else
             samplecount = wv_unpack_stereo(s, &s->gb, samples, AV_SAMPLE_FMT_FLT);
+
+        if (samplecount < 0)
+            return -1;
+
         samplecount >>= 1;
     }else{
         const int channel_stride = avctx->channels;
@@ -1130,11 +1134,14 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
         else
             samplecount = wv_unpack_mono(s, &s->gb, samples, AV_SAMPLE_FMT_FLT);
 
+        if (samplecount < 0)
+            return -1;
+
         if(s->stereo && avctx->sample_fmt == AV_SAMPLE_FMT_S16){
             int16_t *dst = (int16_t*)samples + 1;
             int16_t *src = (int16_t*)samples;
             int cnt = samplecount;
-            while(cnt-- > 0){
+            while(cnt--){
                 *dst = *src;
                 src += channel_stride;
                 dst += channel_stride;
@@ -1143,7 +1150,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
             int32_t *dst = (int32_t*)samples + 1;
             int32_t *src = (int32_t*)samples;
             int cnt = samplecount;
-            while(cnt-- > 0){
+            while(cnt--){
                 *dst = *src;
                 src += channel_stride;
                 dst += channel_stride;
@@ -1152,7 +1159,7 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
             float *dst = (float*)samples + 1;
             float *src = (float*)samples;
             int cnt = samplecount;
-            while(cnt-- > 0){
+            while(cnt--){
                 *dst = *src;
                 src += channel_stride;
                 dst += channel_stride;

From 07b3c4cde582a91377372d1dd2afe7c79230f56e Mon Sep 17 00:00:00 2001
From: Laurent Aimar <fenrir@videolan.org>
Date: Fri, 9 Sep 2011 22:04:09 +0200
Subject: [PATCH 42/73] ffv1: Fixed size given to init_get_bits() in decoder.

init_get_bits() takes a number of bits and not a number of bytes as
its size argument.

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit 46b004959bb7870a361a57272cd5fa7eea34250b)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/ffv1.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c
index 50f1062ad4..ab2cc6e7cd 100644
--- a/libavcodec/ffv1.c
+++ b/libavcodec/ffv1.c
@@ -1765,7 +1765,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
         bytes_read = c->bytestream - c->bytestream_start - 1;
         if(bytes_read ==0) av_log(avctx, AV_LOG_ERROR, "error at end of AC stream\n"); //FIXME
 //printf("pos=%d\n", bytes_read);
-        init_get_bits(&f->slice_context[0]->gb, buf + bytes_read, buf_size - bytes_read);
+        init_get_bits(&f->slice_context[0]->gb, buf + bytes_read, (buf_size - bytes_read) * 8);
     } else {
         bytes_read = 0; /* avoid warning */
     }
@@ -1782,7 +1782,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
         if(fs->ac){
             ff_init_range_decoder(&fs->c, buf_p, v);
         }else{
-            init_get_bits(&fs->gb, buf_p, v);
+            init_get_bits(&fs->gb, buf_p, v * 8);
         }
     }
 

From af32fa929a81188c4c451f8648f2f650dcf5228a Mon Sep 17 00:00:00 2001
From: Alex Converse <alex.converse@gmail.com>
Date: Fri, 9 Sep 2011 13:24:19 -0700
Subject: [PATCH 43/73] indeo2: init_get_bits size in bits instead of bytes

(cherry picked from commit 68ca330cbd479111db9cb7649d7530ad59f04cc8)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/indeo2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c
index 0e588c3966..6cf893b15e 100644
--- a/libavcodec/indeo2.c
+++ b/libavcodec/indeo2.c
@@ -165,7 +165,7 @@ static int ir2_decode_frame(AVCodecContext *avctx,
 #endif
     start = 48; /* hardcoded for now */
 
-    init_get_bits(&s->gb, buf + start, buf_size - start);
+    init_get_bits(&s->gb, buf + start, (buf_size - start) * 8);
 
     if (s->decode_delta) { /* intraframe */
         ir2_decode_plane(s, avctx->width, avctx->height,

From 6550e2b5c51cf7d3d40f666f6966b57f622ffffc Mon Sep 17 00:00:00 2001
From: Alex Converse <alex.converse@gmail.com>
Date: Fri, 9 Sep 2011 13:26:49 -0700
Subject: [PATCH 44/73] indeo2: fail if input buffer too small

(cherry picked from commit b7ce4f1d1c3add86ece7ca595ea6c4a10b471055)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/indeo2.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libavcodec/indeo2.c b/libavcodec/indeo2.c
index 6cf893b15e..544f476774 100644
--- a/libavcodec/indeo2.c
+++ b/libavcodec/indeo2.c
@@ -156,6 +156,13 @@ static int ir2_decode_frame(AVCodecContext *avctx,
         return -1;
     }
 
+    start = 48; /* hardcoded for now */
+
+    if (start >= buf_size) {
+        av_log(s->avctx, AV_LOG_ERROR, "input buffer size too small (%d)\n", buf_size);
+        return AVERROR_INVALIDDATA;
+    }
+
     s->decode_delta = buf[18];
 
     /* decide whether frame uses deltas or not */
@@ -163,7 +170,6 @@ static int ir2_decode_frame(AVCodecContext *avctx,
     for (i = 0; i < buf_size; i++)
         buf[i] = av_reverse[buf[i]];
 #endif
-    start = 48; /* hardcoded for now */
 
     init_get_bits(&s->gb, buf + start, (buf_size - start) * 8);
 

From 384ed15c2a81812757ecd182f01256f7426af290 Mon Sep 17 00:00:00 2001
From: Alex Converse <alex.converse@gmail.com>
Date: Fri, 9 Sep 2011 14:50:33 -0700
Subject: [PATCH 45/73] cljr: init_get_bits size in bits instead of bytes

(cherry picked from commit 0c1f5b93d9b97c4cc3684ba91a040e90bfc760d2)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/cljr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/cljr.c b/libavcodec/cljr.c
index e2b01e2a6a..b83919e71d 100644
--- a/libavcodec/cljr.c
+++ b/libavcodec/cljr.c
@@ -67,7 +67,7 @@ static int decode_frame(AVCodecContext *avctx,
     p->pict_type= AV_PICTURE_TYPE_I;
     p->key_frame= 1;
 
-    init_get_bits(&a->gb, buf, buf_size);
+    init_get_bits(&a->gb, buf, buf_size * 8);
 
     for(y=0; y<avctx->height; y++){
         uint8_t *luma= &a->picture.data[0][ y*a->picture.linesize[0] ];

From 9b30b7b9bfc83df9ba7c9a39fd0dcd74dfc063f3 Mon Sep 17 00:00:00 2001
From: Laurent Aimar <fenrir@videolan.org>
Date: Wed, 7 Sep 2011 21:43:03 +0200
Subject: [PATCH 46/73] Fixed segfault with wavpack decoder on corrupted
 decorrelation terms sub-blocks.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 8bfea4ab4e2cb32bc7bf6f697ee30a238c65d296)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/wavpack.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
index f614c7afec..155633f3ac 100644
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
@@ -862,12 +862,13 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
         }
         switch(id & WP_IDF_MASK){
         case WP_ID_DECTERMS:
-            s->terms = size;
-            if(s->terms > MAX_TERMS){
+            if(size > MAX_TERMS){
                 av_log(avctx, AV_LOG_ERROR, "Too many decorrelation terms\n");
+                s->terms = 0;
                 buf += ssize;
                 continue;
             }
+            s->terms = size;
             for(i = 0; i < s->terms; i++) {
                 s->decorr[s->terms - i - 1].value = (*buf & 0x1F) - 5;
                 s->decorr[s->terms - i - 1].delta = *buf >> 5;

From 0b9b3570a3e3f3eff088ee061dbab165ff3eff2f Mon Sep 17 00:00:00 2001
From: Kostya Shishkov <kostya.shishkov@gmail.com>
Date: Mon, 12 Sep 2011 09:40:42 +0200
Subject: [PATCH 47/73] smacker demuxer: handle possible av_realloc() failure.

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 47a8589f7bc69d1a29da1dfdfbd0dfa78a9e31fd)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavformat/smacker.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libavformat/smacker.c b/libavformat/smacker.c
index db9a02bb6c..135b4ae708 100644
--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -286,11 +286,16 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt)
         for(i = 0; i < 7; i++) {
             if(flags & 1) {
                 int size;
+                uint8_t *tmpbuf;
+
                 size = avio_rl32(s->pb) - 4;
                 frame_size -= size;
                 frame_size -= 4;
                 smk->curstream++;
-                smk->bufs[smk->curstream] = av_realloc(smk->bufs[smk->curstream], size);
+                tmpbuf = av_realloc(smk->bufs[smk->curstream], size);
+                if (!tmpbuf)
+                    return AVERROR(ENOMEM);
+                smk->bufs[smk->curstream] = tmpbuf;
                 smk->buf_sizes[smk->curstream] = size;
                 ret = avio_read(s->pb, smk->bufs[smk->curstream], size);
                 if(ret != size)

From e6694dce1cbaa1ecd2cbe547c9bf45745986e2c1 Mon Sep 17 00:00:00 2001
From: Laurent Aimar <fenrir@videolan.org>
Date: Sat, 10 Sep 2011 00:32:12 +0200
Subject: [PATCH 48/73] Fixed size given to init_get_bits() in xan decoder.

(cherry picked from commit 393d5031c6aaaf8c2dda4eb5d676974c349fae85)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/xan.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/libavcodec/xan.c b/libavcodec/xan.c
index 876a9a5558..521764fd1c 100644
--- a/libavcodec/xan.c
+++ b/libavcodec/xan.c
@@ -95,17 +95,18 @@ static av_cold int xan_decode_init(AVCodecContext *avctx)
     return 0;
 }
 
-static int xan_huffman_decode(unsigned char *dest, const unsigned char *src,
-    int dest_len)
+static int xan_huffman_decode(unsigned char *dest, int dest_len,
+                              const unsigned char *src, int src_len)
 {
     unsigned char byte = *src++;
     unsigned char ival = byte + 0x16;
     const unsigned char * ptr = src + byte*2;
+    int ptr_len = src_len - 1 - byte*2;
     unsigned char val = ival;
     unsigned char *dest_end = dest + dest_len;
     GetBitContext gb;
 
-    init_get_bits(&gb, ptr, 0); // FIXME: no src size available
+    init_get_bits(&gb, ptr, ptr_len * 8);
 
     while ( val != 0x16 ) {
         val = src[val - 0x17 + get_bits1(&gb) * byte];
@@ -270,7 +271,8 @@ static void xan_wc3_decode_frame(XanContext *s) {
     vector_segment =    s->buf + AV_RL16(&s->buf[4]);
     imagedata_segment = s->buf + AV_RL16(&s->buf[6]);
 
-    xan_huffman_decode(opcode_buffer, huffman_segment, opcode_buffer_size);
+    xan_huffman_decode(opcode_buffer, opcode_buffer_size,
+                       huffman_segment, s->size - (huffman_segment - s->buf) );
 
     if (imagedata_segment[0] == 2)
         xan_unpack(s->buffer2, &imagedata_segment[1], s->buffer2_size);

From 61ddc8271d61b0e4ebb3b6954fc32f10799da228 Mon Sep 17 00:00:00 2001
From: Alex Converse <alex.converse@gmail.com>
Date: Fri, 9 Sep 2011 16:10:03 -0700
Subject: [PATCH 49/73] xan: Add some buffer checks

(cherry picked from commit 0872bb23b4bd2d94a8ba91070f706d1bc1c3ced8)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/xan.c | 37 +++++++++++++++++++++++++++++--------
 1 file changed, 29 insertions(+), 8 deletions(-)

diff --git a/libavcodec/xan.c b/libavcodec/xan.c
index 521764fd1c..88a9adbc30 100644
--- a/libavcodec/xan.c
+++ b/libavcodec/xan.c
@@ -106,6 +106,9 @@ static int xan_huffman_decode(unsigned char *dest, int dest_len,
     unsigned char *dest_end = dest + dest_len;
     GetBitContext gb;
 
+    if (ptr_len < 0)
+        return AVERROR_INVALIDDATA;
+
     init_get_bits(&gb, ptr, ptr_len * 8);
 
     while ( val != 0x16 ) {
@@ -245,7 +248,7 @@ static inline void xan_wc3_copy_pixel_run(XanContext *s,
     }
 }
 
-static void xan_wc3_decode_frame(XanContext *s) {
+static int xan_wc3_decode_frame(XanContext *s) {
 
     int width = s->avctx->width;
     int height = s->avctx->height;
@@ -265,14 +268,30 @@ static void xan_wc3_decode_frame(XanContext *s) {
     const unsigned char *size_segment;
     const unsigned char *vector_segment;
     const unsigned char *imagedata_segment;
+    int huffman_offset, size_offset, vector_offset, imagedata_offset;
 
-    huffman_segment =   s->buf + AV_RL16(&s->buf[0]);
-    size_segment =      s->buf + AV_RL16(&s->buf[2]);
-    vector_segment =    s->buf + AV_RL16(&s->buf[4]);
-    imagedata_segment = s->buf + AV_RL16(&s->buf[6]);
+    if (s->size < 8)
+        return AVERROR_INVALIDDATA;
 
-    xan_huffman_decode(opcode_buffer, opcode_buffer_size,
-                       huffman_segment, s->size - (huffman_segment - s->buf) );
+    huffman_offset    = AV_RL16(&s->buf[0]);
+    size_offset       = AV_RL16(&s->buf[2]);
+    vector_offset     = AV_RL16(&s->buf[4]);
+    imagedata_offset  = AV_RL16(&s->buf[6]);
+
+    if (huffman_offset   >= s->size ||
+        size_offset      >= s->size ||
+        vector_offset    >= s->size ||
+        imagedata_offset >= s->size)
+        return AVERROR_INVALIDDATA;
+
+    huffman_segment   = s->buf + huffman_offset;
+    size_segment      = s->buf + size_offset;
+    vector_segment    = s->buf + vector_offset;
+    imagedata_segment = s->buf + imagedata_offset;
+
+    if (xan_huffman_decode(opcode_buffer, opcode_buffer_size,
+                           huffman_segment, s->size - huffman_offset) < 0)
+        return AVERROR_INVALIDDATA;
 
     if (imagedata_segment[0] == 2)
         xan_unpack(s->buffer2, &imagedata_segment[1], s->buffer2_size);
@@ -358,6 +377,7 @@ static void xan_wc3_decode_frame(XanContext *s) {
         y += (x + size) / width;
         x  = (x + size) % width;
     }
+    return 0;
 }
 
 #if RUNTIME_GAMMA
@@ -519,7 +539,8 @@ static int xan_decode_frame(AVCodecContext *avctx,
     s->buf = buf;
     s->size = buf_size;
 
-    xan_wc3_decode_frame(s);
+    if (xan_wc3_decode_frame(s) < 0)
+        return AVERROR_INVALIDDATA;
 
     /* release the last frame if it is allocated */
     if (s->last_frame.data[0])

From 4ee014309c377f7cfaa9578a393864ae500136f6 Mon Sep 17 00:00:00 2001
From: Laurent Aimar <fenrir@videolan.org>
Date: Sun, 11 Sep 2011 19:17:40 +0200
Subject: [PATCH 50/73] ape demuxer: fix segfault on memory allocation failure.

Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 273aab99bf7be2bcda95dd64101c2317ee0fcb99)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavformat/ape.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/ape.c b/libavformat/ape.c
index 90b02619e0..b0841002a2 100644
--- a/libavformat/ape.c
+++ b/libavformat/ape.c
@@ -270,6 +270,8 @@ static int ape_read_header(AVFormatContext * s, AVFormatParameters * ap)
 
     if (ape->seektablelength > 0) {
         ape->seektable = av_malloc(ape->seektablelength);
+        if (!ape->seektable)
+            return AVERROR(ENOMEM);
         for (i = 0; i < ape->seektablelength / sizeof(uint32_t); i++)
             ape->seektable[i] = avio_rl32(pb);
     }

From 4e7905fa9ee75eed404db4d2cca69f833452bf72 Mon Sep 17 00:00:00 2001
From: Laurent Aimar <fenrir@videolan.org>
Date: Mon, 12 Sep 2011 20:50:13 +0200
Subject: [PATCH 51/73] Check for invalid packet size in the smacker demuxer.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit e055932f5636a82275837968eea9c8fcb5bca474)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavformat/smacker.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavformat/smacker.c b/libavformat/smacker.c
index 135b4ae708..87c59a3049 100644
--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -304,6 +304,8 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt)
             }
             flags >>= 1;
         }
+        if (frame_size < 0)
+            return AVERROR_INVALIDDATA;
         if (av_new_packet(pkt, frame_size + 768))
             return AVERROR(ENOMEM);
         if(smk->frm_size[smk->cur_frame] & 1)

From 9f391c4971d4ce2e849a6465a19d1f9da1488194 Mon Sep 17 00:00:00 2001
From: Laurent Aimar <fenrir@videolan.org>
Date: Mon, 12 Sep 2011 20:50:34 +0200
Subject: [PATCH 52/73] Fixed off by one packet size allocation in the smacker
 demuxer.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit a92d0fa5d234582583d41b67dddecffc2c819573)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavformat/smacker.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/smacker.c b/libavformat/smacker.c
index 87c59a3049..a817c31355 100644
--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -306,7 +306,7 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt)
         }
         if (frame_size < 0)
             return AVERROR_INVALIDDATA;
-        if (av_new_packet(pkt, frame_size + 768))
+        if (av_new_packet(pkt, frame_size + 769))
             return AVERROR(ENOMEM);
         if(smk->frm_size[smk->cur_frame] & 1)
             palchange |= 2;

From 5b1f79b092a4684c1e700ea21d5da77c68ca7d44 Mon Sep 17 00:00:00 2001
From: Laurent Aimar <fenrir@videolan.org>
Date: Mon, 12 Sep 2011 23:46:49 +0200
Subject: [PATCH 53/73] Check and propagate errors when VLC trees cannot be
 built in smacker decoder.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 9676ffba8346791f494451e68d2a3b37a2918a9b)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/smacker.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index 8060e1cee7..e8de0d89c5 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -134,10 +134,10 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx
             return -1;
         }
         b1 = get_bits_count(gb);
-        i1 = get_vlc2(gb, ctx->v1->table, SMKTREE_BITS, 3);
+        i1 = ctx->v1->table ? get_vlc2(gb, ctx->v1->table, SMKTREE_BITS, 3) : 0;
         b1 = get_bits_count(gb) - b1;
         b2 = get_bits_count(gb);
-        i2 = get_vlc2(gb, ctx->v2->table, SMKTREE_BITS, 3);
+        i2 = ctx->v2->table ? get_vlc2(gb, ctx->v2->table, SMKTREE_BITS, 3) : 0;
         b2 = get_bits_count(gb) - b2;
         val = ctx->recode1[i1] | (ctx->recode2[i2] << 8);
         if(val == ctx->escapes[0]) {
@@ -290,7 +290,8 @@ static int decode_header_trees(SmackVContext *smk) {
         smk->mmap_tbl[0] = 0;
         smk->mmap_last[0] = smk->mmap_last[1] = smk->mmap_last[2] = 1;
     } else {
-        smacker_decode_header_tree(smk, &gb, &smk->mmap_tbl, smk->mmap_last, mmap_size);
+        if (smacker_decode_header_tree(smk, &gb, &smk->mmap_tbl, smk->mmap_last, mmap_size))
+            return -1;
     }
     if(!get_bits1(&gb)) {
         av_log(smk->avctx, AV_LOG_INFO, "Skipping MCLR tree\n");
@@ -298,7 +299,8 @@ static int decode_header_trees(SmackVContext *smk) {
         smk->mclr_tbl[0] = 0;
         smk->mclr_last[0] = smk->mclr_last[1] = smk->mclr_last[2] = 1;
     } else {
-        smacker_decode_header_tree(smk, &gb, &smk->mclr_tbl, smk->mclr_last, mclr_size);
+        if (smacker_decode_header_tree(smk, &gb, &smk->mclr_tbl, smk->mclr_last, mclr_size))
+            return -1;
     }
     if(!get_bits1(&gb)) {
         av_log(smk->avctx, AV_LOG_INFO, "Skipping FULL tree\n");
@@ -306,7 +308,8 @@ static int decode_header_trees(SmackVContext *smk) {
         smk->full_tbl[0] = 0;
         smk->full_last[0] = smk->full_last[1] = smk->full_last[2] = 1;
     } else {
-        smacker_decode_header_tree(smk, &gb, &smk->full_tbl, smk->full_last, full_size);
+        if (smacker_decode_header_tree(smk, &gb, &smk->full_tbl, smk->full_last, full_size))
+            return -1;
     }
     if(!get_bits1(&gb)) {
         av_log(smk->avctx, AV_LOG_INFO, "Skipping TYPE tree\n");
@@ -314,7 +317,8 @@ static int decode_header_trees(SmackVContext *smk) {
         smk->type_tbl[0] = 0;
         smk->type_last[0] = smk->type_last[1] = smk->type_last[2] = 1;
     } else {
-        smacker_decode_header_tree(smk, &gb, &smk->type_tbl, smk->type_last, type_size);
+        if (smacker_decode_header_tree(smk, &gb, &smk->type_tbl, smk->type_last, type_size))
+            return -1;
     }
 
     return 0;
@@ -522,8 +526,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
         return -1;
     }
 
-    decode_header_trees(c);
-
+    if (decode_header_trees(c))
+        return -1;
 
     return 0;
 }

From 0d93b03e6861fafd3eddd9ee164cf56630c9d899 Mon Sep 17 00:00:00 2001
From: Laurent Aimar <fenrir@videolan.org>
Date: Mon, 12 Sep 2011 23:49:36 +0200
Subject: [PATCH 54/73] Check for invalid VLC value in smacker decoder.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 6489455495fc5bfbebcfe3f57e5d4fdd6a781091)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/smacker.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index e8de0d89c5..9628b07492 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -139,6 +139,8 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx
         b2 = get_bits_count(gb);
         i2 = ctx->v2->table ? get_vlc2(gb, ctx->v2->table, SMKTREE_BITS, 3) : 0;
         b2 = get_bits_count(gb) - b2;
+        if (i1 < 0 || i2 < 0)
+            return -1;
         val = ctx->recode1[i1] | (ctx->recode2[i2] << 8);
         if(val == ctx->escapes[0]) {
             ctx->last[0] = hc->current;

From 78cd2e18a4aa2835f6d04cf145121fc82099c1a5 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Tue, 13 Sep 2011 23:24:56 +0200
Subject: [PATCH 55/73] smacker: fix a few off by 1 errors
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

stereo & 16bit is untested due to lack of samples

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 5166376f24545207607f61ed8ff4e1b0572ff320)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/smacker.c   |   8 +--
 tests/ref/fate/smacker | 160 ++++++++++++++++++++---------------------
 2 files changed, 84 insertions(+), 84 deletions(-)

diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index 9628b07492..1fa40def62 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -624,9 +624,9 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
     if(bits) { //decode 16-bit data
         for(i = stereo; i >= 0; i--)
             pred[i] = av_bswap16(get_bits(&gb, 16));
-        for(i = 0; i < stereo; i++)
+        for(i = 0; i <= stereo; i++)
             *samples++ = pred[i];
-        for(i = 0; i < unp_size / 2; i++) {
+        for(; i < unp_size / 2; i++) {
             if(i & stereo) {
                 if(vlc[2].table)
                     res = get_vlc2(&gb, vlc[2].table, SMKTREE_BITS, 3);
@@ -658,9 +658,9 @@ static int smka_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
     } else { //8-bit data
         for(i = stereo; i >= 0; i--)
             pred[i] = get_bits(&gb, 8);
-        for(i = 0; i < stereo; i++)
+        for(i = 0; i <= stereo; i++)
             *samples8++ = pred[i];
-        for(i = 0; i < unp_size; i++) {
+        for(; i < unp_size; i++) {
             if(i & stereo){
                 if(vlc[1].table)
                     res = get_vlc2(&gb, vlc[1].table, SMKTREE_BITS, 3);
diff --git a/tests/ref/fate/smacker b/tests/ref/fate/smacker
index 85c4a9817c..df88a4ae8a 100644
--- a/tests/ref/fate/smacker
+++ b/tests/ref/fate/smacker
@@ -1,5 +1,5 @@
 0, 0, 192000, 0x8926d7fc
-1, 0, 47240, 0xad778a78
+1, 0, 47240, 0x9974897c
 0, 6390, 192000, 0x2506d384
 0, 12780, 192000, 0x9a8dc93a
 0, 19170, 192000, 0x4badb7f2
@@ -15,163 +15,163 @@
 0, 83070, 192000, 0x1a3d7971
 0, 89460, 192000, 0xa1a65bd5
 0, 95850, 192000, 0x344957b9
-1, 96408, 3128, 0x4c1564ae
+1, 96408, 3128, 0x7e4064b4
 0, 102240, 192000, 0xe23b5f4e
-1, 102792, 3128, 0x34553309
+1, 102792, 3128, 0x80883301
 0, 108630, 192000, 0xb5c2710b
-1, 109176, 3136, 0xb474d246
+1, 109176, 3136, 0x2ad2d341
 0, 115020, 192000, 0x7a25938f
-1, 115576, 3128, 0x87b868ea
+1, 115576, 3128, 0xda8468e3
 0, 121410, 192000, 0x0a84e4c9
-1, 121959, 3136, 0xf1516dc3
+1, 121959, 3136, 0x9d6f6cdf
 0, 127800, 192000, 0x94209b0d
-1, 128359, 3128, 0x867563cb
+1, 128359, 3128, 0x1aaa64b5
 0, 134190, 192000, 0xf940e51f
-1, 134743, 3128, 0x5200728c
+1, 134743, 3128, 0x9182728b
 0, 140580, 192000, 0xb9fdec42
-1, 141127, 3136, 0xeda118a0
+1, 141127, 3136, 0xfa8e17b3
 0, 146970, 192000, 0x7b04a376
-1, 147527, 3128, 0x03e2c1d6
+1, 147527, 3128, 0x0dc3c1cf
 0, 153360, 192000, 0x5fe0026b
-1, 153910, 3136, 0xc3e862b6
+1, 153910, 3136, 0x0109639d
 0, 159750, 192000, 0x775aca39
-1, 160310, 3128, 0x937a13be
+1, 160310, 3128, 0x6d8a12d9
 0, 166140, 192000, 0xae14fb32
-1, 166694, 3128, 0x7b1b9577
+1, 166694, 3128, 0x4b9a9597
 0, 172530, 192000, 0x661106e5
-1, 173078, 3136, 0x042c7113
+1, 173078, 3136, 0x9112710e
 0, 178920, 192000, 0xe8658dbf
-1, 179478, 3128, 0xac48f451
+1, 179478, 3128, 0x8cccf522
 0, 185310, 192000, 0x5359f0f9
-1, 185861, 3128, 0x018fbbe9
+1, 185861, 3128, 0x6594bbf3
 0, 191700, 192000, 0xc1ec80f4
-1, 192245, 3136, 0xc62aa7ce
+1, 192245, 3136, 0xd878a7d5
 0, 198090, 192000, 0xca53806b
-1, 198645, 3128, 0x106e3924
+1, 198645, 3128, 0xaa6e3905
 0, 204480, 192000, 0xf0766b2e
-1, 205029, 3136, 0xfeb82ecc
+1, 205029, 3136, 0x2a062e04
 0, 210870, 192000, 0x39962da8
-1, 211429, 3128, 0x7e7c005b
+1, 211429, 3128, 0x84e4006a
 0, 217260, 192000, 0x4171c37f
-1, 217812, 3128, 0x949d3560
+1, 217812, 3128, 0x85183633
 0, 223650, 192000, 0x3abf3b46
-1, 224196, 3136, 0x02bd4aff
+1, 224196, 3136, 0xb62d4b02
 0, 230040, 192000, 0xecc68313
-1, 230596, 3128, 0x4aaf4715
+1, 230596, 3128, 0xe209462a
 0, 236430, 192000, 0xea339baf
-1, 236980, 3136, 0x2958825f
+1, 236980, 3136, 0x57c4824b
 0, 242820, 192000, 0x616b8f16
-1, 243380, 3128, 0x99a5914d
+1, 243380, 3128, 0x664a9163
 0, 249210, 192000, 0xf77a8581
-1, 249763, 3128, 0xe67277a4
+1, 249763, 3128, 0xb4287874
 0, 255600, 192000, 0xb315678b
-1, 256147, 3136, 0x11296973
+1, 256147, 3136, 0xde626885
 0, 261990, 192000, 0x0a4a5218
-1, 262547, 3128, 0x5cc362f7
+1, 262547, 3128, 0x919763c2
 0, 268380, 192000, 0x98802be4
-1, 268931, 3128, 0x0c5e6586
+1, 268931, 3128, 0xa4f664e1
 0, 274770, 192000, 0xa2f0fd94
-1, 275314, 3136, 0xe940b0f9
+1, 275314, 3136, 0xa0bab0d4
 0, 281160, 192000, 0x6671c84f
-1, 281714, 3128, 0x2c9292cc
+1, 281714, 3128, 0xe938939c
 0, 287550, 192000, 0x38327e31
-1, 288098, 3136, 0xa807c096
+1, 288098, 3136, 0x3679bfc7
 0, 293940, 192000, 0xb85d3e08
-1, 294498, 3128, 0x9d2254d8
+1, 294498, 3128, 0xc96c55c3
 0, 300330, 192000, 0xdc69eba9
-1, 300882, 3128, 0xe68015b0
+1, 300882, 3128, 0x119114d6
 0, 306720, 192000, 0x8955a0b3
-1, 307265, 3136, 0x65d58029
+1, 307265, 3136, 0x42f3800f
 0, 313110, 192000, 0x714a548b
-1, 313665, 3128, 0xcffcc48c
+1, 313665, 3128, 0x4250c4ad
 0, 319500, 192000, 0xc0471de9
-1, 320049, 3136, 0x8c704944
+1, 320049, 3136, 0x5cdd4925
 0, 325890, 192000, 0x2e16e039
-1, 326449, 3128, 0x1459231d
+1, 326449, 3128, 0xa4c12360
 0, 332280, 192000, 0x9fa4b033
-1, 332833, 3128, 0x7dde4839
+1, 332833, 3128, 0x849f48de
 0, 338670, 192000, 0x4a0f9402
-1, 339216, 3136, 0xbb6890e2
+1, 339216, 3136, 0x6acd8ff9
 0, 345060, 192000, 0x1f3e6843
-1, 345616, 3128, 0xcd9a8524
+1, 345616, 3128, 0xb2758556
 0, 351450, 192000, 0x31774850
-1, 352000, 3128, 0xa244fc31
+1, 352000, 3128, 0x10f2fcb1
 0, 357840, 192000, 0x9d5336a2
-1, 358384, 3136, 0x504e2bd9
+1, 358384, 3136, 0xf0f02b23
 0, 364230, 192000, 0xf7de27a2
-1, 364784, 3128, 0x655858d8
+1, 364784, 3128, 0x64f759c6
 0, 370620, 192000, 0x98c717ce
-1, 371167, 3136, 0x46027610
+1, 371167, 3136, 0x7ec075e3
 0, 377010, 192000, 0x615b10b8
-1, 377567, 3128, 0x4192d5e3
+1, 377567, 3128, 0xf981d51e
 0, 383400, 192000, 0xd5bc0e7e
-1, 383951, 3128, 0x21d2e7fe
+1, 383951, 3128, 0xc622e8b9
 0, 389790, 192000, 0xd5bc0e7e
-1, 390335, 3136, 0x7c93e329
+1, 390335, 3136, 0xf632e2f8
 0, 396180, 192000, 0xd5bc0e7e
-1, 396735, 3128, 0xa67718c0
+1, 396735, 3128, 0xda561864
 0, 402570, 192000, 0xd5bc0e7e
-1, 403118, 3136, 0x9bb6e8a3
+1, 403118, 3136, 0x14d2e888
 0, 408960, 192000, 0xd5bc0e7e
-1, 409518, 3128, 0x0933b7a6
+1, 409518, 3128, 0x015bb869
 0, 415350, 192000, 0xd5bc0e7e
-1, 415902, 3128, 0x07f1fb57
+1, 415902, 3128, 0xedb1fb62
 0, 421740, 192000, 0xd5bc0e7e
-1, 422286, 3136, 0x8a050cfd
+1, 422286, 3136, 0xe0560c41
 0, 428130, 192000, 0xd5bc0e7e
-1, 428686, 3128, 0xdb773c0b
+1, 428686, 3128, 0x14773c9a
 0, 434520, 192000, 0xd5bc0e7e
-1, 435069, 3136, 0xd1281c53
+1, 435069, 3136, 0x850f1c82
 0, 440910, 192000, 0xd5bc0e7e
-1, 441469, 3128, 0x9f395324
+1, 441469, 3128, 0xb0bd5347
 0, 447300, 192000, 0xd5bc0e7e
-1, 447853, 3128, 0x5f13edec
+1, 447853, 3128, 0x8f82edbf
 0, 453690, 192000, 0xd5bc0e7e
-1, 454237, 3136, 0x871cbecf
+1, 454237, 3136, 0x493abee2
 0, 460080, 192000, 0xd5bc0e7e
-1, 460637, 3128, 0x799eff3e
+1, 460637, 3128, 0xf5daff3f
 0, 466470, 192000, 0xd5bc0e7e
-1, 467020, 3128, 0x3f902762
+1, 467020, 3128, 0x78ad2690
 0, 472860, 192000, 0xd5bc0e7e
-1, 473404, 3136, 0x29f8bb04
+1, 473404, 3136, 0x490ebafc
 0, 479250, 192000, 0xd5bc0e7e
-1, 479804, 3128, 0xf3523ee9
+1, 479804, 3128, 0x70333fd2
 0, 485640, 192000, 0xd5bc0e7e
-1, 486188, 3136, 0x4405c435
+1, 486188, 3136, 0x8cb1c350
 0, 492030, 192000, 0xd5bc0e7e
-1, 492588, 3128, 0x892957cb
+1, 492588, 3128, 0x8bd057cb
 0, 498420, 192000, 0xd5bc0e7e
-1, 498971, 3128, 0xdf483dbd
+1, 498971, 3128, 0x161b3dbc
 0, 504810, 192000, 0xd5bc0e7e
-1, 505355, 3136, 0x5e8ab797
+1, 505355, 3136, 0xb47fb88a
 0, 511200, 192000, 0xd5bc0e7e
-1, 511755, 3128, 0x92e13820
+1, 511755, 3128, 0x474b381e
 0, 517590, 192000, 0xd5bc0e7e
-1, 518139, 3136, 0xfde719b6
+1, 518139, 3136, 0x07c519bb
 0, 523980, 192000, 0xd5bc0e7e
-1, 524539, 3128, 0x442f17ae
+1, 524539, 3128, 0x15b916c8
 0, 530370, 192000, 0xd5bc0e7e
-1, 530922, 3128, 0x011af61f
+1, 530922, 3128, 0x0ed7f6fb
 0, 536760, 192000, 0xd5bc0e7e
-1, 537306, 3136, 0x4e3e3a6d
+1, 537306, 3136, 0x54d6397b
 0, 543150, 192000, 0xd5bc0e7e
-1, 543706, 3128, 0xc11242b9
+1, 543706, 3128, 0x437242bb
 0, 549540, 192000, 0xd5bc0e7e
-1, 550090, 3128, 0x01415b59
+1, 550090, 3128, 0x38f05c4d
 0, 555930, 192000, 0xd5bc0e7e
-1, 556473, 3136, 0x302e0e55
+1, 556473, 3136, 0x5d000e59
 0, 562320, 192000, 0xd5bc0e7e
-1, 562873, 3128, 0x20522d04
+1, 562873, 3128, 0xdeab2d04
 0, 568710, 192000, 0xd5bc0e7e
-1, 569257, 3136, 0x316a697d
+1, 569257, 3136, 0x77de6880
 0, 575100, 192000, 0xd5bc0e7e
-1, 575657, 3128, 0x6d75ee27
+1, 575657, 3128, 0xbc87ef25
 0, 581490, 192000, 0xd5bc0e7e
-1, 582041, 3128, 0xcb008ae8
+1, 582041, 3128, 0xc1638ade
 0, 587880, 192000, 0xd5bc0e7e
-1, 588424, 3136, 0xd2664b51
+1, 588424, 3136, 0xcfb64a5f
 0, 594270, 192000, 0xd5bc0e7e
-1, 594824, 3128, 0xdfcab728
+1, 594824, 3128, 0x90b1b826
 0, 600660, 192000, 0xd5bc0e7e
 1, 601208, 3136, 0x00000000
 0, 607050, 192000, 0xd5bc0e7e

From 54a178f28ff5caf8cac5493cc3f1c22ac2323fcf Mon Sep 17 00:00:00 2001
From: Laurent Aimar <fenrir@videolan.org>
Date: Fri, 9 Sep 2011 23:46:00 +0200
Subject: [PATCH 56/73] Fixed size given to init_get_bits().

init_get_bits() takes a number of bits and not a number of bytes as
its size argument.

Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit b59efc94347ccf0cbc2ff14a5a9e99819c5bdc4d)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/aac_adtstoasc_bsf.c | 2 +-
 libavcodec/avs.c               | 2 +-
 libavcodec/jvdec.c             | 2 +-
 libavcodec/rv34.c              | 2 +-
 libavcodec/tta.c               | 2 +-
 libavformat/movenc.c           | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/libavcodec/aac_adtstoasc_bsf.c b/libavcodec/aac_adtstoasc_bsf.c
index fbb86f8af7..d1310c4149 100644
--- a/libavcodec/aac_adtstoasc_bsf.c
+++ b/libavcodec/aac_adtstoasc_bsf.c
@@ -72,7 +72,7 @@ static int aac_adtstoasc_filter(AVBitStreamFilterContext *bsfc,
         int            pce_size = 0;
         uint8_t        pce_data[MAX_PCE_SIZE];
         if (!hdr.chan_config) {
-            init_get_bits(&gb, buf, buf_size);
+            init_get_bits(&gb, buf, buf_size * 8);
             if (get_bits(&gb, 3) != 5) {
                 av_log_missing_feature(avctx, "PCE based channel configuration, where the PCE is not the first syntax element is", 0);
                 return -1;
diff --git a/libavcodec/avs.c b/libavcodec/avs.c
index 1c2682b338..1a5e44401c 100644
--- a/libavcodec/avs.c
+++ b/libavcodec/avs.c
@@ -117,7 +117,7 @@ avs_decode_frame(AVCodecContext * avctx,
     table = buf + (256 * vect_w * vect_h);
     if (sub_type != AVS_I_FRAME) {
         int map_size = ((318 / vect_w + 7) / 8) * (198 / vect_h);
-        init_get_bits(&change_map, table, map_size);
+        init_get_bits(&change_map, table, map_size * 8);
         table += map_size;
     }
 
diff --git a/libavcodec/jvdec.c b/libavcodec/jvdec.c
index 0c346486f5..5249764347 100644
--- a/libavcodec/jvdec.c
+++ b/libavcodec/jvdec.c
@@ -150,7 +150,7 @@ static int decode_frame(AVCodecContext *avctx,
 
         if (video_type == 0 || video_type == 1) {
             GetBitContext gb;
-            init_get_bits(&gb, buf, FFMIN(video_size, buf_end - buf));
+            init_get_bits(&gb, buf, FFMIN(video_size, (buf_end - buf) * 8));
 
             for (j = 0; j < avctx->height; j += 8)
                 for (i = 0; i < avctx->width; i += 8)
diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c
index c5dcfdcba4..910b933dd9 100644
--- a/libavcodec/rv34.c
+++ b/libavcodec/rv34.c
@@ -1444,7 +1444,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
         av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n");
         return -1;
     }
-    init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), buf_size-get_slice_offset(avctx, slices_hdr, 0));
+    init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), (buf_size-get_slice_offset(avctx, slices_hdr, 0))*8);
     if(r->parse_slice_header(r, &r->s.gb, &si) < 0 || si.start){
         av_log(avctx, AV_LOG_ERROR, "First slice header is incorrect\n");
         return -1;
diff --git a/libavcodec/tta.c b/libavcodec/tta.c
index 57f5818d7b..fd5aa46670 100644
--- a/libavcodec/tta.c
+++ b/libavcodec/tta.c
@@ -216,7 +216,7 @@ static av_cold int tta_decode_init(AVCodecContext * avctx)
     if (avctx->extradata_size < 30)
         return -1;
 
-    init_get_bits(&s->gb, avctx->extradata, avctx->extradata_size);
+    init_get_bits(&s->gb, avctx->extradata, avctx->extradata_size * 8);
     if (show_bits_long(&s->gb, 32) == AV_RL32("TTA1"))
     {
         /* signature */
diff --git a/libavformat/movenc.c b/libavformat/movenc.c
index dcc5581443..0cf837c9b1 100644
--- a/libavformat/movenc.c
+++ b/libavformat/movenc.c
@@ -206,7 +206,7 @@ static int mov_write_ac3_tag(AVIOContext *pb, MOVTrack *track)
     avio_wb32(pb, 11);
     ffio_wfourcc(pb, "dac3");
 
-    init_get_bits(&gbc, track->vosData+4, track->vosLen-4);
+    init_get_bits(&gbc, track->vosData+4, (track->vosLen-4) * 8);
     fscod      = get_bits(&gbc, 2);
     frmsizecod = get_bits(&gbc, 6);
     bsid       = get_bits(&gbc, 5);

From a3d471e500674c31fa4f52a62ef789d5e7fdbd3c Mon Sep 17 00:00:00 2001
From: Laurent Aimar <fenrir@videolan.org>
Date: Sun, 11 Sep 2011 23:26:12 +0200
Subject: [PATCH 57/73] oggdec: fix out of bound write in the ogg demuxer

Between ogg_save() and ogg_restore() calls, the number of streams
could have been reduced.

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit 0e7efb9d23c3641d50caa288818e8c27647ce74d)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavformat/oggdec.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/libavformat/oggdec.c b/libavformat/oggdec.c
index 25f5cd8b2d..18201677b8 100644
--- a/libavformat/oggdec.c
+++ b/libavformat/oggdec.c
@@ -92,14 +92,24 @@ static int ogg_restore(AVFormatContext *s, int discard)
     ogg->state = ost->next;
 
     if (!discard){
+        struct ogg_stream *old_streams = ogg->streams;
+
         for (i = 0; i < ogg->nstreams; i++)
             av_free (ogg->streams[i].buf);
 
         avio_seek (bc, ost->pos, SEEK_SET);
         ogg->curidx = ost->curidx;
         ogg->nstreams = ost->nstreams;
-        memcpy(ogg->streams, ost->streams,
-               ost->nstreams * sizeof(*ogg->streams));
+        ogg->streams = av_realloc (ogg->streams,
+                                   ogg->nstreams * sizeof (*ogg->streams));
+
+        if (ogg->streams) {
+            memcpy(ogg->streams, ost->streams,
+                   ost->nstreams * sizeof(*ogg->streams));
+        } else {
+            av_free(old_streams);
+            ogg->nstreams = 0;
+        }
     }
 
     av_free (ost);

From 9973ca992e8499848b8d5b0b536e709109dc65e2 Mon Sep 17 00:00:00 2001
From: David Goldwich <david.goldwich@gmail.com>
Date: Sat, 17 Sep 2011 13:50:35 +0200
Subject: [PATCH 58/73] lavf: Fix context pointer in av_open_input_stream when
 avformat_open_input fails

Signed-off-by: David Goldwich <david.goldwich@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 63d64228a7f31d534e3bcae87cbd37f4a0ae2dd6)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavformat/utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index 2cb096e373..d9d154e3ab 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -469,8 +469,8 @@ int av_open_input_stream(AVFormatContext **ic_ptr,
         goto fail;
     ic->pb = ic->pb ? ic->pb : pb; // don't leak custom pb if it wasn't set above
 
-    *ic_ptr = ic;
 fail:
+    *ic_ptr = ic;
     av_dict_free(&opts);
     return err;
 }

From 28d948ac44e38e8bec2f6268ccf4747ff4d992a9 Mon Sep 17 00:00:00 2001
From: Laurent Aimar <fenrir@videolan.org>
Date: Sun, 18 Sep 2011 00:03:08 +0200
Subject: [PATCH 59/73] rv10: Reject slices that does not have the same type as
 the first one
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This prevents crashes with some corrupted bitstreams.

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 4a29b471869353c3077fb4b25b6518eb1047afb7)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/rv10.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c
index 78f97b16b1..223500c356 100644
--- a/libavcodec/rv10.c
+++ b/libavcodec/rv10.c
@@ -543,6 +543,11 @@ static int rv10_decode_packet(AVCodecContext *avctx,
         if(MPV_frame_start(s, avctx) < 0)
             return -1;
         ff_er_frame_start(s);
+    } else {
+        if (s->current_picture_ptr->pict_type != s->pict_type) {
+            av_log(s->avctx, AV_LOG_ERROR, "Slice type mismatch\n");
+            return -1;
+        }
     }
 
     av_dlog(avctx, "qscale=%d\n", s->qscale);

From f0bcba238a540793adc514fb84e74282b04d2418 Mon Sep 17 00:00:00 2001
From: Laurent Aimar <fenrir@videolan.org>
Date: Sat, 17 Sep 2011 23:43:58 +0200
Subject: [PATCH 60/73] rv34: Avoid NULL dereference on corrupted bitstream
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

rv34_decode_slice() can return without allocating any pictures.

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d0f6ab0298f2309c6104626787ed73416298b019)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/rv34.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c
index 910b933dd9..2383903625 100644
--- a/libavcodec/rv34.c
+++ b/libavcodec/rv34.c
@@ -1486,7 +1486,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
             break;
     }
 
-    if(last){
+    if(last && s->current_picture_ptr){
         if(r->loop_filter)
             r->loop_filter(r, s->mb_height - 1);
         ff_er_frame_end(s);

From b4a1bf0bbf53cc6a736a608732b2ac1de5c2447b Mon Sep 17 00:00:00 2001
From: Laurent Aimar <fenrir@videolan.org>
Date: Sat, 17 Sep 2011 16:56:30 +0200
Subject: [PATCH 61/73] rv34: Fix potential overreads
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit b4ed3d78cb6c41c9d3ee5918c326ab925edd6a89)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/rv34.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c
index 2383903625..87fca5c23e 100644
--- a/libavcodec/rv34.c
+++ b/libavcodec/rv34.c
@@ -1436,6 +1436,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
         slice_count = (*buf++) + 1;
         slices_hdr = buf + 4;
         buf += 8 * slice_count;
+        buf_size -= 1 + 8 * slice_count;
     }else
         slice_count = avctx->slice_count;
 
@@ -1454,7 +1455,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
     if(   (avctx->skip_frame >= AVDISCARD_NONREF && si.type==AV_PICTURE_TYPE_B)
        || (avctx->skip_frame >= AVDISCARD_NONKEY && si.type!=AV_PICTURE_TYPE_I)
        ||  avctx->skip_frame >= AVDISCARD_ALL)
-        return buf_size;
+        return avpkt->size;
 
     for(i=0; i<slice_count; i++){
         int offset= get_slice_offset(avctx, slices_hdr, i);
@@ -1503,7 +1504,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
         }
         s->current_picture_ptr= NULL; //so we can detect if frame_end wasnt called (find some nicer solution...)
     }
-    return buf_size;
+    return avpkt->size;
 }
 
 av_cold int ff_rv34_decode_end(AVCodecContext *avctx)

From 2bbb142a140173e1870017b66c439f4d430a6f67 Mon Sep 17 00:00:00 2001
From: Laurent Aimar <fenrir@videolan.org>
Date: Mon, 19 Sep 2011 22:48:53 +0200
Subject: [PATCH 62/73] rv34: Check for invalid slice offsets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 4cc7732386eb36661ed22d1200339b38a5fa60bc)

Signed-off-by: Anton Khirnov <anton@khirnov.net>
---
 libavcodec/rv34.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c
index 87fca5c23e..70c35ef4ff 100644
--- a/libavcodec/rv34.c
+++ b/libavcodec/rv34.c
@@ -1441,8 +1441,9 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
         slice_count = avctx->slice_count;
 
     //parse first slice header to check whether this frame can be decoded
-    if(get_slice_offset(avctx, slices_hdr, 0) > buf_size){
-        av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n");
+    if(get_slice_offset(avctx, slices_hdr, 0) < 0 ||
+       get_slice_offset(avctx, slices_hdr, 0) > buf_size){
+        av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n");
         return -1;
     }
     init_get_bits(&s->gb, buf+get_slice_offset(avctx, slices_hdr, 0), (buf_size-get_slice_offset(avctx, slices_hdr, 0))*8);
@@ -1465,8 +1466,8 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
         else
             size= get_slice_offset(avctx, slices_hdr, i+1) - offset;
 
-        if(offset > buf_size){
-            av_log(avctx, AV_LOG_ERROR, "Slice offset is greater than frame size\n");
+        if(offset < 0 || offset > buf_size || size < 0){
+            av_log(avctx, AV_LOG_ERROR, "Slice offset is invalid\n");
             break;
         }
 

From ecda54a640a7de55274ad2a86d58d0b483097aac Mon Sep 17 00:00:00 2001
From: Mans Rullgard <mans@mansr.com>
Date: Sun, 25 Sep 2011 12:53:44 +0100
Subject: [PATCH 63/73] ppc: fix 32-bit PIC build

On 32-bit ppc, the GOT pointer must be loaded manually.
This adds a "get_got" assembler macro to compute the
GOT address.  The "movrel" macro is updated to take an
additional parameter containing the GOT address since
no register is reserved for this purpose on ppc32.
These changes have no effect on ppc64 builds.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 6e4a35ced96cdf31a9d3bd82fd147554750af839)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
---
 libavcodec/ppc/asm.S           | 19 ++++++++++++++++---
 libavcodec/ppc/fft_altivec_s.S |  7 ++++---
 2 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/libavcodec/ppc/asm.S b/libavcodec/ppc/asm.S
index 5cbbf97b64..4d4285b6d3 100644
--- a/libavcodec/ppc/asm.S
+++ b/libavcodec/ppc/asm.S
@@ -44,10 +44,13 @@ X(\name):
 L(\name):
 .endm
 
-.macro movrel rd, sym
+.macro movrel rd, sym, gp
     ld      \rd, \sym@got(r2)
 .endm
 
+.macro get_got rd
+.endm
+
 #else /* ARCH_PPC64 */
 
 #define PTR  .int
@@ -65,15 +68,25 @@ X(\name):
 \name:
 .endm
 
-.macro movrel rd, sym
+.macro movrel rd, sym, gp
 #if CONFIG_PIC
-    lwz     \rd, \sym@got(r2)
+    lwz     \rd, \sym@got(\gp)
 #else
     lis     \rd, \sym@ha
     la      \rd, \sym@l(\rd)
 #endif
 .endm
 
+.macro get_got rd
+#if CONFIG_PIC
+    bcl     20, 31, .Lgot\@
+.Lgot\@:
+    mflr    \rd
+    addis   \rd, \rd, _GLOBAL_OFFSET_TABLE_ - .Lgot\@@ha
+    addi    \rd, \rd, _GLOBAL_OFFSET_TABLE_ - .Lgot\@@l
+#endif
+.endm
+
 #endif /* ARCH_PPC64 */
 
 #if HAVE_IBM_ASM
diff --git a/libavcodec/ppc/fft_altivec_s.S b/libavcodec/ppc/fft_altivec_s.S
index ab33900582..958d7df0ee 100644
--- a/libavcodec/ppc/fft_altivec_s.S
+++ b/libavcodec/ppc/fft_altivec_s.S
@@ -353,6 +353,7 @@ extfunc ff_fft_calc\interleave\()_altivec
     mflr    r0
     stp     r0, 2*PS(r1)
     stpu    r1, -(160+16*PS)(r1)
+    get_got r11
     addi    r6, r1, 16*PS
     stvm    r6, v20, v21, v22, v23, v24, v25, v26, v27, v28, v29
     mfvrsave r0
@@ -360,14 +361,14 @@ extfunc ff_fft_calc\interleave\()_altivec
     li      r6, 0xfffffffc
     mtvrsave r6
 
-    movrel  r6, fft_data
+    movrel  r6, fft_data, r11
     lvm     r6, v14, v15, v16, v17, v18, v19, v20, v21
     lvm     r6, v22, v23, v24, v25, v26, v27, v28, v29
 
     li      r9, 16
-    movrel  r12, X(ff_cos_tabs)
+    movrel  r12, X(ff_cos_tabs), r11
 
-    movrel  r6, fft_dispatch_tab\interleave\()_altivec
+    movrel  r6, fft_dispatch_tab\interleave\()_altivec, r11
     lwz     r3, 0(r3)
     subi    r3, r3, 2
     slwi    r3, r3, 2+ARCH_PPC64

From dde0fb4aeaf855fc38fb002c23dbbeba06407a09 Mon Sep 17 00:00:00 2001
From: Mans Rullgard <mans@mansr.com>
Date: Sun, 25 Sep 2011 18:27:47 +0100
Subject: [PATCH 64/73] ppc: fix some pointer to integer casts

Use uintptr_t instead of plain int.  Without this change, the
comparisons will come out wrong for pointers in certain ranges.
Fixes random failures on ppc64.  Also fixes some compiler warnings.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit d853e571ad5e7e12c6a68cfde390daced7d85fbb)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
---
 libswscale/ppc/swscale_altivec.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/libswscale/ppc/swscale_altivec.c b/libswscale/ppc/swscale_altivec.c
index 42e965de95..4476e1cf67 100644
--- a/libswscale/ppc/swscale_altivec.c
+++ b/libswscale/ppc/swscale_altivec.c
@@ -36,13 +36,13 @@ altivec_packIntArrayToCharArray(int *val, uint8_t* dest, int dstW)
     register int i;
     vector unsigned int altivec_vectorShiftInt19 =
         vec_add(vec_splat_u32(10), vec_splat_u32(9));
-    if ((unsigned int)dest % 16) {
+    if ((uintptr_t)dest % 16) {
         /* badly aligned store, we force store alignment */
         /* and will handle load misalignment on val w/ vec_perm */
         vector unsigned char perm1;
         vector signed int v1;
         for (i = 0 ; (i < dstW) &&
-            (((unsigned int)dest + i) % 16) ; i++) {
+            (((uintptr_t)dest + i) % 16) ; i++) {
                 int t = val[i] >> 19;
                 dest[i] = (t < 0) ? 0 : ((t > 255) ? 255 : t);
         }
@@ -251,7 +251,7 @@ static void hScale_altivec_real(int16_t *dst, int dstW,
         vector unsigned char src_v1, src_vF;
         vector signed short src_v, filter_v;
         vector signed int val_vEven, val_s;
-        if ((((int)src + srcPos)% 16) > 12) {
+        if ((((uintptr_t)src + srcPos) % 16) > 12) {
             src_v1 = vec_ld(srcPos + 16, src);
         }
         src_vF = vec_perm(src_v0, src_v1, vec_lvsl(srcPos, src));
@@ -290,7 +290,7 @@ static void hScale_altivec_real(int16_t *dst, int dstW,
         vector unsigned char src_v1, src_vF;
         vector signed short src_v, filter_v;
         vector signed int val_v, val_s;
-        if ((((int)src + srcPos)% 16) > 8) {
+        if ((((uintptr_t)src + srcPos) % 16) > 8) {
             src_v1 = vec_ld(srcPos + 16, src);
         }
         src_vF = vec_perm(src_v0, src_v1, vec_lvsl(srcPos, src));
@@ -376,7 +376,7 @@ static void hScale_altivec_real(int16_t *dst, int dstW,
             //vector unsigned char src_v0 = vec_ld(srcPos + j, src);
             vector unsigned char src_v1, src_vF;
             vector signed short src_v, filter_v1R, filter_v;
-            if ((((int)src + srcPos)% 16) > 8) {
+            if ((((uintptr_t)src + srcPos) % 16) > 8) {
                 src_v1 = vec_ld(srcPos + j + 16, src);
             }
             src_vF = vec_perm(src_v0, src_v1, permS);

From fed7f5b04f0ddde81fe1de1af725a63461a31f6f Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Sat, 24 Sep 2011 18:57:31 +0300
Subject: [PATCH 65/73] flvdec: Check for overflow before allocating arrays
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

On allocation, the array length is multiplied by sizeof(int64_t),
this prevents the multiplication from overflowing.

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit a246cefa75aed2ade315d6d09068aacb6b0fe76b)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
---
 libavformat/flvdec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/flvdec.c b/libavformat/flvdec.c
index c6b386e28f..5f442f7265 100644
--- a/libavformat/flvdec.c
+++ b/libavformat/flvdec.c
@@ -147,6 +147,9 @@ static int parse_keyframes_index(AVFormatContext *s, AVIOContext *ioc, AVStream
             break;
 
         arraylen = avio_rb32(ioc);
+        if (arraylen >> 28)
+            break;
+
         /*
          * Expect only 'times' or 'filepositions' sub-arrays in other case refuse to use such metadata
          * for indexing

From ad47a5ec854d2ec6e451690622a3484010094aa2 Mon Sep 17 00:00:00 2001
From: Anton Khirnov <anton@khirnov.net>
Date: Fri, 16 Sep 2011 16:06:45 +0200
Subject: [PATCH 66/73] movenc: create an alternate group for each media type

Partially fixes bug 44.

(cherry picked from commit 7574cacbd5343bc303ee8333956274716e2444d5)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
---
 libavformat/movenc.c  | 3 ++-
 tests/ref/acodec/alac | 2 +-
 tests/ref/acodec/pcm  | 8 ++++----
 tests/ref/lavf/mov    | 2 +-
 4 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/libavformat/movenc.c b/libavformat/movenc.c
index 0cf837c9b1..5d9d3d1bfe 100644
--- a/libavformat/movenc.c
+++ b/libavformat/movenc.c
@@ -1214,7 +1214,8 @@ static int mov_write_tkhd_tag(AVIOContext *pb, MOVTrack *track, AVStream *st)
 
     avio_wb32(pb, 0); /* reserved */
     avio_wb32(pb, 0); /* reserved */
-    avio_wb32(pb, 0x0); /* reserved (Layer & Alternate group) */
+    avio_wb16(pb, 0); /* layer */
+    avio_wb16(pb, st->codec->codec_type); /* alternate group) */
     /* Volume, only for audio */
     if(track->enc->codec_type == AVMEDIA_TYPE_AUDIO)
         avio_wb16(pb, 0x0100);
diff --git a/tests/ref/acodec/alac b/tests/ref/acodec/alac
index 1f4b264b87..35a1d8e1bf 100644
--- a/tests/ref/acodec/alac
+++ b/tests/ref/acodec/alac
@@ -1,4 +1,4 @@
-c68f649777ab8e7c9a0f1f221451d3ad *./tests/data/acodec/alac.m4a
+b25bcc7ec3f5c19cdfc01a6bbd32edb8 *./tests/data/acodec/alac.m4a
 389386 ./tests/data/acodec/alac.m4a
 95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/alac.acodec.out.wav
 stddev:    0.00 PSNR:999.99 MAXDIFF:    0 bytes:  1058400/  1058400
diff --git a/tests/ref/acodec/pcm b/tests/ref/acodec/pcm
index 033f8bc8c6..fc9dd8f29d 100644
--- a/tests/ref/acodec/pcm
+++ b/tests/ref/acodec/pcm
@@ -6,7 +6,7 @@ f443a8eeb1647ec1eeb8370c939e52d4 *./tests/data/acodec/pcm_mulaw.wav
 529256 ./tests/data/acodec/pcm_mulaw.wav
 1c3eeaa8814ebd4916780dff80ed6dc5 *./tests/data/pcm.acodec.out.wav
 stddev:  103.38 PSNR: 56.04 MAXDIFF:  644 bytes:  1058400/  1058400
-b7936d7170e0efefb379349d81aed360 *./tests/data/acodec/pcm_s8.mov
+760f85fb9f4e8aba326fb44ae84c9507 *./tests/data/acodec/pcm_s8.mov
 530837 ./tests/data/acodec/pcm_s8.mov
 652edf30f35ad89bf27bcc9d2f9c7b53 *./tests/data/pcm.acodec.out.wav
 stddev:  147.89 PSNR: 52.93 MAXDIFF:  255 bytes:  1058400/  1058400
@@ -14,7 +14,7 @@ stddev:  147.89 PSNR: 52.93 MAXDIFF:  255 bytes:  1058400/  1058400
 529244 ./tests/data/acodec/pcm_u8.wav
 652edf30f35ad89bf27bcc9d2f9c7b53 *./tests/data/pcm.acodec.out.wav
 stddev:  147.89 PSNR: 52.93 MAXDIFF:  255 bytes:  1058400/  1058400
-c42b9c04305455250366c84e17c1023f *./tests/data/acodec/pcm_s16be.mov
+a4e18d1ca9ef5b8132a84d43625ddc47 *./tests/data/acodec/pcm_s16be.mov
 1060037 ./tests/data/acodec/pcm_s16be.mov
 95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/pcm.acodec.out.wav
 stddev:    0.00 PSNR:999.99 MAXDIFF:    0 bytes:  1058400/  1058400
@@ -30,7 +30,7 @@ c4f51bf32fad2f7af8ea5beedb56168b *./tests/data/acodec/pcm_s16le.mkv
 1060638 ./tests/data/acodec/pcm_s16le.mkv
 95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/pcm.acodec.out.wav
 stddev:    0.00 PSNR:999.99 MAXDIFF:    0 bytes:  1058400/  1058400
-07ffe7ffb78f3648b6524debdde5aec1 *./tests/data/acodec/pcm_s24be.mov
+971d2d2633e41a0326fe2d04a2d0350f *./tests/data/acodec/pcm_s24be.mov
 1589237 ./tests/data/acodec/pcm_s24be.mov
 95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/pcm.acodec.out.wav
 stddev:    0.00 PSNR:999.99 MAXDIFF:    0 bytes:  1058400/  1058400
@@ -38,7 +38,7 @@ a85380fb79b0d4fff38e24ac1e34bb94 *./tests/data/acodec/pcm_s24le.wav
 1587668 ./tests/data/acodec/pcm_s24le.wav
 95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/pcm.acodec.out.wav
 stddev:    0.00 PSNR:999.99 MAXDIFF:    0 bytes:  1058400/  1058400
-d7792f0343cd66fda8b50b569e2bcc48 *./tests/data/acodec/pcm_s32be.mov
+fc4f4e3e195bbde037ed31021d229f12 *./tests/data/acodec/pcm_s32be.mov
 2118437 ./tests/data/acodec/pcm_s32be.mov
 95e54b261530a1bcf6de6fe3b21dc5f6 *./tests/data/pcm.acodec.out.wav
 stddev:    0.00 PSNR:999.99 MAXDIFF:    0 bytes:  1058400/  1058400
diff --git a/tests/ref/lavf/mov b/tests/ref/lavf/mov
index 22aac3600e..07404aa862 100644
--- a/tests/ref/lavf/mov
+++ b/tests/ref/lavf/mov
@@ -1,3 +1,3 @@
-439684b82ccc1fdd24a23392c238ae53 *./tests/data/lavf/lavf.mov
+4a3ad13f0355cb5d119109778d555207 *./tests/data/lavf/lavf.mov
 357681 ./tests/data/lavf/lavf.mov
 ./tests/data/lavf/lavf.mov CRC=0x2f6a9b26

From 9f9b731a3a2f873b3fb1e4f52e181a43fab6b89b Mon Sep 17 00:00:00 2001
From: Anton Khirnov <anton@khirnov.net>
Date: Mon, 19 Sep 2011 15:15:56 +0200
Subject: [PATCH 67/73] movenc: fix NULL reference in mov_write_tkhd_tag

st may be NULL when there are more mov streams than AVStreams, e.g. when
chapters are present.

(cherry picked from commit c92a2a4eb8b883e82871c2415f757153d263b6b3)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
---
 libavformat/movenc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/movenc.c b/libavformat/movenc.c
index 5d9d3d1bfe..b171c2dc14 100644
--- a/libavformat/movenc.c
+++ b/libavformat/movenc.c
@@ -1215,7 +1215,7 @@ static int mov_write_tkhd_tag(AVIOContext *pb, MOVTrack *track, AVStream *st)
     avio_wb32(pb, 0); /* reserved */
     avio_wb32(pb, 0); /* reserved */
     avio_wb16(pb, 0); /* layer */
-    avio_wb16(pb, st->codec->codec_type); /* alternate group) */
+    avio_wb16(pb, st ? st->codec->codec_type : 0); /* alternate group) */
     /* Volume, only for audio */
     if(track->enc->codec_type == AVMEDIA_TYPE_AUDIO)
         avio_wb16(pb, 0x0100);

From a2443e89d740204c960da0d29c979a9283071a65 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Thu, 28 Jul 2011 14:59:54 +0200
Subject: [PATCH 68/73] Fix memory (re)allocation in matroskadec.c, related to
 MSVR-11-0080.

Whitespace of the patch cleaned up by Aurel
Some of the issues have been reported by Steve Manzuik / Microsoft Vulnerability Research (MSVR)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

(cherry picked from commit 956c901c68eff78288f40e3c8f41ee2fa081d4a8)

Further suggestions from Kostya <kostya.shishkov@gmail.com> have been
implemented by Reinhard Tartler <siretart@tauware.de>

(cherry picked from commit 77d2ef13a8fa630e5081f14bde3fd20f84c90aec)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
---
 libavformat/matroskadec.c | 37 +++++++++++++++++++++++++++++--------
 1 file changed, 29 insertions(+), 8 deletions(-)

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index f74f76cb8a..59dce4f59f 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -798,11 +798,15 @@ static int ebml_parse_elem(MatroskaDemuxContext *matroska,
     uint32_t id = syntax->id;
     uint64_t length;
     int res;
+    void *newelem;
 
     data = (char *)data + syntax->data_offset;
     if (syntax->list_elem_size) {
         EbmlList *list = data;
-        list->elem = av_realloc(list->elem, (list->nb_elem+1)*syntax->list_elem_size);
+        newelem = av_realloc(list->elem, (list->nb_elem+1)*syntax->list_elem_size);
+        if (!newelem)
+            return AVERROR(ENOMEM);
+        list->elem = newelem;
         data = (char*)list->elem + list->nb_elem*syntax->list_elem_size;
         memset(data, 0, syntax->list_elem_size);
         list->nb_elem++;
@@ -932,6 +936,7 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size,
     uint8_t* data = *buf;
     int isize = *buf_size;
     uint8_t* pkt_data = NULL;
+    uint8_t* newpktdata;
     int pkt_size = isize;
     int result = 0;
     int olen;
@@ -961,7 +966,12 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size,
         zstream.avail_in = isize;
         do {
             pkt_size *= 3;
-            pkt_data = av_realloc(pkt_data, pkt_size);
+            newpktdata = av_realloc(pkt_data, pkt_size);
+            if (!newpktdata) {
+                inflateEnd(&zstream);
+                goto failed;
+            }
+            pkt_data = newpktdata;
             zstream.avail_out = pkt_size - zstream.total_out;
             zstream.next_out = pkt_data + zstream.total_out;
             result = inflate(&zstream, Z_NO_FLUSH);
@@ -982,7 +992,12 @@ static int matroska_decode_buffer(uint8_t** buf, int* buf_size,
         bzstream.avail_in = isize;
         do {
             pkt_size *= 3;
-            pkt_data = av_realloc(pkt_data, pkt_size);
+            newpktdata = av_realloc(pkt_data, pkt_size);
+            if (!newpktdata) {
+                BZ2_bzDecompressEnd(&bzstream);
+                goto failed;
+            }
+            pkt_data = newpktdata;
             bzstream.avail_out = pkt_size - bzstream.total_out_lo32;
             bzstream.next_out = pkt_data + bzstream.total_out_lo32;
             result = BZ2_bzDecompress(&bzstream);
@@ -1037,13 +1052,17 @@ static void matroska_fix_ass_packet(MatroskaDemuxContext *matroska,
     }
 }
 
-static void matroska_merge_packets(AVPacket *out, AVPacket *in)
+static int matroska_merge_packets(AVPacket *out, AVPacket *in)
 {
-    out->data = av_realloc(out->data, out->size+in->size);
+    void *newdata = av_realloc(out->data, out->size+in->size);
+    if (!newdata)
+        return AVERROR(ENOMEM);
+    out->data = newdata;
     memcpy(out->data+out->size, in->data, in->size);
     out->size += in->size;
     av_destruct_packet(in);
     av_free(in);
+    return 0;
 }
 
 static void matroska_convert_tag(AVFormatContext *s, EbmlList *list,
@@ -1568,11 +1587,13 @@ static int matroska_deliver_packet(MatroskaDemuxContext *matroska,
         memcpy(pkt, matroska->packets[0], sizeof(AVPacket));
         av_free(matroska->packets[0]);
         if (matroska->num_packets > 1) {
+            void *newpackets;
             memmove(&matroska->packets[0], &matroska->packets[1],
                     (matroska->num_packets - 1) * sizeof(AVPacket *));
-            matroska->packets =
-                av_realloc(matroska->packets, (matroska->num_packets - 1) *
-                           sizeof(AVPacket *));
+            newpackets = av_realloc(matroska->packets,
+                            (matroska->num_packets - 1) * sizeof(AVPacket *));
+            if (newpackets)
+                matroska->packets = newpackets;
         } else {
             av_freep(&matroska->packets);
         }

From 783f45de4f3ee03a661c7d1479fe1b513bc0a863 Mon Sep 17 00:00:00 2001
From: Mans Rullgard <mans@mansr.com>
Date: Sun, 17 Jul 2011 15:40:05 +0100
Subject: [PATCH 69/73] fate: separate lavf-mxf_d10 test from lavf-mxf

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 0218808d4980b794c78f57931d671508aed500b5)

required to unbreak fate with --disable-avfilter
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
---
 configure                | 2 +-
 tests/lavf-regression.sh | 3 +++
 tests/ref/lavf/mxf       | 3 ---
 tests/ref/lavf/mxf_d10   | 3 +++
 4 files changed, 7 insertions(+), 4 deletions(-)
 create mode 100644 tests/ref/lavf/mxf_d10

diff --git a/configure b/configure
index b6e2ff964b..981b0fdffb 100755
--- a/configure
+++ b/configure
@@ -1576,7 +1576,7 @@ test_deps _muxer _demuxer                                               \
     mmf                                                                 \
     mov                                                                 \
     pcm_mulaw=mulaw                                                     \
-    mxf                                                                 \
+    mxf="mxf mxf_d10"                                                   \
     nut                                                                 \
     ogg                                                                 \
     rawvideo=pixfmt                                                     \
diff --git a/tests/lavf-regression.sh b/tests/lavf-regression.sh
index 39e752b3c6..07dedb2ef2 100755
--- a/tests/lavf-regression.sh
+++ b/tests/lavf-regression.sh
@@ -66,6 +66,9 @@ fi
 
 if [ -n "$do_mxf" ] ; then
 do_lavf mxf "-ar 48000 -bf 2 -timecode_frame_start 264363"
+fi
+
+if [ -n "$do_mxf_d10" ]; then
 do_lavf mxf_d10 "-ar 48000 -ac 2 -r 25 -s 720x576 -vf pad=720:608:0:32 -vcodec mpeg2video -intra -flags +ildct+low_delay -dc 10 -flags2 +ivlc+non_linear_q -qscale 1 -ps 1 -qmin 1 -rc_max_vbv_use 1 -rc_min_vbv_use 1 -pix_fmt yuv422p -minrate 30000k -maxrate 30000k -b 30000k -bufsize 1200000 -top 1 -rc_init_occupancy 1200000 -qmax 12 -f mxf_d10"
 fi
 
diff --git a/tests/ref/lavf/mxf b/tests/ref/lavf/mxf
index d4bbe2f25e..b5aea3c17e 100644
--- a/tests/ref/lavf/mxf
+++ b/tests/ref/lavf/mxf
@@ -1,6 +1,3 @@
 6e9bd63c5cadd7550ad313553ebf665f *./tests/data/lavf/lavf.mxf
 525881 ./tests/data/lavf/lavf.mxf
 ./tests/data/lavf/lavf.mxf CRC=0x4ace0849
-e7168856f2b54c6272685967e707fb21 *./tests/data/lavf/lavf.mxf_d10
-5330989 ./tests/data/lavf/lavf.mxf_d10
-./tests/data/lavf/lavf.mxf_d10 CRC=0xc3f4f92e
diff --git a/tests/ref/lavf/mxf_d10 b/tests/ref/lavf/mxf_d10
new file mode 100644
index 0000000000..f59a99ee0f
--- /dev/null
+++ b/tests/ref/lavf/mxf_d10
@@ -0,0 +1,3 @@
+e7168856f2b54c6272685967e707fb21 *./tests/data/lavf/lavf.mxf_d10
+5330989 ./tests/data/lavf/lavf.mxf_d10
+./tests/data/lavf/lavf.mxf_d10 CRC=0xc3f4f92e

From 9bb7a128a34fb5e4abcd265e5dfcb61787ad2f0f Mon Sep 17 00:00:00 2001
From: Reinhard Tartler <siretart@tauware.de>
Date: Wed, 28 Sep 2011 00:50:08 +0200
Subject: [PATCH 70/73] fate: allow testing with libavfilter disabled

This declares dependencies to skip tests using libavfilter
when it is disabled.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit 908f12f342341785bf0458e88a06d97a1af90339)

Conflicts:
	configure
	tests/Makefile
	tests/fate.mak

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
---
 Makefile       | 7 +++++--
 configure      | 5 ++++-
 tests/fate.mak | 2 +-
 3 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/Makefile b/Makefile
index d6bae7680b..d29872f277 100644
--- a/Makefile
+++ b/Makefile
@@ -252,9 +252,12 @@ FATE_SEEK    = $(SEEK_TESTS:seek_%=fate-seek-%)
 FATE = $(FATE_ACODEC)                                                   \
        $(FATE_VCODEC)                                                   \
        $(FATE_LAVF)                                                     \
-       $(FATE_LAVFI)                                                    \
        $(FATE_SEEK)                                                     \
 
+FATE-$(CONFIG_AVFILTER) += $(FATE_LAVFI)
+
+FATE += $(FATE-yes)
+
 $(filter-out %-aref,$(FATE_ACODEC)): $(AREF)
 $(filter-out %-vref,$(FATE_VCODEC)): $(VREF)
 $(FATE_LAVF):   $(REFS)
@@ -276,7 +279,7 @@ fate-lavfi:  $(FATE_LAVFI)
 fate-seek:   $(FATE_SEEK)
 
 ifdef SAMPLES
-FATE += $(FATE_TESTS)
+FATE += $(FATE_TESTS) $(FATE_TESTS-yes)
 fate-rsync:
 	rsync -vaLW rsync://fate-suite.libav.org/fate-suite/ $(SAMPLES)
 else
diff --git a/configure b/configure
index 981b0fdffb..f4c327439a 100755
--- a/configure
+++ b/configure
@@ -1504,7 +1504,7 @@ test_deps(){
         dep=${v%=*}
         tests=${v#*=}
         for name in ${tests}; do
-            eval ${name}_test_deps="'${dep}$suf1 ${dep}$suf2'"
+            append ${name}_test_deps ${dep}$suf1 ${dep}$suf2
         done
     done
 }
@@ -1514,6 +1514,9 @@ set_ne_test_deps(){
     eval ${1}_le_test_deps="!bigendian"
 }
 
+mxf_d10_test_deps="avfilter"
+seek_lavf_mxf_d10_test_deps="mxf_d10_test"
+
 test_deps _encoder _decoder                                             \
     adpcm_g726=g726                                                     \
     adpcm_ima_qt                                                        \
diff --git a/tests/fate.mak b/tests/fate.mak
index 0e3331178b..cf6c44e8e4 100644
--- a/tests/fate.mak
+++ b/tests/fate.mak
@@ -128,7 +128,7 @@ FATE_TESTS += fate-id-cin-video
 fate-id-cin-video: CMD = framecrc  -i $(SAMPLES)/idcin/idlog-2MB.cin -pix_fmt rgb24
 FATE_TESTS += fate-idroq-video-dpcm
 fate-idroq-video-dpcm: CMD = framecrc  -i $(SAMPLES)/idroq/idlogo.roq
-FATE_TESTS += fate-idroq-video-encode
+FATE_TESTS-$(CONFIG_AVFILTER) += fate-idroq-video-encode
 fate-idroq-video-encode: CMD = md5  -t 0.2 -f image2 -vcodec pgmyuv -i $(SAMPLES)/ffmpeg-synthetic/vsynth1/%02d.pgm -sws_flags +bitexact -vf pad=512:512:80:112 -f RoQ
 FATE_TESTS += fate-iff-byterun1
 fate-iff-byterun1: CMD = framecrc  -i $(SAMPLES)/iff/ASH.LBM -pix_fmt rgb24

From e257eebd17fbb7e880cfdde8a80c089434b6cf1f Mon Sep 17 00:00:00 2001
From: Mans Rullgard <mans@mansr.com>
Date: Sun, 17 Jul 2011 16:02:33 +0100
Subject: [PATCH 71/73] lavf: do not set codec_tag for rawvideo

If the demuxer did not set a codec_tag, there is none and
inventing one makes no sense.  This change stops the rawvideo
"decoder" over-writing user-supplied pixfmt with one derived
from the codec_tag.  The pixfmt-codec_tag-pixfmt round-trip
is lossy since several pixfmts map to the same codec_tag.

This fixes fate-lavf-pixfmt with avfilter disabled.

Signed-off-by: Mans Rullgard <mans@mansr.com>
(cherry picked from commit bb416bd68ca46b4a3f1901533064d56a6b8ac95e)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
---
 libavformat/utils.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/libavformat/utils.c b/libavformat/utils.c
index d9d154e3ab..e3c7d4aa84 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -2405,9 +2405,6 @@ int av_find_stream_info(AVFormatContext *ic)
                      (st->codec_info_nb_frames-2)*(int64_t)st->time_base.den,
                       st->info->codec_info_duration*(int64_t)st->time_base.num, 60000);
         if (st->codec->codec_type == AVMEDIA_TYPE_VIDEO) {
-            if(st->codec->codec_id == CODEC_ID_RAWVIDEO && !st->codec->codec_tag && !st->codec->bits_per_coded_sample)
-                st->codec->codec_tag= avcodec_pix_fmt_to_codec_tag(st->codec->pix_fmt);
-
             // the check for tb_unreliable() is not completely correct, since this is not about handling
             // a unreliable/inexact time base, but a time base that is finer than necessary, as e.g.
             // ipmovie.c produces.

From 35feff418aabd9964509e2c718c65314606545e3 Mon Sep 17 00:00:00 2001
From: Reinhard Tartler <siretart@tauware.de>
Date: Fri, 30 Sep 2011 15:44:19 +0200
Subject: [PATCH 72/73] Update RELEASE file for 0.7.2

---
 RELEASE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/RELEASE b/RELEASE
index 39e898a4f9..7486fdbc50 100644
--- a/RELEASE
+++ b/RELEASE
@@ -1 +1 @@
-0.7.1
+0.7.2

From 58decdb639e8582063807b5ddfb86dada6731f74 Mon Sep 17 00:00:00 2001
From: Reinhard Tartler <siretart@tauware.de>
Date: Fri, 30 Sep 2011 18:14:12 +0200
Subject: [PATCH 73/73] Update Changelog for 0.7.2 release

---
 Changelog | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/Changelog b/Changelog
index 1598336e55..ab02a02bf5 100644
--- a/Changelog
+++ b/Changelog
@@ -1,6 +1,48 @@
 Entries are sorted chronologically from oldest to youngest within each release,
 releases are sorted from youngest to oldest.
 
+version 0.7.2:
+
+- check buffer and input values in various parts of the code:
+  H.264, VC-1, APE, FLV, Indeo 2, XAN, Ogg, MXF, wavpack, ffv1, MOV,
+  cavs (OCERT-2011-002, CVE-2011-3362), Smacker, cpu detection, lavf,
+  Matroska (CVE-2011-3504), RV10, RV30/RV40
+- memory leaks: vf_scale, eval
+
+- ARM: workaround for bug in GNU assembler
+- AVOptions: fix av_set_string3() doxy to match reality. (Bug #28)
+- Reintroduce AVInputStream.nb_streams to avoid crashes
+- aac: Only output configure if audio was found
+- aac: Remove some suspicious illegal memcpy()s from LTP
+- aacps: skip some memcpy() if src and dst would be equal
+- adts: fix PCE copying
+- alsa: fallback to buffer_size/4 for period_size
+- alsa: limit buffer_size to 32768 frames
+- cljr, indeo2: init_get_bits size in bits instead of bytes
+- configure: add missing CFLAGS to fix building on the HURD
+- dca: set AVCodecContext frame_size for DTS audio
+- fate: allow testing with libavfilter disabled
+- gxf: fix 25 fps DV material in GXF being misdetected as 50 fps
+- h264: correct implicit weight table computation for long ref pics
+- h264: correct the check for invalid long term frame index in MMCO decode
+- h264: fix PCM intra-coded blocks in monochrome case
+- jpegdec: actually search for and parse RSTn
+- lavc: fix type for thread_type option
+- lavf: fix context pointer in av_open_input_stream when avformat_open_input fails
+- lavf: do not set codec_tag for rawvideo
+- libx264: do not set pic quality if no frame is output
+- movenc: create an alternate group for each media type
+- mpegts: fix Continuity Counter error detection
+- mxfenc: fix ignored drop flag in binary timecode representation
+- fix crashes in 32-bit PIC builds (cf e.g. http://bugs.debian.org/639948)
+- ppc64: fix cast related random failures
+- riff: Add mpgv MPEG-2 fourcc
+- swscale: don't use planar output functions to write to NV12/21
+- vc1: properly zero coded_block[] edges on new slice entry
+- vp3/theora: flush after seek
+
+- various bug other fixes
+
 
 version 0.7.1:
 
@@ -16,6 +58,7 @@ version 0.7.1:
 - ffmpeg: fix operation with --disable-avfilter
 - fixed integer underflow in matroska decoder
 
+
 version 0.7:
 
 - E-AC-3 audio encoder