From f8b1245922cf4c7692750e9198cf57598f9647d5 Mon Sep 17 00:00:00 2001
From: "Ronald S. Bultje" <rbultje@google.com>
Date: Wed, 27 Apr 2011 15:42:16 -0700
Subject: asfdec: fix parsing of packets that overrun into padding.

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
---
 libavformat/asfdec.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'libavformat')

diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
index 8e10d68b62..637ceed34a 100644
--- a/libavformat/asfdec.c
+++ b/libavformat/asfdec.c
@@ -853,8 +853,14 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb){
     if (asf->packet_flags & 0x01) {
         DO_2BITS(asf->packet_segsizetype >> 6, asf->packet_frag_size, 0); // 0 is illegal
         if(asf->packet_frag_size > asf->packet_size_left - rsize){
-            av_log(s, AV_LOG_ERROR, "packet_frag_size is invalid\n");
-            return -1;
+            if (asf->packet_frag_size > asf->packet_size_left - rsize + asf->packet_padsize) {
+                av_log(s, AV_LOG_ERROR, "packet_frag_size is invalid (%d-%d)\n", asf->packet_size_left, rsize);
+                return -1;
+            } else {
+                int diff = asf->packet_frag_size - (asf->packet_size_left - rsize);
+                asf->packet_size_left += diff;
+                asf->packet_padsize   -= diff;
+            }
         }
         //printf("Fragsize %d\n", asf->packet_frag_size);
     } else {
-- 
cgit v1.2.3


From 25588d3b8a556eb5d0d3239d8c6aee968ea18896 Mon Sep 17 00:00:00 2001
From: "Ronald S. Bultje" <rsbultje@gmail.com>
Date: Wed, 27 Apr 2011 08:29:02 -0700
Subject: nutenc: don't av_malloc(0).

---
 libavformat/nutenc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'libavformat')

diff --git a/libavformat/nutenc.c b/libavformat/nutenc.c
index df5dc6fdf7..4ca761ab40 100644
--- a/libavformat/nutenc.c
+++ b/libavformat/nutenc.c
@@ -584,7 +584,8 @@ static int write_header(AVFormatContext *s){
     nut->avf= s;
 
     nut->stream   = av_mallocz(sizeof(StreamContext)*s->nb_streams);
-    nut->chapter  = av_mallocz(sizeof(ChapterContext)*s->nb_chapters);
+    if (s->nb_chapters)
+        nut->chapter  = av_mallocz(sizeof(ChapterContext)*s->nb_chapters);
     nut->time_base= av_mallocz(sizeof(AVRational   )*(s->nb_streams +
                                                       s->nb_chapters));
 
-- 
cgit v1.2.3


From 76432655056b9c1477ade550e4b6d277556eb6b2 Mon Sep 17 00:00:00 2001
From: "Ronald S. Bultje" <rsbultje@gmail.com>
Date: Tue, 3 May 2011 08:19:42 -0400
Subject: nutenc: check malloc return values.

---
 libavformat/nutenc.c | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'libavformat')

diff --git a/libavformat/nutenc.c b/libavformat/nutenc.c
index 4ca761ab40..85340b158e 100644
--- a/libavformat/nutenc.c
+++ b/libavformat/nutenc.c
@@ -588,6 +588,12 @@ static int write_header(AVFormatContext *s){
         nut->chapter  = av_mallocz(sizeof(ChapterContext)*s->nb_chapters);
     nut->time_base= av_mallocz(sizeof(AVRational   )*(s->nb_streams +
                                                       s->nb_chapters));
+    if (!nut->stream || (s->nb_chapters && !nut->chapter) || !nut->time_base) {
+        av_freep(&nut->stream);
+        av_freep(&nut->chapter);
+        av_freep(&nut->time_base);
+        return AVERROR(ENOMEM);
+    }
 
     for(i=0; i<s->nb_streams; i++){
         AVStream *st= s->streams[i];
-- 
cgit v1.2.3


From 0bd433a916cd8d98fce47742fbf6d0f90ec941c4 Mon Sep 17 00:00:00 2001
From: Uoti Urpala <uoti.urpala.pp1.inet.fi>
Date: Sun, 24 Apr 2011 07:21:30 +0300
Subject: asfdec: fix assert failure on invalid files

Add an extra size validity check in asf_read_frame_header(). Without
this asf->packet_size_left may become negative, which triggers an
assertion failure later.

Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
---
 libavformat/asfdec.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'libavformat')

diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
index 637ceed34a..77c84490a0 100644
--- a/libavformat/asfdec.c
+++ b/libavformat/asfdec.c
@@ -864,6 +864,10 @@ static int asf_read_frame_header(AVFormatContext *s, AVIOContext *pb){
         }
         //printf("Fragsize %d\n", asf->packet_frag_size);
     } else {
+        if (rsize > asf->packet_size_left) {
+            av_log(s, AV_LOG_ERROR, "packet_replic_size is invalid\n");
+            return -1;
+        }
         asf->packet_frag_size = asf->packet_size_left - rsize;
         //printf("Using rest  %d %d %d\n", asf->packet_frag_size, asf->packet_size_left, rsize);
     }
-- 
cgit v1.2.3


From 1a5e4fd8c5b99478b4e08a69261930bb12aa948b Mon Sep 17 00:00:00 2001
From: Alex Converse <aconverse@google.com>
Date: Tue, 3 May 2011 11:19:31 -0700
Subject: Replace strncpy() with av_strlcpy().

---
 ffmpeg.c                  |  3 +--
 libavcodec/ac3enc.c       | 43 ++++++++++++++++++++++---------------------
 libavcodec/ass.c          |  4 ++--
 libavformat/movenc.c      |  2 +-
 libavformat/mp3enc.c      |  3 ++-
 libavutil/log.c           |  3 ++-
 libpostproc/postprocess.c |  3 ++-
 7 files changed, 32 insertions(+), 29 deletions(-)

(limited to 'libavformat')

diff --git a/ffmpeg.c b/ffmpeg.c
index d728f140f0..c5868110f2 100644
--- a/ffmpeg.c
+++ b/ffmpeg.c
@@ -3695,8 +3695,7 @@ static int opt_streamid(const char *opt, const char *arg)
     char *p;
     char idx_str[16];
 
-    strncpy(idx_str, arg, sizeof(idx_str));
-    idx_str[sizeof(idx_str)-1] = '\0';
+    av_strlcpy(idx_str, arg, sizeof(idx_str));
     p = strchr(idx_str, ':');
     if (!p) {
         fprintf(stderr,
diff --git a/libavcodec/ac3enc.c b/libavcodec/ac3enc.c
index bf106eb22a..a35ff29d1a 100644
--- a/libavcodec/ac3enc.c
+++ b/libavcodec/ac3enc.c
@@ -33,6 +33,7 @@
 
 #include "libavutil/audioconvert.h"
 #include "libavutil/avassert.h"
+#include "libavutil/avstring.h"
 #include "libavutil/crc.h"
 #include "libavutil/opt.h"
 #include "avcodec.h"
@@ -1578,10 +1579,10 @@ static void dprint_options(AVCodecContext *avctx)
     char strbuf[32];
 
     switch (s->bitstream_id) {
-    case  6:  strncpy(strbuf, "AC-3 (alt syntax)", 32);      break;
-    case  8:  strncpy(strbuf, "AC-3 (standard)", 32);        break;
-    case  9:  strncpy(strbuf, "AC-3 (dnet half-rate)", 32);  break;
-    case 10:  strncpy(strbuf, "AC-3 (dnet quater-rate", 32); break;
+    case  6:  av_strlcpy(strbuf, "AC-3 (alt syntax)", 32);      break;
+    case  8:  av_strlcpy(strbuf, "AC-3 (standard)", 32);        break;
+    case  9:  av_strlcpy(strbuf, "AC-3 (dnet half-rate)", 32);  break;
+    case 10:  av_strlcpy(strbuf, "AC-3 (dnet quater-rate", 32); break;
     default: snprintf(strbuf, 32, "ERROR");
     }
     av_dlog(avctx, "bitstream_id: %s (%d)\n", strbuf, s->bitstream_id);
@@ -1608,9 +1609,9 @@ static void dprint_options(AVCodecContext *avctx)
     if (opt->audio_production_info) {
         av_dlog(avctx, "mixing_level: %ddB\n", opt->mixing_level);
         switch (opt->room_type) {
-        case 0:  strncpy(strbuf, "notindicated", 32); break;
-        case 1:  strncpy(strbuf, "large", 32);        break;
-        case 2:  strncpy(strbuf, "small", 32);        break;
+        case 0:  av_strlcpy(strbuf, "notindicated", 32); break;
+        case 1:  av_strlcpy(strbuf, "large", 32);        break;
+        case 2:  av_strlcpy(strbuf, "small", 32);        break;
         default: snprintf(strbuf, 32, "ERROR (%d)", opt->room_type);
         }
         av_dlog(avctx, "room_type: %s\n", strbuf);
@@ -1622,9 +1623,9 @@ static void dprint_options(AVCodecContext *avctx)
     av_dlog(avctx, "dialnorm: %ddB\n", opt->dialogue_level);
     if (s->channel_mode == AC3_CHMODE_STEREO) {
         switch (opt->dolby_surround_mode) {
-        case 0:  strncpy(strbuf, "notindicated", 32); break;
-        case 1:  strncpy(strbuf, "on", 32);           break;
-        case 2:  strncpy(strbuf, "off", 32);          break;
+        case 0:  av_strlcpy(strbuf, "notindicated", 32); break;
+        case 1:  av_strlcpy(strbuf, "on", 32);           break;
+        case 2:  av_strlcpy(strbuf, "off", 32);          break;
         default: snprintf(strbuf, 32, "ERROR (%d)", opt->dolby_surround_mode);
         }
         av_dlog(avctx, "dsur_mode: %s\n", strbuf);
@@ -1636,9 +1637,9 @@ static void dprint_options(AVCodecContext *avctx)
     if (s->bitstream_id == 6) {
         if (opt->extended_bsi_1) {
             switch (opt->preferred_stereo_downmix) {
-            case 0:  strncpy(strbuf, "notindicated", 32); break;
-            case 1:  strncpy(strbuf, "ltrt", 32);         break;
-            case 2:  strncpy(strbuf, "loro", 32);         break;
+            case 0:  av_strlcpy(strbuf, "notindicated", 32); break;
+            case 1:  av_strlcpy(strbuf, "ltrt", 32);         break;
+            case 2:  av_strlcpy(strbuf, "loro", 32);         break;
             default: snprintf(strbuf, 32, "ERROR (%d)", opt->preferred_stereo_downmix);
             }
             av_dlog(avctx, "dmix_mode: %s\n", strbuf);
@@ -1655,23 +1656,23 @@ static void dprint_options(AVCodecContext *avctx)
         }
         if (opt->extended_bsi_2) {
             switch (opt->dolby_surround_ex_mode) {
-            case 0:  strncpy(strbuf, "notindicated", 32); break;
-            case 1:  strncpy(strbuf, "on", 32);           break;
-            case 2:  strncpy(strbuf, "off", 32);          break;
+            case 0:  av_strlcpy(strbuf, "notindicated", 32); break;
+            case 1:  av_strlcpy(strbuf, "on", 32);           break;
+            case 2:  av_strlcpy(strbuf, "off", 32);          break;
             default: snprintf(strbuf, 32, "ERROR (%d)", opt->dolby_surround_ex_mode);
             }
             av_dlog(avctx, "dsurex_mode: %s\n", strbuf);
             switch (opt->dolby_headphone_mode) {
-            case 0:  strncpy(strbuf, "notindicated", 32); break;
-            case 1:  strncpy(strbuf, "on", 32);           break;
-            case 2:  strncpy(strbuf, "off", 32);          break;
+            case 0:  av_strlcpy(strbuf, "notindicated", 32); break;
+            case 1:  av_strlcpy(strbuf, "on", 32);           break;
+            case 2:  av_strlcpy(strbuf, "off", 32);          break;
             default: snprintf(strbuf, 32, "ERROR (%d)", opt->dolby_headphone_mode);
             }
             av_dlog(avctx, "dheadphone_mode: %s\n", strbuf);
 
             switch (opt->ad_converter_type) {
-            case 0:  strncpy(strbuf, "standard", 32); break;
-            case 1:  strncpy(strbuf, "hdcd", 32);     break;
+            case 0:  av_strlcpy(strbuf, "standard", 32); break;
+            case 1:  av_strlcpy(strbuf, "hdcd", 32);     break;
             default: snprintf(strbuf, 32, "ERROR (%d)", opt->ad_converter_type);
             }
             av_dlog(avctx, "ad_conv_type: %s\n", strbuf);
diff --git a/libavcodec/ass.c b/libavcodec/ass.c
index beb1ba1141..327a77bb45 100644
--- a/libavcodec/ass.c
+++ b/libavcodec/ass.c
@@ -21,6 +21,7 @@
 
 #include "avcodec.h"
 #include "ass.h"
+#include "libavutil/avstring.h"
 
 /**
  * Generate a suitable AVCodecContext.subtitle_header for SUBTITLE_ASS.
@@ -117,8 +118,7 @@ int ff_ass_add_rect(AVSubtitle *sub, const char *dialog,
     rects[sub->num_rects]->type = SUBTITLE_ASS;
     rects[sub->num_rects]->ass  = av_malloc(len + dlen + 1);
     strcpy (rects[sub->num_rects]->ass      , header);
-    strncpy(rects[sub->num_rects]->ass + len, dialog, dlen);
-    rects[sub->num_rects]->ass[len+dlen] = 0;
+    av_strlcpy(rects[sub->num_rects]->ass + len, dialog, dlen + 1);
     sub->num_rects++;
     return dlen;
 }
diff --git a/libavformat/movenc.c b/libavformat/movenc.c
index 0458844fc3..0327bdf797 100644
--- a/libavformat/movenc.c
+++ b/libavformat/movenc.c
@@ -827,7 +827,7 @@ static int mov_write_video_tag(AVIOContext *pb, MOVTrack *track)
     memset(compressor_name,0,32);
     /* FIXME not sure, ISO 14496-1 draft where it shall be set to 0 */
     if (track->mode == MODE_MOV && track->enc->codec && track->enc->codec->name)
-        strncpy(compressor_name,track->enc->codec->name,31);
+        av_strlcpy(compressor_name,track->enc->codec->name,32);
     avio_w8(pb, strlen(compressor_name));
     avio_write(pb, compressor_name, 31);
 
diff --git a/libavformat/mp3enc.c b/libavformat/mp3enc.c
index d46e67b70c..10abe0994c 100644
--- a/libavformat/mp3enc.c
+++ b/libavformat/mp3enc.c
@@ -24,6 +24,7 @@
 #include "id3v1.h"
 #include "id3v2.h"
 #include "rawenc.h"
+#include "libavutil/avstring.h"
 #include "libavutil/intreadwrite.h"
 #include "libavutil/opt.h"
 
@@ -32,7 +33,7 @@ static int id3v1_set_string(AVFormatContext *s, const char *key,
 {
     AVMetadataTag *tag;
     if ((tag = av_metadata_get(s->metadata, key, NULL, 0)))
-        strncpy(buf, tag->value, buf_size);
+        av_strlcpy(buf, tag->value, buf_size);
     return !!tag;
 }
 
diff --git a/libavutil/log.c b/libavutil/log.c
index cfeb21cd5a..ddfd31f6c3 100644
--- a/libavutil/log.c
+++ b/libavutil/log.c
@@ -26,6 +26,7 @@
 
 #include <unistd.h>
 #include <stdlib.h>
+#include "avstring.h"
 #include "avutil.h"
 #include "log.h"
 
@@ -120,7 +121,7 @@ void av_log_default_callback(void* ptr, int level, const char* fmt, va_list vl)
         count=0;
     }
     colored_fputs(av_clip(level>>3, 0, 6), line);
-    strncpy(prev, line, sizeof line);
+    av_strlcpy(prev, line, sizeof line);
 }
 
 static void (*av_log_callback)(void*, int, const char*, va_list) = av_log_default_callback;
diff --git a/libpostproc/postprocess.c b/libpostproc/postprocess.c
index d7c99e29da..4864b02198 100644
--- a/libpostproc/postprocess.c
+++ b/libpostproc/postprocess.c
@@ -86,6 +86,7 @@ try to unroll inner for(x=0 ... loop to avoid these damn if(x ... checks
 //#define DEBUG_BRIGHTNESS
 #include "postprocess.h"
 #include "postprocess_internal.h"
+#include "libavutil/avstring.h"
 
 unsigned postproc_version(void)
 {
@@ -762,7 +763,7 @@ pp_mode *pp_get_mode_by_name_and_quality(const char *name, int quality)
     ppMode->maxClippedThreshold= 0.01;
     ppMode->error=0;
 
-    strncpy(temp, name, GET_MODE_BUFFER_SIZE);
+    av_strlcpy(temp, name, GET_MODE_BUFFER_SIZE);
 
     av_log(NULL, AV_LOG_DEBUG, "pp: %s\n", name);
 
-- 
cgit v1.2.3


From eddd580b743692bc930692cb0c5a3e930ab45ad4 Mon Sep 17 00:00:00 2001
From: Mans Rullgard <mans@mansr.com>
Date: Wed, 4 May 2011 17:57:37 +0100
Subject: matroskaenc: fix memory leak

This fixes a memory leak occurring when no cue points are defined
since commit 91819763.

Signed-off-by: Mans Rullgard <mans@mansr.com>
---
 libavformat/matroskaenc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'libavformat')

diff --git a/libavformat/matroskaenc.c b/libavformat/matroskaenc.c
index c0427f9854..781121a68f 100644
--- a/libavformat/matroskaenc.c
+++ b/libavformat/matroskaenc.c
@@ -403,8 +403,6 @@ static int64_t mkv_write_cues(AVIOContext *pb, mkv_cues *cues, int num_tracks)
     }
     end_ebml_master(pb, cues_element);
 
-    av_free(cues->entries);
-    av_free(cues);
     return currentpos;
 }
 
@@ -1160,6 +1158,8 @@ static int mkv_write_trailer(AVFormatContext *s)
 
     end_ebml_master(pb, mkv->segment);
     av_free(mkv->tracks);
+    av_freep(&mkv->cues->entries);
+    av_freep(&mkv->cues);
     av_destruct_packet(&mkv->cur_audio_pkt);
     avio_flush(pb);
     return 0;
-- 
cgit v1.2.3


From 61165a1bba939e520d01b5f029100fd700b51f2f Mon Sep 17 00:00:00 2001
From: Diego Biurrun <diego@biurrun.de>
Date: Wed, 4 May 2011 18:47:07 +0200
Subject: Fix standalone compilation of WTV demuxer.

---
 libavcodec/Makefile  | 1 +
 libavformat/Makefile | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

(limited to 'libavformat')

diff --git a/libavcodec/Makefile b/libavcodec/Makefile
index 7434157e8f..1d8452ac03 100644
--- a/libavcodec/Makefile
+++ b/libavcodec/Makefile
@@ -546,6 +546,7 @@ OBJS-$(CONFIG_SPDIF_DEMUXER)           += aacadtsdec.o mpeg4audio.o
 OBJS-$(CONFIG_WEBM_MUXER)              += xiph.o mpeg4audio.o \
                                           flacdec.o flacdata.o flac.o \
                                           mpegaudiodata.o
+OBJS-$(CONFIG_WTV_DEMUXER)             += mpeg4audio.o mpegaudiodata.o
 
 # external codec libraries
 OBJS-$(CONFIG_LIBDIRAC_DECODER)           += libdiracdec.o
diff --git a/libavformat/Makefile b/libavformat/Makefile
index e2e3982125..ba978af7a4 100644
--- a/libavformat/Makefile
+++ b/libavformat/Makefile
@@ -295,7 +295,8 @@ OBJS-$(CONFIG_WEBM_MUXER)                += matroskaenc.o matroska.o \
                                             flacenc_header.o avlanguage.o
 OBJS-$(CONFIG_WSAUD_DEMUXER)             += westwood.o
 OBJS-$(CONFIG_WSVQA_DEMUXER)             += westwood.o
-OBJS-$(CONFIG_WTV_DEMUXER)               += wtv.o asf.o asfdec.o mpegts.o riff.o
+OBJS-$(CONFIG_WTV_DEMUXER)               += wtv.o asfdec.o asf.o asfcrypt.o \
+                                            avlanguage.o mpegts.o isom.o riff.o
 OBJS-$(CONFIG_WV_DEMUXER)                += wv.o apetag.o
 OBJS-$(CONFIG_XA_DEMUXER)                += xa.o
 OBJS-$(CONFIG_XWMA_DEMUXER)              += xwma.o riff.o
-- 
cgit v1.2.3


From 8799541a0a7bd84c04a2fac73bf819aaf53fc302 Mon Sep 17 00:00:00 2001
From: Diego Biurrun <diego@biurrun.de>
Date: Wed, 4 May 2011 19:20:03 +0200
Subject: Fix standalone compilation of pipe protocol.

file_check() is not only used by the file protocol, adjust #ifdef accordingly.
---
 libavformat/file.c | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

(limited to 'libavformat')

diff --git a/libavformat/file.c b/libavformat/file.c
index 6a3ed5acb0..649640a927 100644
--- a/libavformat/file.c
+++ b/libavformat/file.c
@@ -51,6 +51,19 @@ static int file_get_handle(URLContext *h)
     return (intptr_t) h->priv_data;
 }
 
+static int file_check(URLContext *h, int mask)
+{
+    struct stat st;
+    int ret = stat(h->filename, &st);
+    if (ret < 0)
+        return AVERROR(errno);
+
+    ret |= st.st_mode&S_IRUSR ? mask&AVIO_FLAG_READ  : 0;
+    ret |= st.st_mode&S_IWUSR ? mask&AVIO_FLAG_WRITE : 0;
+
+    return ret;
+}
+
 #if CONFIG_FILE_PROTOCOL
 
 static int file_open(URLContext *h, const char *filename, int flags)
@@ -95,19 +108,6 @@ static int file_close(URLContext *h)
     return close(fd);
 }
 
-static int file_check(URLContext *h, int mask)
-{
-    struct stat st;
-    int ret = stat(h->filename, &st);
-    if (ret < 0)
-        return AVERROR(errno);
-
-    ret |= st.st_mode&S_IRUSR ? mask&AVIO_FLAG_READ  : 0;
-    ret |= st.st_mode&S_IWUSR ? mask&AVIO_FLAG_WRITE : 0;
-
-    return ret;
-}
-
 URLProtocol ff_file_protocol = {
     .name                = "file",
     .url_open            = file_open,
-- 
cgit v1.2.3