author | Michael Niedermayer <michaelni@gmx.at> | 2014-01-16 21:33:44 +0100 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2014-01-16 21:33:44 +0100 |
commit | 9e96051d5d03c13692090bff5c804fa5aaa11375 (patch) | |
tree | 52de7c663d6e1a57cb9814634e3abda648520eeb | |
parent | 85c02da3076893dc09fe25152754ae072b59a837 (diff) | |
parent | 68a1df13c460adb6241cfdf96aad953b5d637623 (diff) | |
Merge commit '68a1df13c460adb6241cfdf96aad953b5d637623' into release/0.10
* commit '68a1df13c460adb6241cfdf96aad953b5d637623':
smacker: Avoid integer overflow when allocating packets
smacker: Don't return packets in unallocated streams
dsicin: Add some basic sanity checks for fields read from the file
arm: Don't clobber callee saved registers in scalarproduct
Prepare for 0.8.10 Release
roqvideodec: check dimensions validity
qdm2: check array index before use, fix out of array accesses
alsdec: check block length
Conflicts:
RELEASE
Merged-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r-- | libavcodec/alsdec.c | 5 | ||||
-rw-r--r-- | libavcodec/qdm2.c | 5 | ||||
-rw-r--r-- | libavcodec/roqvideodec.c | 7 | ||||
-rw-r--r-- | libavformat/dsicin.c | 2 | ||||
-rw-r--r-- | libavformat/smacker.c | 4 |
5 files changed, 22 insertions, 1 deletions
diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c index e908a05398..1d69c7e39a 100644 --- a/libavcodec/alsdec.c +++ b/libavcodec/alsdec.c @@ -1386,6 +1386,11 @@ static int read_frame_data(ALSDecContext *ctx, unsigned int ra_frame) for (b = 0; b < ctx->num_blocks; b++) { bd.block_length = div_blocks[b]; + if (bd.block_length <= 0) { + av_log(ctx->avctx, AV_LOG_WARNING, + "Invalid block length %d in channel data!\n", bd.block_length); + continue; + } for (c = 0; c < avctx->channels; c++) { bd.const_block = ctx->const_block + c; diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c index b1bdb536c6..63957a6965 100644 --- a/libavcodec/qdm2.c +++ b/libavcodec/qdm2.c @@ -1250,6 +1250,11 @@ static void qdm2_decode_super_block (QDM2Context *q) for (i = 0; packet_bytes > 0; i++) { int j; + if (i >= FF_ARRAY_ELEMS(q->sub_packet_list_A)) { + SAMPLES_NEEDED_2("too many packet bytes"); + return; + } + q->sub_packet_list_A[i].next = NULL; if (i > 0) { diff --git a/libavcodec/roqvideodec.c b/libavcodec/roqvideodec.c index 20374859f4..735d767141 100644 --- a/libavcodec/roqvideodec.c +++ b/libavcodec/roqvideodec.c @@ -173,6 +173,13 @@ static av_cold int roq_decode_init(AVCodecContext *avctx) RoqContext *s = avctx->priv_data; s->avctx = avctx; + + if (avctx->width % 16 || avctx->height % 16) { + av_log(avctx, AV_LOG_ERROR, + "Dimensions must be a multiple of 16\n"); + return AVERROR_PATCHWELCOME; + } + s->width = avctx->width; s->height = avctx->height; avcodec_get_frame_defaults(&s->frames[0]); diff --git a/libavformat/dsicin.c b/libavformat/dsicin.c index e0db8ba10e..f7ae216a23 100644 --- a/libavformat/dsicin.c +++ b/libavformat/dsicin.c @@ -153,6 +153,8 @@ static int cin_read_frame_header(CinDemuxContext *cin, AVIOContext *pb) { if (avio_rl32(pb) != 0xAA55AA55) return AVERROR_INVALIDDATA; + if (hdr->video_frame_size < 0 || hdr->audio_frame_size < 0) + return AVERROR_INVALIDDATA; return 0; } 
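Review bot: The new `continue` in the block loop of read_frame_data skips a block with an invalid length but keeps decoding the frame, so nothing in this hunk tells the caller the frame was damaged, and the samples for the skipped block are not written here. If the function goes on to return success (its tail is outside the hunk), the output for that block is whatever the buffers already held; returning `AVERROR_INVALIDDATA`, or documenting the choice with `/* skip the corrupt block, keep the rest of the frame */`, would make the intent explicit. Also, if `block_length` is an unsigned field (its declaration is not shown), `<= 0` only ever matches zero and `%d` should be `%u`.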
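Review bot: The modulo test added to roq_decode_init accepts zero, and in C also negative multiples of 16, since `0 % 16` and `-16 % 16` both evaluate to 0. Unless the generic codec-open path already rejects non-positive dimensions (not visible here), the guard could read `if (avctx->width <= 0 || avctx->height <= 0 || avctx->width % 16 || avctx->height % 16)`. The check runs only at init, and the remainder of the function lies outside the hunk.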
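Review bot: The check added to cin_read_frame_header rejects negative sizes but sets no upper bound, so a header carrying a very large positive `video_frame_size` or `audio_frame_size` still passes. If these values are later added to other terms to size a packet (that code is outside this hunk), the sum can overflow in the same way the smacker change in this commit guards against with `frame_size >= INT_MAX/2`. A matching bound here, for example `hdr->video_frame_size >= INT_MAX/2`, would close that gap. The start of the function is outside the hunk.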
diff --git a/libavformat/smacker.c b/libavformat/smacker.c
index 9f8fbf5308..e948c22f01 100644
--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -322,7 +322,7 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt)
 }
 flags >>= 1;
 }
- if (frame_size < 0)
+ if (frame_size < 0 || frame_size >= INT_MAX/2)
 return AVERROR_INVALIDDATA;
 if (av_new_packet(pkt, frame_size + 769))
 return AVERROR(ENOMEM);
@@ -338,6 +338,8 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt)
 smk->cur_frame++;
 smk->nextpos = avio_tell(s->pb);
 } else {
+ if (smk->stream_id[smk->curstream] < 0)
+ return AVERROR_INVALIDDATA;
 if (av_new_packet(pkt, smk->buf_sizes[smk->curstream]))
 return AVERROR(ENOMEM);
 memcpy(pkt->data, smk->bufs[smk->curstream], smk->buf_sizes[smk->curstream]); |
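Review bot: The early return for an unallocated stream, in the `else` branch of smacker_read_packet (second hunk), leaves `smk->curstream` unchanged within the visible lines. If that counter is only stepped after the packet has been filled (below the hunk), every later call lands on the same entry and fails again, so one bad stream blocks the remaining buffered streams and the rest of the file. Consider stepping past the entry before returning, or say in a comment that the error is meant to be fatal for the demuxer. The `memcpy` source `smk->bufs[smk->curstream]` is also used unchecked here; whether it can be NULL for a stream with a valid id is not visible.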