Merge commit '979f77b0dc40571761999633a38d97be9a1670c8' into release/0.10

* commit '979f77b0dc40571761999633a38d97be9a1670c8':
  h264: check that an IDR NAL only contains I slices
  mov: Free an earlier allocated array if allocating a new one
  segafilm: fix leaks if reading the header fails
  h264_cavlc: check the size of the intra PCM data.
  cavs: Check for negative cbp
  avi: DV in AVI must be considered single stream
  avutil: use align == 0 for default alignment in audio sample buffer functions

Conflicts:
	libavcodec/cavsdec.c
	libavutil/avutil.h

Merged-by: Michael Niedermayer <michaelni@gmx.at>

8 files changed, 50 insertions, 24 deletions

diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index 221ead6d18..a23deb234b 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -166,8 +166,8 @@ static inline int decode_residual_inter(AVSContext *h) {
 
     /* get coded block pattern */
     int cbp= get_ue_golomb(&h->s.gb);
-    if(cbp > 63U){
-        av_log(h->s.avctx, AV_LOG_ERROR, "illegal inter cbp\n");
+    if(cbp > 63 || cbp < 0){
+        av_log(h->s.avctx, AV_LOG_ERROR, "illegal inter cbp %d\n", cbp);
         return -1;
     }
     h->cbp = cbp_tab[cbp][1];
@@ -226,7 +226,7 @@ static int decode_mb_i(AVSContext *h, int cbp_code) {
     /* get coded block pattern */
     if(h->pic_type == AV_PICTURE_TYPE_I)
         cbp_code = get_ue_golomb(gb);
-    if(cbp_code > 63U){
+    if(cbp_code > 63 || cbp_code < 0 ){
         av_log(h->s.avctx, AV_LOG_ERROR, "illegal intra cbp\n");
         return -1;
     }
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 1fa1f19e35..9a0b07f0b0 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -2672,7 +2672,14 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
     h->slice_type= slice_type;
     h->slice_type_nos= slice_type & 3;
 
-    s->pict_type= h->slice_type; // to make a few old functions happy, it's wrong though
+    if (h->nal_unit_type  == NAL_IDR_SLICE &&
+        h->slice_type_nos != AV_PICTURE_TYPE_I) {
+        av_log(h->s.avctx, AV_LOG_ERROR, "A non-intra slice in an IDR NAL unit.\n");
+        return AVERROR_INVALIDDATA;
+    }
+
+    // to make a few old functions happy, it's wrong though
+    s->pict_type = h->slice_type;
 
     pps_id= get_ue_golomb(&s->gb);
     if(pps_id>=MAX_PPS_COUNT){
diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c
index 96c421bd14..e43b937a8f 100644
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -770,6 +770,10 @@ decode_intra_mb:
 
         // We assume these blocks are very rare so we do not optimize it.
         align_get_bits(&s->gb);
+        if (get_bits_left(&s->gb) < mb_size) {
+            av_log(s->avctx, AV_LOG_ERROR, "Not enough data for an intra PCM block.\n");
+            return AVERROR_INVALIDDATA;
+        }
 
         // The pixels are stored in the same order as levels in h->mb array.
         for(x=0; x < mb_size; x++){
diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index 5a8d5a7741..0b43f09b3e 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -940,7 +940,7 @@ start_sync:
             goto start_sync;
         }
 
-        n= get_stream_idx(d);
+        n = avi->dv_demux ? 0 : get_stream_idx(d);
 
         if(!((i-avi->last_pkt_pos)&1) && get_stream_idx(d+1) < s->nb_streams)
             continue;
@@ -1394,12 +1394,17 @@ static int avi_read_seek(AVFormatContext *s, int stream_index, int64_t timestamp
     int64_t pos, pos_min;
     AVIStream *ast;
 
+    /* Does not matter which stream is requested dv in avi has the
+     * stream information in the first video stream.
+     */
+    if (avi->dv_demux)
+        stream_index = 0;
+
     if (!avi->index_loaded) {
         /* we only load the index on demand */
         avi_load_index(s);
         avi->index_loaded |= 1;
     }
-    assert(stream_index>= 0);
 
     st = s->streams[stream_index];
     ast= st->priv_data;
@@ -1417,7 +1422,6 @@ static int avi_read_seek(AVFormatContext *s, int stream_index, int64_t timestamp
         /* One and only one real stream for DV in AVI, and it has video  */
         /* offsets. Calling with other stream indexes should have failed */
         /* the av_index_search_timestamp call above.                     */
-        assert(stream_index == 0);
 
         if(avio_seek(s->pb, pos, SEEK_SET) < 0)
             return -1;
diff --git a/libavformat/mov.c b/libavformat/mov.c
index 4cb456744f..797705b0d9 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -1694,6 +1694,7 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom)
     if (entries >= UINT_MAX / sizeof(*sc->stts_data))
         return -1;
 
+    av_free(sc->stts_data);
     sc->stts_data = av_malloc(entries * sizeof(*sc->stts_data));
     if (!sc->stts_data)
         return AVERROR(ENOMEM);
diff --git a/libavformat/segafilm.c b/libavformat/segafilm.c
index 194a3b60bc..c12cd770d3 100644
--- a/libavformat/segafilm.c
+++ b/libavformat/segafilm.c
@@ -76,6 +76,16 @@ static int film_probe(AVProbeData *p)
     return AVPROBE_SCORE_MAX;
 }
 
+static int film_read_close(AVFormatContext *s)
+{
+    FilmDemuxContext *film = s->priv_data;
+
+    av_freep(&film->sample_table);
+    av_freep(&film->stereo_buffer);
+
+    return 0;
+}
+
 static int film_read_header(AVFormatContext *s,
                             AVFormatParameters *ap)
 {
@@ -83,7 +93,7 @@ static int film_read_header(AVFormatContext *s,
     AVIOContext *pb = s->pb;
     AVStream *st;
     unsigned char scratch[256];
-    int i;
+    int i, ret;
     unsigned int data_offset;
     unsigned int audio_frame_counter;
 
@@ -210,14 +220,16 @@ static int film_read_header(AVFormatContext *s,
     for (i = 0; i < film->sample_count; i++) {
         /* load the next sample record and transfer it to an internal struct */
         if (avio_read(pb, scratch, 16) != 16) {
-            av_free(film->sample_table);
-            return AVERROR(EIO);
+            ret = AVERROR(EIO);
+            goto fail;
         }
         film->sample_table[i].sample_offset =
             data_offset + AV_RB32(&scratch[0]);
         film->sample_table[i].sample_size = AV_RB32(&scratch[4]);
-        if (film->sample_table[i].sample_size > INT_MAX / 4)
-            return AVERROR_INVALIDDATA;
+        if (film->sample_table[i].sample_size > INT_MAX / 4) {
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
+        }
         if (AV_RB32(&scratch[8]) == 0xFFFFFFFF) {
             film->sample_table[i].stream = film->audio_stream_index;
             film->sample_table[i].pts = audio_frame_counter;
@@ -240,6 +252,9 @@ static int film_read_header(AVFormatContext *s,
     film->current_sample = 0;
 
     return 0;
+fail:
+    film_read_close(s);
+    return ret;
 }
 
 static int film_read_packet(AVFormatContext *s,
@@ -320,16 +335,6 @@ static int film_read_packet(AVFormatContext *s,
     return ret;
 }
 
-static int film_read_close(AVFormatContext *s)
-{
-    FilmDemuxContext *film = s->priv_data;
-
-    av_free(film->sample_table);
-    av_free(film->stereo_buffer);
-
-    return 0;
-}
-
 AVInputFormat ff_segafilm_demuxer = {
     .name           = "film_cpk",
     .long_name      = NULL_IF_CONFIG_SMALL("Sega FILM/CPK format"),
diff --git a/libavutil/samplefmt.c b/libavutil/samplefmt.c
index f4300036c2..1e4e56fd0a 100644
--- a/libavutil/samplefmt.c
+++ b/libavutil/samplefmt.c
@@ -114,6 +114,10 @@ int av_samples_get_buffer_size(int *linesize, int nb_channels, int nb_samples,
     if (!sample_size || nb_samples <= 0 || nb_channels <= 0)
         return AVERROR(EINVAL);
 
+    /* auto-select alignment if not specified */
+    if (!align)
+        align = 32;
+
     /* check for integer overflow */
     if (nb_channels > INT_MAX / align ||
         (int64_t)nb_channels * nb_samples > (INT_MAX - (align * nb_channels)) / sample_size)
diff --git a/libavutil/samplefmt.h b/libavutil/samplefmt.h
index 855cffd838..fc25d828eb 100644
--- a/libavutil/samplefmt.h
+++ b/libavutil/samplefmt.h
@@ -107,6 +107,7 @@ int av_sample_fmt_is_planar(enum AVSampleFormat sample_fmt);
  * @param nb_channels   the number of channels
  * @param nb_samples    the number of samples in a single channel
  * @param sample_fmt    the sample format
+ * @param align         buffer size alignment (0 = default, 1 = no alignment)
  * @return              required buffer size, or negative error code on failure
  */
 int av_samples_get_buffer_size(int *linesize, int nb_channels, int nb_samples,
@@ -130,7 +131,7 @@ int av_samples_get_buffer_size(int *linesize, int nb_channels, int nb_samples,
  * @param nb_channels      the number of channels
  * @param nb_samples       the number of samples in a single channel
  * @param sample_fmt       the sample format
- * @param align            buffer size alignment (1 = no alignment required)
+ * @param align            buffer size alignment (0 = default, 1 = no alignment)
  * @return                 0 on success or a negative error code on failure
  */
 int av_samples_fill_arrays(uint8_t **audio_data, int *linesize, uint8_t *buf,
@@ -146,7 +147,7 @@ int av_samples_fill_arrays(uint8_t **audio_data, int *linesize, uint8_t *buf,
  * @param[out] linesize    aligned size for audio buffer(s)
  * @param nb_channels      number of audio channels
  * @param nb_samples       number of samples per channel
- * @param align            buffer size alignment (1 = no alignment required)
+ * @param align            buffer size alignment (0 = default, 1 = no alignment)
  * @return                 0 on success or a negative error code on failure
  * @see av_samples_fill_arrays()
  */