Merge commit '04d2f9ace3fb6e880f3488770fc5a39de5b63cbb' into release/1.1

* commit '04d2f9ace3fb6e880f3488770fc5a39de5b63cbb':
  mvi: Add sanity checking for the audio frame size
  alac: Do bounds checking of lpc_order read from the bitstream
  xwma: Avoid division by zero
  avidec: Make sure a packet is large enough before reading its data
  vqf: Make sure the bitrate is in the valid range
  vqf: Make sure sample_rate is set to a valid value
  electronicarts: Check packet sizes before reading
  lavf: Avoid setting avg_frame_rate if delta_dts is negative
  vc1dec: Undo mpegvideo initialization if unable to allocate tables
  vc1dec: Fix leaks in ff_vc1_decode_init_alloc_tables on errors
  wnv1: Make sure the input packet is large enough
  dcadec: Validate the lfe parameter

Conflicts:
	libavcodec/dcadec.c
	libavcodec/wnv1.c
	libavformat/avidec.c
	libavformat/electronicarts.c
	libavformat/utils.c
	libavformat/xwma.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>

10 files changed, 61 insertions, 17 deletions

diff --git a/libavcodec/alac.c b/libavcodec/alac.c
index 072cac3245..48b0b991cf 100644
--- a/libavcodec/alac.c
+++ b/libavcodec/alac.c
@@ -321,6 +321,9 @@ static int decode_element(AVCodecContext *avctx, void *data, int ch_index,
             rice_history_mult[ch] = get_bits(&alac->gb, 3);
             lpc_order[ch]         = get_bits(&alac->gb, 5);
 
+            if (lpc_order[ch] >= alac->max_samples_per_frame)
+                return AVERROR_INVALIDDATA;
+
             /* read the predictor table */
             for (i = lpc_order[ch] - 1; i >= 0; i--)
                 lpc_coefs[ch][i] = get_sbits(&alac->gb, 16);
diff --git a/libavcodec/dcadec.c b/libavcodec/dcadec.c
index ea5b230797..b768a9a304 100644
--- a/libavcodec/dcadec.c
+++ b/libavcodec/dcadec.c
@@ -738,10 +738,10 @@ static int dca_parse_frame_header(DCAContext *s)
     s->lfe               = get_bits(&s->gb, 2);
     s->predictor_history = get_bits(&s->gb, 1);
 
-    if (s->lfe == 3) {
+    if (s->lfe > 2) {
         s->lfe = 0;
-        av_log_ask_for_sample(s->avctx, "LFE is 3\n");
-        return AVERROR_PATCHWELCOME;
+        av_log(s->avctx, AV_LOG_ERROR, "Invalid LFE value: %d\n", s->lfe);
+        return AVERROR_INVALIDDATA;
     }
 
     /* TODO: check CRC */
diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c
index 883beaf429..f604c2937f 100644
--- a/libavcodec/vc1dec.c
+++ b/libavcodec/vc1dec.c
@@ -5141,8 +5141,19 @@ av_cold int ff_vc1_decode_init_alloc_tables(VC1Context *v)
 
     if (!v->mv_type_mb_plane || !v->direct_mb_plane || !v->acpred_plane || !v->over_flags_plane ||
         !v->block || !v->cbp_base || !v->ttblk_base || !v->is_intra_base || !v->luma_mv_base ||
-        !v->mb_type_base)
-            return -1;
+        !v->mb_type_base) {
+        av_freep(&v->mv_type_mb_plane);
+        av_freep(&v->direct_mb_plane);
+        av_freep(&v->acpred_plane);
+        av_freep(&v->over_flags_plane);
+        av_freep(&v->block);
+        av_freep(&v->cbp_base);
+        av_freep(&v->ttblk_base);
+        av_freep(&v->is_intra_base);
+        av_freep(&v->luma_mv_base);
+        av_freep(&v->mb_type_base);
+        return AVERROR(ENOMEM);
+    }
 
     return 0;
 }
@@ -5514,8 +5525,12 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data,
     }
 
     if (!s->context_initialized) {
-        if (ff_msmpeg4_decode_init(avctx) < 0 || ff_vc1_decode_init_alloc_tables(v) < 0)
+        if (ff_msmpeg4_decode_init(avctx) < 0)
             goto err;
+        if (ff_vc1_decode_init_alloc_tables(v) < 0) {
+            ff_MPV_common_end(s);
+            goto err;
+        }
 
         s->low_delay = !avctx->has_b_frames || v->res_sprite;
 
diff --git a/libavcodec/wnv1.c b/libavcodec/wnv1.c
index c59ceb7f1d..1f4ca1af85 100644
--- a/libavcodec/wnv1.c
+++ b/libavcodec/wnv1.c
@@ -71,8 +71,8 @@ static int decode_frame(AVCodecContext *avctx,
     int prev_y = 0, prev_u = 0, prev_v = 0;
     uint8_t *rbuf;
 
-    if(buf_size<=8) {
-        av_log(avctx, AV_LOG_ERROR, "buf_size %d is too small\n", buf_size);
+    if (buf_size <= 8) {
+        av_log(avctx, AV_LOG_ERROR, "Packet size %d is too small\n", buf_size);
         return AVERROR_INVALIDDATA;
     }
 
diff --git a/libavformat/avidec.c b/libavformat/avidec.c
index 248dd2cb13..c8d5818821 100644
--- a/libavformat/avidec.c
+++ b/libavformat/avidec.c
@@ -818,8 +818,10 @@ static int avi_read_header(AVFormatContext *s)
     return 0;
 }
 
-static int read_gab2_sub(AVStream *st, AVPacket *pkt) {
-    if (pkt->data && !strcmp(pkt->data, "GAB2") && AV_RL16(pkt->data+5) == 2) {
+static int read_gab2_sub(AVStream *st, AVPacket *pkt)
+{
+    if (pkt->size >= 7 &&
+        !strcmp(pkt->data, "GAB2") && AV_RL16(pkt->data + 5) == 2) {
         uint8_t desc[256];
         int score = AVPROBE_SCORE_MAX / 2, ret;
         AVIStream *ast = st->priv_data;
diff --git a/libavformat/electronicarts.c b/libavformat/electronicarts.c
index 5b821a9cf5..bc7ea140d5 100644
--- a/libavformat/electronicarts.c
+++ b/libavformat/electronicarts.c
@@ -545,12 +545,16 @@ static int ea_read_packet(AVFormatContext *s,
             case AV_CODEC_ID_ADPCM_EA_R1:
             case AV_CODEC_ID_ADPCM_EA_R2:
             case AV_CODEC_ID_ADPCM_IMA_EA_EACS:
-                if (pkt->size >= 4)
-                    pkt->duration = AV_RL32(pkt->data);
-                break;
             case AV_CODEC_ID_ADPCM_EA_R3:
-                if (pkt->size >= 4)
+                if (pkt->size < 4) {
+                    av_log(s, AV_LOG_ERROR, "Packet is too short\n");
+                    av_free_packet(pkt);
+                    return AVERROR_INVALIDDATA;
+                }
+                if (ea->audio_codec == AV_CODEC_ID_ADPCM_EA_R3)
                     pkt->duration = AV_RB32(pkt->data);
+                else
+                    pkt->duration = AV_RL32(pkt->data);
                 break;
             case AV_CODEC_ID_ADPCM_IMA_EA_SEAD:
                 pkt->duration = ret * 2 / ea->num_channels;
diff --git a/libavformat/mvi.c b/libavformat/mvi.c
index 9184927a2f..99152f3c19 100644
--- a/libavformat/mvi.c
+++ b/libavformat/mvi.c
@@ -95,6 +95,12 @@ static int read_header(AVFormatContext *s)
     mvi->get_int = (vst->codec->width * vst->codec->height < (1 << 16)) ? avio_rl16 : avio_rl24;
 
     mvi->audio_frame_size   = ((uint64_t)mvi->audio_data_size << MVI_FRAC_BITS) / frames_count;
+    if (mvi->audio_frame_size <= 1 << MVI_FRAC_BITS - 1) {
+        av_log(s, AV_LOG_ERROR, "Invalid audio_data_size (%d) or frames_count (%d)\n",
+               mvi->audio_data_size, frames_count);
+        return AVERROR_INVALIDDATA;
+    }
+
     mvi->audio_size_counter = (ast->codec->sample_rate * 830 / mvi->audio_frame_size - 1) * mvi->audio_frame_size;
     mvi->audio_size_left    = mvi->audio_data_size;
 
diff --git a/libavformat/utils.c b/libavformat/utils.c
index 1d9130fd7c..8a5b84ff39 100644
--- a/libavformat/utils.c
+++ b/libavformat/utils.c
@@ -2982,7 +2982,8 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options)
                 double best_error = 0.01;
 
                 if (st->info->codec_info_duration        >= INT64_MAX / st->time_base.num / 2||
-                    st->info->codec_info_duration_fields >= INT64_MAX / st->time_base.den)
+                    st->info->codec_info_duration_fields >= INT64_MAX / st->time_base.den ||
+                    st->info->codec_info_duration        < 0)
                     continue;
                 av_reduce(&st->avg_frame_rate.num, &st->avg_frame_rate.den,
                           st->info->codec_info_duration_fields*(int64_t)st->time_base.den,
diff --git a/libavformat/vqf.c b/libavformat/vqf.c
index f1e6aafd98..81c1b39b81 100644
--- a/libavformat/vqf.c
+++ b/libavformat/vqf.c
@@ -174,6 +174,10 @@ static int vqf_read_header(AVFormatContext *s)
         st->codec->sample_rate = 11025;
         break;
     default:
+        if (rate_flag < 8 || rate_flag > 44) {
+            av_log(s, AV_LOG_ERROR, "Invalid rate flag %d\n", rate_flag);
+            return AVERROR_INVALIDDATA;
+        }
         st->codec->sample_rate = rate_flag*1000;
         if (st->codec->sample_rate <= 0) {
             av_log(s, AV_LOG_ERROR, "sample rate %d is invalid\n", st->codec->sample_rate);
@@ -182,6 +186,13 @@ static int vqf_read_header(AVFormatContext *s)
         break;
     }
 
+    if (read_bitrate / st->codec->channels <  8 ||
+        read_bitrate / st->codec->channels > 48) {
+        av_log(s, AV_LOG_ERROR, "Invalid bitrate per channel %d\n",
+               read_bitrate / st->codec->channels);
+        return AVERROR_INVALIDDATA;
+    }
+
     switch (((st->codec->sample_rate/1000) << 8) +
             read_bitrate/st->codec->channels) {
     case (11<<8) + 8 :
diff --git a/libavformat/xwma.c b/libavformat/xwma.c
index db7d9716ca..2606cdf9f0 100644
--- a/libavformat/xwma.c
+++ b/libavformat/xwma.c
@@ -201,8 +201,10 @@ static int xwma_read_header(AVFormatContext *s)
         /* Estimate the duration from the total number of output bytes. */
         const uint64_t total_decoded_bytes = dpds_table[dpds_table_size - 1];
 
-        if(!bytes_per_sample) {
-            av_log(s, AV_LOG_ERROR, "bytes_per_sample is 0\n");
+        if (!bytes_per_sample) {
+            av_log(s, AV_LOG_ERROR,
+                   "Invalid bits_per_coded_sample %d for %d channels\n",
+                   st->codec->bits_per_coded_sample, st->codec->channels);
             return AVERROR_INVALIDDATA;
         }