authorMichael Niedermayer <michaelni@gmx.at>2013-05-12 14:11:03 +0200
committerMichael Niedermayer <michaelni@gmx.at>2013-05-12 14:11:03 +0200
commit9767d7513cbc24f01221965c95e65a73bea780d2 (patch)
treef8081bbab248d94222227b1e990c25aae7f3a22e
parentd2b9da2f3797de28fda72a96bf8f06608121c6ee (diff)
parent46fd6e4f2ebbcd5a00847cdb05fe416466d06d37 (diff)
Merge commit '46fd6e4f2ebbcd5a00847cdb05fe416466d06d37' into release/1.1
* commit '46fd6e4f2ebbcd5a00847cdb05fe416466d06d37': aac: check the maximum number of channels update Changelog riff: check for eof if chunk size and code are 0 oggdec: fix faulty cleanup prototype Conflicts: Changelog Merged-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--Changelog27
-rw-r--r--libavcodec/aacdec.c2
-rw-r--r--libavformat/riff.c6
3 files changed, 34 insertions, 1 deletions
diff --git a/Changelog b/Changelog
index 213ca05852..ecb2560ef8 100644
--- a/Changelog
+++ b/Changelog
@@ -2,6 +2,33 @@ Entries are sorted chronologically from oldest to youngest within each release,
releases are sorted from youngest to oldest.
version <next>:
+
+Most of the following fixes resulted from test samples that the Google
+Security Team has kindly made available to us:
+
+- af_channelmap: sanity check input channel indices in all cases
+- avfiltergraph: check for sws opts being non-NULL before using them
+- bmv: check for len being valid in bmv_decode_frame()
+- configure: Enable hwaccels without external dependencies by default
+- dfa: check for invalid access in decode_wdlt()
+- id3v2: pad the APIC packets as required by lavc
+- indeo3: check motion vectors
+- indeo3: fix data size check
+- indeo3: switch parsing the header to bytestream2
+- lavf: make sure stream probe data gets freed
+- matroska: Update the available size after lace parsing
+- matroska: fix a corner case in ebml-lace parsing
+- matroska: pass the lace size to the matroska_parse_rm_audio
+- mp3dec: fallback to generic seeking when a TOC is not present
+- oggdec: fix faulty cleanup prototype
+- oma: Validate sample rates
+- qdm2: check that the FFT size is a power of 2
+- riff: check for eof if chunk size and code are 0 to prevent an infinite loop
+- rv10: check that extradata is large enough
+- svq1dec: check that the reference frame has the same dimensions as the current one
+- svq1dec: clip motion vectors to the frame size
+- xmv: check audio track parameters validity
+- xmv: do not leak memory in the error paths in xmv_read_header()
- atrac3: avoid oversized shifting in decode_bytes()
- eamad: allocate a dummy reference frame when the real one is missing
- ffv1: fix calculating slice dimensions for version 2
diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
index d782e578a7..18928482cd 100644
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -147,6 +147,8 @@ static av_cold int che_configure(AACContext *ac,
enum ChannelPosition che_pos,
int type, int id, int *channels)
{
+ if (*channels >= MAX_CHANNELS)
+ return AVERROR_INVALIDDATA;
if (che_pos) {
if (!ac->che[type][id]) {
if (!(ac->che[type][id] = av_mallocz(sizeof(ChannelElement))))
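Review bot: The new limit check at the top of che_configure returns AVERROR_INVALIDDATA for every call once `*channels` has reached MAX_CHANNELS, including calls with che_pos == 0, which the `if (che_pos)` branch below suggests do not allocate a new element; if that path is how callers release elements during a reconfiguration (not visible in the hunk), it becomes unreachable at the channel limit. Placing the guard inside the allocation branch keeps the bound where the count can actually grow: `if (che_pos) {` / `if (*channels >= MAX_CHANNELS) return AVERROR_INVALIDDATA;` / `if (!ac->che[type][id]) {`. A short comment on the check would also help a reader who does not know why MAX_CHANNELS matters here, e.g. `/* reject streams that would exceed MAX_CHANNELS before another element is allocated */`. The rest of che_configure, including the place where *channels is incremented, lies outside the hunk.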
diff --git a/libavformat/riff.c b/libavformat/riff.c
index c0b42c1f66..b417e2e594 100644
--- a/libavformat/riff.c
+++ b/libavformat/riff.c
@@ -822,7 +822,7 @@ int ff_read_riff_info(AVFormatContext *s, int64_t size)
av_log(s, AV_LOG_WARNING, "INFO subchunk truncated\n");
return AVERROR_INVALIDDATA;
}
- break;
+ return AVERROR_EOF;
}
if (chunk_size > end || end - chunk_size < cur || chunk_size == UINT_MAX) {
avio_seek(pb, -9, SEEK_CUR);
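Review bot: Replacing `break;` with `return AVERROR_EOF;` turns the end-of-stream case from a normal loop exit into an error return, so any caller of ff_read_riff_info that only tests for a negative result will now reject a file whose INFO list ends exactly at end of stream; whether that is intended depends on the callers, which are outside the hunk. If the goal is to stop the enclosing read loop rather than to fail the file, the callers should map AVERROR_EOF to success, and a comment here would make that contract explicit, e.g. `/* clean EOF inside INFO: report it so the caller stops reading, not as corruption */`. The second hunk of this file adds the same AVERROR_EOF return for the zero-size/zero-code case but logs a "truncated file" warning first, while this exit is silent; either logging here as well or documenting why one is silent would make the two exits distinguishable in logs. ff_read_riff_info starts and ends outside the hunk.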
@@ -839,6 +839,10 @@ int ff_read_riff_info(AVFormatContext *s, int64_t size)
if (!chunk_code) {
if (chunk_size)
avio_skip(pb, chunk_size);
+ else if (pb->eof_reached) {
+ av_log(s, AV_LOG_WARNING, "truncated file\n");
+ return AVERROR_EOF;
+ }
continue;
}