authorMichael Niedermayer <michaelni@gmx.at>2013-10-08 00:24:54 +0200
committerMichael Niedermayer <michaelni@gmx.at>2013-10-08 00:24:54 +0200
commitaf1fb1d4670fb34ea49a5742421dc3c665a86bfa (patch)
treed6b6e21ad7a0039a61c051d124a74ea767c3a9f0
parent9fde820d8e3cd6b9af5668b19047a465b108b298 (diff)
parentf8a72f041c049e812dfa1f32156327e9778f5710 (diff)
Merge commit 'f8a72f041c049e812dfa1f32156327e9778f5710' into release/1.1
* commit 'f8a72f041c049e812dfa1f32156327e9778f5710': mpc8: Check the seek table size parsed from the bitstream zmbvdec: Check the buffer size for uncompressed data ape: Don't allow the seektable to be omitted shorten: Break out of loop looking for fmt chunk if none is found shorten: Use a checked bytestream reader for the wave header smacker: Make sure we don't fill in huffman codes out of range smacker: Avoid integer overflow when allocating packets smacker: Don't return packets in unallocated streams dsicin: Add some basic sanity checks for fields read from the file Conflicts: libavcodec/shorten.c libavcodec/smacker.c libavcodec/zmbv.c libavformat/mpc8.c Merged-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavcodec/shorten.c34
-rw-r--r--libavcodec/smacker.c8
-rw-r--r--libavcodec/zmbv.c2
-rw-r--r--libavformat/ape.c2
-rw-r--r--libavformat/dsicin.c2
-rw-r--r--libavformat/mpc8.c2
-rw-r--r--libavformat/smacker.c4
7 files changed, 32 insertions, 22 deletions
diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index 991141533a..1ba93b95da 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -213,34 +213,38 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header,
{
int len, bps;
short wave_format;
- const uint8_t *end= header + header_size;
+ GetByteContext gb;
- if (bytestream_get_le32(&header) != MKTAG('R', 'I', 'F', 'F')) {
+ bytestream2_init(&gb, header, header_size);
+
+ if (bytestream2_get_le32(&gb) != MKTAG('R', 'I', 'F', 'F')) {
av_log(avctx, AV_LOG_ERROR, "missing RIFF tag\n");
return AVERROR_INVALIDDATA;
}
- header += 4; /* chunk size */
+ bytestream2_skip(&gb, 4); /* chunk size */
- if (bytestream_get_le32(&header) != MKTAG('W', 'A', 'V', 'E')) {
+ if (bytestream2_get_le32(&gb) != MKTAG('W', 'A', 'V', 'E')) {
av_log(avctx, AV_LOG_ERROR, "missing WAVE tag\n");
return AVERROR_INVALIDDATA;
}
- while (bytestream_get_le32(&header) != MKTAG('f', 'm', 't', ' ')) {
- len = bytestream_get_le32(&header);
- if (len<0 || end - header - 8 < len)
+ while (bytestream2_get_le32(&gb) != MKTAG('f', 'm', 't', ' ')) {
+ len = bytestream2_get_le32(&gb);
+ bytestream2_skip(&gb, len);
+ if (len < 0 || bytestream2_get_bytes_left(&gb) < 16) {
+ av_log(avctx, AV_LOG_ERROR, "no fmt chunk found\n");
return AVERROR_INVALIDDATA;
- header += len;
+ }
}
- len = bytestream_get_le32(&header);
+ len = bytestream2_get_le32(&gb);
if (len < 16) {
av_log(avctx, AV_LOG_ERROR, "fmt chunk was too short\n");
return AVERROR_INVALIDDATA;
}
- wave_format = bytestream_get_le16(&header);
+ wave_format = bytestream2_get_le16(&gb);
switch (wave_format) {
case WAVE_FORMAT_PCM:
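Review bot: In the chunk-skipping loop, `bytestream2_skip(&gb, len)` runs before `len < 0` is tested, so a negative length read from the file is handed to the skip first. That is harmless only if the skip takes an unsigned size and clamps to the bytes remaining, which this page does not show. Rejecting the value first makes the loop safe by inspection: put `if (len < 0) return AVERROR_INVALIDDATA;` ahead of the skip and keep `bytestream2_get_bytes_left(&gb) < 16` as the post-skip test. decode_wave_header continues past the end of this hunk.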
@@ -250,11 +254,11 @@ static int decode_wave_header(AVCodecContext *avctx, const uint8_t *header,
return AVERROR(ENOSYS);
}
- header += 2; // skip channels (already got from shorten header)
- avctx->sample_rate = bytestream_get_le32(&header);
- header += 4; // skip bit rate (represents original uncompressed bit rate)
- header += 2; // skip block align (not needed)
- bps = bytestream_get_le16(&header);
+ bytestream2_skip(&gb, 2); // skip channels (already got from shorten header)
+ avctx->sample_rate = bytestream2_get_le32(&gb);
+ bytestream2_skip(&gb, 4); // skip bit rate (represents original uncompressed bit rate)
+ bytestream2_skip(&gb, 2); // skip block align (not needed)
+ bps = bytestream2_get_le16(&gb);
avctx->bits_per_coded_sample = bps;
if (bps != 16 && bps != 8) {
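Review bot: `avctx->sample_rate = bytestream2_get_le32(&gb);` stores a 32-bit field from the file with no range check in this hunk. The checked reader presumably yields 0 rather than reading past a truncated header, so 0 or a value above INT_MAX can end up in sample_rate. bps is validated just below, but nothing visible does the same for the rate; a guard such as `if (avctx->sample_rate <= 0) return AVERROR_INVALIDDATA;` after the assignment would close that. The function continues outside the hunk, so a later check may already exist.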
diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index 88b2b9c004..bf027e8df7 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -268,10 +268,12 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int
if(ctx.last[0] == -1) ctx.last[0] = huff.current++;
if(ctx.last[1] == -1) ctx.last[1] = huff.current++;
if(ctx.last[2] == -1) ctx.last[2] = huff.current++;
- if(huff.current > huff.length){
+ if (ctx.last[0] >= huff.length ||
+ ctx.last[1] >= huff.length ||
+ ctx.last[2] >= huff.length) {
+ av_log(smk->avctx, AV_LOG_ERROR, "Huffman codes out of range\n");
ctx.last[0] = ctx.last[1] = ctx.last[2] = 1;
- av_log(smk->avctx, AV_LOG_ERROR, "bigtree damaged\n");
- return AVERROR_INVALIDDATA;
+ err = AVERROR_INVALIDDATA;
}
*recodes = huff.values;
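Review bot: The error branch resets `ctx.last[0]`..`ctx.last[2]` to 1 and then falls through to `*recodes = huff.values;` instead of returning, and nothing here says why. Presumably the cleanup and the return of `err` sit below the hunk; a comment such as `/* do not return here: fall through so the cleanup below still runs */` would make that explicit. Index 1 is only in range when `huff.length` is at least 2, which the hunk does not establish, so 0 would be the safer reset value. If the `ctx.last[]` fields are signed, values below -1 also pass the `>=` comparisons unrejected.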
diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c
index 4e5d16f7e4..9be612bd03 100644
--- a/libavcodec/zmbv.c
+++ b/libavcodec/zmbv.c
@@ -508,7 +508,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame, AVPac
if (c->comp == 0) { //Uncompressed data
if (c->decomp_size < len) {
- av_log(avctx, AV_LOG_ERROR, "decomp buffer too small\n");
+ av_log(avctx, AV_LOG_ERROR, "Buffer too small\n");
return AVERROR_INVALIDDATA;
}
memcpy(c->decomp_buf, buf, len);
diff --git a/libavformat/ape.c b/libavformat/ape.c
index 58f2418ce7..2cd3d80f34 100644
--- a/libavformat/ape.c
+++ b/libavformat/ape.c
@@ -253,7 +253,7 @@ static int ape_read_header(AVFormatContext * s)
ape->totalframes);
return AVERROR_INVALIDDATA;
}
- if (ape->seektablelength && (ape->seektablelength / sizeof(*ape->seektable)) < ape->totalframes) {
+ if (ape->seektablelength / sizeof(*ape->seektable) < ape->totalframes) {
av_log(s, AV_LOG_ERROR,
"Number of seek entries is less than number of frames: %zu vs. %"PRIu32"\n",
ape->seektablelength / sizeof(*ape->seektable), ape->totalframes);
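Review bot: The reason a zero `seektablelength` must now fail is not stated at the check, and the removed `ape->seektablelength &&` short-circuit looked deliberate. A one-line comment above the condition, e.g. `/* the seek table is mandatory: a missing table has fewer entries than frames and is rejected too */`, would keep a later cleanup from reintroducing the bypass. It would also help to say that `seektablelength` is a byte count, since the comparison is in entries. ape_read_header starts and ends outside this hunk.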
diff --git a/libavformat/dsicin.c b/libavformat/dsicin.c
index b8ca57c0a4..4a54680056 100644
--- a/libavformat/dsicin.c
+++ b/libavformat/dsicin.c
@@ -155,6 +155,8 @@ static int cin_read_frame_header(CinDemuxContext *cin, AVIOContext *pb) {
if (avio_rl32(pb) != 0xAA55AA55)
return AVERROR_INVALIDDATA;
+ if (hdr->video_frame_size < 0 || hdr->audio_frame_size < 0)
+ return AVERROR_INVALIDDATA;
return 0;
}
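Review bot: The new check on `hdr->video_frame_size` and `hdr->audio_frame_size` rejects negative values only, so very large positive sizes from the file still pass. If these sizes are later added to other lengths before a packet is allocated (that code is outside this hunk), the sum can overflow, which is what the smacker demuxer hunk in this same commit guards against with `frame_size >= INT_MAX/2`. Consider an upper bound here as well, e.g. `if (hdr->video_frame_size > INT_MAX / 2 || hdr->audio_frame_size > INT_MAX / 2) return AVERROR_INVALIDDATA;`. cin_read_frame_header starts outside the hunk.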
diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
index 011c7c8e64..293e20fc0e 100644
--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@@ -146,7 +146,7 @@ static void mpc8_parse_seektable(AVFormatContext *s, int64_t off)
return;
}
if (size > INT_MAX/10 || size<=0) {
- av_log(s, AV_LOG_ERROR, "Seek table size is invalid\n");
+ av_log(s, AV_LOG_ERROR, "Bad seek table size\n");
return;
}
if(!(buf = av_malloc(size + FF_INPUT_BUFFER_PADDING_SIZE)))
diff --git a/libavformat/smacker.c b/libavformat/smacker.c
index aa66312bda..47f4417f37 100644
--- a/libavformat/smacker.c
+++ b/libavformat/smacker.c
@@ -329,7 +329,7 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt)
}
flags >>= 1;
}
- if (frame_size < 0)
+ if (frame_size < 0 || frame_size >= INT_MAX/2)
return AVERROR_INVALIDDATA;
if (av_new_packet(pkt, frame_size + 769))
return AVERROR(ENOMEM);
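Review bot: The bound `frame_size >= INT_MAX/2` and the `+ 769` in the allocation two lines later are unexplained constants, and the bound is not obviously derived from the addition it protects. A comment on the check, e.g. `/* frame_size + 769 below, plus any padding av_new_packet() adds, must not overflow int */`, would tie the two together. Naming the 769 would help too; it looks like a 768-byte palette plus one flag byte, but that should be confirmed against the rest of the function. smacker_read_packet starts and ends outside this hunk.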
@@ -345,6 +345,8 @@ static int smacker_read_packet(AVFormatContext *s, AVPacket *pkt)
smk->cur_frame++;
smk->nextpos = avio_tell(s->pb);
} else {
+ if (smk->stream_id[smk->curstream] < 0)
+ return AVERROR_INVALIDDATA;
if (av_new_packet(pkt, smk->buf_sizes[smk->curstream]))
return AVERROR(ENOMEM);
memcpy(pkt->data, smk->bufs[smk->curstream], smk->buf_sizes[smk->curstream]);
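Review bot: The added guard checks `smk->stream_id[smk->curstream]`, but the `memcpy` two lines later still reads from `smk->bufs[smk->curstream]` without a NULL check. Whether a slot can have a valid stream id and no buffer depends on allocation code outside this hunk; if it can, extend the test to `if (smk->stream_id[smk->curstream] < 0 || !smk->bufs[smk->curstream])`. The early return also leaves `smk->curstream` unchanged as far as the hunk shows, so a caller that retries may hit the same slot again.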