Merge remote-tracking branch 'qatar/master'

* qatar/master: (29 commits)
  amrwb: remove duplicate arguments from extrapolate_isf().
  amrwb: error out early if mode is invalid.
  h264: change underread for 10bit QPEL to overread.
  matroska: check buffer size for RM-style byte reordering.
  vp8: disable mmx functions with sse/sse2 counterparts on x86-64.
  vp8: change int stride to ptrdiff_t stride.
  wma: fix invalid buffer size assumptions causing random overreads.
  Windows Media Audio Lossless decoder
  rv10/20: Fix slice overflow with checked bitstream reader.
  h263dec: Disallow width/height changing with frame threads.
  rv10/20: Fix a buffer overread caused by losing track of the remaining buffer size.
  rmdec: Honor .RMF tag size rather than assuming 18.
  g722: Fix the QMF scaling
  r3d: don't set codec timebase.
  electronicarts: set timebase for tgv video.
  electronicarts: parse the framerate for cmv video.
  ogg: don't set codec timebase
  electronicarts: don't set codec timebase
  avs: don't set codec timebase
  wavpack: Fix an integer overflow
  ...

Conflicts:
	libavcodec/arm/vp8dsp_init_arm.c
	libavcodec/fraps.c
	libavcodec/h264.c
	libavcodec/mpeg4videodec.c
	libavcodec/mpegvideo.c
	libavcodec/msmpeg4.c
	libavcodec/pnmdec.c
	libavcodec/qpeg.c
	libavcodec/rawenc.c
	libavcodec/ulti.c
	libavcodec/vcr1.c
	libavcodec/version.h
	libavcodec/wmalosslessdec.c
	libavformat/electronicarts.c
	libswscale/ppc/yuv2rgb_altivec.c
	tests/ref/acodec/g722
	tests/ref/fate/ea-cmv

Merged-by: Michael Niedermayer <michaelni@gmx.at>

1 files changed, 28 insertions, 10 deletions

diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c
index dd8715b300..bc86b69a2e 100644
--- a/libavcodec/rv10.c
+++ b/libavcodec/rv10.c
@@ -515,9 +515,10 @@ static int rv10_decode_packet(AVCodecContext *avctx,
                              const uint8_t *buf, int buf_size, int buf_size2)
 {
     MpegEncContext *s = avctx->priv_data;
-    int mb_count, mb_pos, left, start_mb_x;
+    int mb_count, mb_pos, left, start_mb_x, active_bits_size;
 
-    init_get_bits(&s->gb, buf, buf_size*8);
+    active_bits_size = buf_size * 8;
+    init_get_bits(&s->gb, buf, FFMAX(buf_size, buf_size2) * 8);
     if(s->codec_id ==CODEC_ID_RV10)
         mb_count = rv10_decode_picture_header(s);
     else
@@ -601,13 +602,26 @@ static int rv10_decode_packet(AVCodecContext *avctx,
         s->mv_type = MV_TYPE_16X16;
         ret=ff_h263_decode_mb(s, s->block);
 
-        if (ret != SLICE_ERROR && s->gb.size_in_bits < get_bits_count(&s->gb) && 8*buf_size2 >= get_bits_count(&s->gb)){
-            av_log(avctx, AV_LOG_DEBUG, "update size from %d to %d\n", s->gb.size_in_bits, 8*buf_size2);
-            s->gb.size_in_bits= 8*buf_size2;
+        // Repeat the slice end check from ff_h263_decode_mb with our active
+        // bitstream size
+        if (ret != SLICE_ERROR) {
+            int v = show_bits(&s->gb, 16);
+
+            if (get_bits_count(&s->gb) + 16 > active_bits_size)
+                v >>= get_bits_count(&s->gb) + 16 - active_bits_size;
+
+            if (!v)
+                ret = SLICE_END;
+        }
+        if (ret != SLICE_ERROR && active_bits_size < get_bits_count(&s->gb) &&
+            8 * buf_size2 >= get_bits_count(&s->gb)) {
+            active_bits_size = buf_size2 * 8;
+            av_log(avctx, AV_LOG_DEBUG, "update size from %d to %d\n",
+                   8 * buf_size, active_bits_size);
             ret= SLICE_OK;
         }
 
-        if (ret == SLICE_ERROR || s->gb.size_in_bits < get_bits_count(&s->gb)) {
+        if (ret == SLICE_ERROR || active_bits_size < get_bits_count(&s->gb)) {
             av_log(s->avctx, AV_LOG_ERROR, "ERROR at MB %d %d\n", s->mb_x, s->mb_y);
             return -1;
         }
@@ -629,7 +643,7 @@ static int rv10_decode_packet(AVCodecContext *avctx,
 
     ff_er_add_slice(s, start_mb_x, s->resync_mb_y, s->mb_x-1, s->mb_y, ER_MB_END);
 
-    return s->gb.size_in_bits;
+    return active_bits_size;
 }
 
 static int get_slice_offset(AVCodecContext *avctx, const uint8_t *buf, int n)
@@ -661,8 +675,12 @@ static int rv10_decode_frame(AVCodecContext *avctx,
 
     if(!avctx->slice_count){
         slice_count = (*buf++) + 1;
+        buf_size--;
         slices_hdr = buf + 4;
         buf += 8 * slice_count;
+        buf_size -= 8 * slice_count;
+        if (buf_size <= 0)
+            return AVERROR_INVALIDDATA;
     }else
         slice_count = avctx->slice_count;
 
@@ -696,9 +714,9 @@ static int rv10_decode_frame(AVCodecContext *avctx,
         ff_MPV_frame_end(s);
 
         if (s->pict_type == AV_PICTURE_TYPE_B || s->low_delay) {
-            *pict= *(AVFrame*)s->current_picture_ptr;
+            *pict = s->current_picture_ptr->f;
         } else if (s->last_picture_ptr != NULL) {
-            *pict= *(AVFrame*)s->last_picture_ptr;
+            *pict = s->last_picture_ptr->f;
         }
 
         if(s->last_picture_ptr || s->low_delay){
@@ -708,7 +726,7 @@ static int rv10_decode_frame(AVCodecContext *avctx,
         s->current_picture_ptr= NULL; //so we can detect if frame_end wasnt called (find some nicer solution...)
     }
 
-    return buf_size;
+    return avpkt->size;
 }
 
 AVCodec ff_rv10_decoder = {