Merge commit '42fed7f433e6d2167ffd4aae31905b583a53b988' into release/0.10

* commit '42fed7f433e6d2167ffd4aae31905b583a53b988':
  wavpack: check packet size early
  mjpegdec: validate parameters in mjpeg_decode_scan_progressive_ac
  mjpeg: Validate sampling factors
  ljpeg: use the correct number of components in yuv
  wavpack: validate samples size parsed in wavpack_decode_block
  jpegls: check the scan offset
  jpegls: factorize return paths
  jpegls: return meaningful errors
  mjpegdec: properly report unsupported disabled features
  update Changelog
  proresdec: support mixed interlaced/non-interlaced content
  update Changelog
  wav: Always seek to an even offset
  id3v2: check for end of file while unescaping tags
  indeo3: fix off by one in MV validity check
  aac: check the maximum number of channels
  update Changelog
  oggdec: fix faulty cleanup prototype

Conflicts:
	Changelog
	libavcodec/jpeglsdec.c
	libavcodec/mjpegdec.c
	libavformat/id3v2.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>

6 files changed, 50 insertions, 16 deletions

diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
index a592c50585..6249619b42 100644
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -192,6 +192,8 @@ static av_cold int che_configure(AACContext *ac,
                                  enum ChannelPosition che_pos[4][MAX_ELEM_ID],
                                  int type, int id, int *channels)
 {
+    if (*channels >= MAX_CHANNELS)
+        return AVERROR_INVALIDDATA;
     if (che_pos[type][id]) {
         if (!ac->che[type][id]) {
             if (!(ac->che[type][id] = av_mallocz(sizeof(ChannelElement))))
diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c
index c19fffd941..86a2dfbd2d 100644
--- a/libavcodec/indeo3.c
+++ b/libavcodec/indeo3.c
@@ -238,8 +238,8 @@ static int copy_cell(Indeo3DecodeContext *ctx, Plane *plane, Cell *cell)
 
     /* -1 because there is an extra line on top for prediction */
     if ((cell->ypos << 2) + mv_y < -1 || (cell->xpos << 2) + mv_x < 0 ||
-        ((cell->ypos + cell->height) << 2) + mv_y >= plane->height    ||
-        ((cell->xpos + cell->width)  << 2) + mv_x >= plane->width) {
+        ((cell->ypos + cell->height) << 2) + mv_y > plane->height     ||
+        ((cell->xpos + cell->width)  << 2) + mv_x > plane->width) {
         av_log(ctx->avctx, AV_LOG_ERROR,
                "Motion vectors point out of the frame.\n");
         return AVERROR_INVALIDDATA;
@@ -609,8 +609,8 @@ static int decode_cell(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
 
         /* -1 because there is an extra line on top for prediction */
         if ((cell->ypos << 2) + mv_y < -1 || (cell->xpos << 2) + mv_x < 0 ||
-            ((cell->ypos + cell->height) << 2) + mv_y >= plane->height    ||
-            ((cell->xpos + cell->width)  << 2) + mv_x >= plane->width) {
+            ((cell->ypos + cell->height) << 2) + mv_y > plane->height     ||
+            ((cell->xpos + cell->width)  << 2) + mv_x > plane->width) {
             av_log(ctx->avctx, AV_LOG_ERROR,
                    "Motion vectors point out of the frame.\n");
             return AVERROR_INVALIDDATA;
diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c
index 8eb9ec8d36..7814ad6640 100644
--- a/libavcodec/jpeglsdec.c
+++ b/libavcodec/jpeglsdec.c
@@ -71,13 +71,13 @@ int ff_jpegls_decode_lse(MJpegDecodeContext *s)
     case 2:
     case 3:
         av_log(s->avctx, AV_LOG_ERROR, "palette not supported\n");
-        return -1;
+        return AVERROR(ENOSYS);
     case 4:
         av_log(s->avctx, AV_LOG_ERROR, "oversize image not supported\n");
-        return -1;
+        return AVERROR(ENOSYS);
     default:
         av_log(s->avctx, AV_LOG_ERROR, "invalid id %d\n", id);
-        return -1;
+        return AVERROR_INVALIDDATA;
     }
 //    av_log(s->avctx, AV_LOG_DEBUG, "ID=%i, T=%i,%i,%i\n", id, s->t1, s->t2, s->t3);
 
@@ -263,7 +263,7 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor
     int i, t = 0;
     uint8_t *zero, *last, *cur;
     JLSState *state;
-    int off = 0, stride = 1, width, shift;
+    int off = 0, stride = 1, width, shift, ret = 0;
 
     zero = av_mallocz(s->picture.linesize[0]);
     last = zero;
@@ -289,6 +289,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor
 //    av_log(s->avctx, AV_LOG_DEBUG, "JPEG-LS params: %ix%i NEAR=%i MV=%i T(%i,%i,%i) RESET=%i, LIMIT=%i, qbpp=%i, RANGE=%i\n",s->width,s->height,state->near,state->maxval,state->T1,state->T2,state->T3,state->reset,state->limit,state->qbpp, state->range);
 //    av_log(s->avctx, AV_LOG_DEBUG, "JPEG params: ILV=%i Pt=%i BPP=%i, scan = %i\n", ilv, point_transform, s->bits, s->cur_scan);
     if(ilv == 0) { /* separate planes */
+        if (s->cur_scan > s->nb_components) {
+            ret = AVERROR_INVALIDDATA;
+            goto end;
+        }
         stride = (s->nb_components > 1) ? 3 : 1;
         off = av_clip(s->cur_scan - 1, 0, stride - 1);
         width = s->width * stride;
@@ -328,11 +332,10 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor
             last = cur;
             cur += s->picture.linesize[0];
         }
-    } else if(ilv == 2) { /* sample interleaving */
+    } else if (ilv == 2) { /* sample interleaving */
         av_log(s->avctx, AV_LOG_ERROR, "Sample interleaved images are not supported.\n");
-        av_free(state);
-        av_free(zero);
-        return -1;
+        ret = AVERROR_PATCHWELCOME;
+        goto end;
     }
 
     if(shift){ /* we need to do point transform or normalize samples */
@@ -360,10 +363,12 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, int point_transfor
             }
         }
     }
+
+end:
     av_free(state);
     av_free(zero);
 
-    return 0;
+    return ret;
 }
 
 
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index e4c9574118..dd437ebefd 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -276,6 +276,13 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
         s->quant_index[i] = get_bits(&s->gb, 8);
         if (s->quant_index[i] >= 4)
             return -1;
+        if (!s->h_count[i] || !s->v_count[i]) {
+            av_log(s->avctx, AV_LOG_ERROR,
+                   "Invalid sampling factor in component %d %d:%d\n",
+                   i, s->h_count[i], s->v_count[i]);
+            return AVERROR_INVALIDDATA;
+        }
+
         av_log(s->avctx, AV_LOG_DEBUG, "component %d %d:%d id: %d quant:%d\n",
                i, s->h_count[i], s->v_count[i],
                s->component_id[i], s->quant_index[i]);
@@ -783,10 +790,9 @@ static int ljpeg_decode_rgb_scan(MJpegDecodeContext *s, int nb_components, int p
 }
 
 static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor,
-                                 int point_transform)
+                                 int point_transform, int nb_components)
 {
     int i, mb_x, mb_y;
-    const int nb_components=s->nb_components;
     int bits= (s->bits+7)&~7;
     int resync_mb_y = 0;
     int resync_mb_x = 0;
@@ -1085,6 +1091,12 @@ static int mjpeg_decode_scan_progressive_ac(MJpegDecodeContext *s, int ss,
     int last_scan = 0;
     int16_t *quant_matrix = s->quant_matrixes[s->quant_index[c]];
 
+
+    if (ss < 0  || ss >= 64 ||
+        se < ss || se >= 64 ||
+        Ah < 0  || Al < 0)
+        return AVERROR_INVALIDDATA;
+
     if (!Al) {
         s->coefs_finished[c] |= (1LL << (se + 1)) - (1LL << ss);
         last_scan = !~s->coefs_finished[c];
@@ -1226,7 +1238,8 @@ int ff_mjpeg_decode_sos(MJpegDecodeContext *s, const uint8_t *mb_bitmask,
                 if (ljpeg_decode_rgb_scan(s, nb_components, predictor, point_transform) < 0)
                     return -1;
             } else {
-                if (ljpeg_decode_yuv_scan(s, predictor, point_transform) < 0)
+                if (ljpeg_decode_yuv_scan(s, predictor, point_transform,
+                                          nb_components))
                     return -1;
             }
         }
@@ -1597,6 +1610,12 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
             else if (start_code == COM)
                 mjpeg_decode_com(s);
 
+            if (!CONFIG_JPEGLS_DECODER &&
+                (start_code == SOF48 || start_code == LSE)) {
+                av_log(avctx, AV_LOG_ERROR, "JPEG-LS support not enabled.\n");
+                return AVERROR(ENOSYS);
+            }
+
             switch (start_code) {
             case SOI:
                 s->restart_interval = 0;
diff --git a/libavcodec/proresdec_lgpl.c b/libavcodec/proresdec_lgpl.c
index 5fe47755c2..986e69bca7 100644
--- a/libavcodec/proresdec_lgpl.c
+++ b/libavcodec/proresdec_lgpl.c
@@ -186,6 +186,8 @@ static int decode_frame_header(ProresContext *ctx, const uint8_t *buf,
     if (ctx->frame_type) {      /* if interlaced */
         ctx->picture.interlaced_frame = 1;
         ctx->picture.top_field_first  = ctx->frame_type & 1;
+    } else {
+        ctx->picture.interlaced_frame = 0;
     }
 
     ctx->alpha_info = buf[17] & 0xf;
diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
index 71eaf70ecc..6e33dcbb6e 100644
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
@@ -790,6 +790,9 @@ static int wavpack_decode_block(AVCodecContext *avctx, int block_no,
 
     if (!wc->mkv_mode) {
         s->samples = AV_RL32(buf); buf += 4;
+        if (s->samples != wc->samples)
+            return AVERROR_INVALIDDATA;
+
         if (!s->samples) {
             *got_frame_ptr = 0;
             return 0;
@@ -1169,6 +1172,9 @@ static int wavpack_decode_frame(AVCodecContext *avctx, void *data,
     int frame_size, ret, frame_flags;
     int samplecount = 0;
 
+    if (avpkt->size < 12 + s->multichannel * 4)
+        return AVERROR_INVALIDDATA;
+
     s->block     = 0;
     s->ch_offset = 0;