authorMichael Niedermayer <michaelni@gmx.at>2011-11-22 01:43:58 +0100
committerMichael Niedermayer <michaelni@gmx.at>2011-11-22 01:43:58 +0100
commitb55aca6b8b3969e988e24f253b88e22ead80d8ba (patch)
tree9b576cdd8f8b312e09c9c5819a2c7bcddfae7dcf /libavcodec
parent57bf0d1fe53bd501cd2c060075ee9ba27a770bcd (diff)
parent4e9b2c57326fe254d0251fbf268b3481705b4c65 (diff)
downloadffmpeg-b55aca6b8b3969e988e24f253b88e22ead80d8ba.tar.gz
Merge branch 'release/0.7' into oldabi
* release/0.7: (33 commits) Update for 0.7.8 svq1dec: call avcodec_set_dimensions() after dimensions changed. Fixes NGS00148 vp3dec: Check coefficient index in vp3_dequant() Fixes NGS00145 qdm2dec: fix buffer overflow. Fixes NGS00144 h264: Fix invalid interlaced progressive MB combinations for direct mode prediction. Fixes Ticket312 mpegvideo: dont use ff_mspel_motion() for vc1 Fixes Ticket655 imgutils: Fix illegal read. ac3probe: Detect Sonic Foundry Soft Encode AC3 as raw AC3. Our ac3 code chain can handle it fine. More ideal would be to write a demuxer that actually extracts what can be from the additional headers and uses it for whatever it can be used for. mjpeg: support mpo Fixes stereoscopic_photo.mpo Add a version bump and APIchanges entry for avcodec_open2 and avformat_find_stream_info. lavf: fix multiplication overflow in avformat_find_stream_info() lavf: fix invalid reads in avformat_find_stream_info() lavf: add avformat_find_stream_info() lavc: fix parentheses placement in avcodec_open2(). lavc: introduce avcodec_open2() as a replacement for avcodec_open(). rawdec: use a default sample rate if none is specified. Fixes "ffmpeg -f s16le -i /dev/zero" rawdec: add check on sample_rate qdm2dec: check remaining input bits in the mainloop of qdm2_fft_decode_tones() This is neccessary but likely not sufficient to prevent out of array reads. cinepak: check strip_size wma: Check channel number before init. Fixes Ticket240 ... Conflicts: RELEASE doc/APIchanges libavcodec/avcodec.h libavcodec/utils.c libavcodec/version.h libavdevice/v4l2.c libavformat/utils.c Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
-rw-r--r--libavcodec/cinepak.c2
-rw-r--r--libavcodec/cook.c2
-rw-r--r--libavcodec/h264_direct.c4
-rw-r--r--libavcodec/mpegvideo_common.h2
-rw-r--r--libavcodec/pngdec.c3
-rw-r--r--libavcodec/qdm2.c11
-rw-r--r--libavcodec/svq1dec.c1
-rw-r--r--libavcodec/version.h3
-rw-r--r--libavcodec/vp3.c4
-rw-r--r--libavcodec/vp5.c8
-rw-r--r--libavcodec/vp6.c9
-rw-r--r--libavcodec/wmadec.c5
12 files changed, 43 insertions, 11 deletions
diff --git a/libavcodec/cinepak.c b/libavcodec/cinepak.c
index b9e0d17aaf..7ce4a1096d 100644
--- a/libavcodec/cinepak.c
+++ b/libavcodec/cinepak.c
@@ -365,6 +365,8 @@ static int cinepak_decode (CinepakContext *s)
s->strips[i].x2 = s->avctx->width;
strip_size = AV_RB24 (&s->data[1]) - 12;
+ if(strip_size < 0)
+ return -1;
s->data += 12;
strip_size = ((s->data + strip_size) > eod) ? (eod - s->data) : strip_size;
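Review bot: The clamp on the last line of this hunk still forms `s->data + strip_size` before comparing it with `eod`, and with a 24-bit size field that pointer can lie far beyond the input buffer, which is undefined behaviour and can wrap on 32-bit targets. Now that the added check guarantees `strip_size >= 0`, comparing lengths is safer: `if (strip_size > eod - s->data) strip_size = eod - s->data;`. That form still assumes at least 12 bytes remained before `s->data += 12`. cinepak_decode starts and ends outside the hunk, so whether that is checked earlier is not visible here.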
diff --git a/libavcodec/cook.c b/libavcodec/cook.c
index 0d09bb83fb..7ed004e0bd 100644
--- a/libavcodec/cook.c
+++ b/libavcodec/cook.c
@@ -1079,7 +1079,7 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)
q->subpacket[s].subbands = bytestream_get_be16(&edata_ptr);
extradata_size -= 8;
}
- if (avctx->extradata_size >= 8){
+ if (extradata_size >= 8){
bytestream_get_be32(&edata_ptr); //Unknown unused
q->subpacket[s].js_subband_start = bytestream_get_be16(&edata_ptr);
q->subpacket[s].js_vlc_bits = bytestream_get_be16(&edata_ptr);
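Review bot: Nothing next to the corrected test says that the local `extradata_size` is the count of bytes still unread while `avctx->extradata_size` is the total, which is the confusion the fix removes. A one-line comment above the `if` would keep it from coming back, e.g. `/* extradata_size = bytes not yet consumed via edata_ptr */`. The branch reads 8 bytes in the visible lines and continues past the end of the hunk, so it is worth confirming that `extradata_size` is reduced by the same amount afterwards.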
diff --git a/libavcodec/h264_direct.c b/libavcodec/h264_direct.c
index f8c9287e47..95e98d866a 100644
--- a/libavcodec/h264_direct.c
+++ b/libavcodec/h264_direct.c
@@ -253,6 +253,10 @@ static void pred_spatial_direct_motion(H264Context * const h, int *mb_type){
mb_type_col[1] = h->ref_list[1][0].f.mb_type[mb_xy + s->mb_stride];
b8_stride = 2+4*s->mb_stride;
b4_stride *= 6;
+ if(IS_INTERLACED(mb_type_col[0]) != IS_INTERLACED(mb_type_col[1])){
+ mb_type_col[0] &= ~MB_TYPE_INTERLACED;
+ mb_type_col[1] &= ~MB_TYPE_INTERLACED;
+ }
sub_mb_type |= MB_TYPE_16x16|MB_TYPE_DIRECT2; /* B_SUB_8x8 */
if( (mb_type_col[0] & MB_TYPE_16x16_OR_INTRA)
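Review bot: The added block rewrites both `mb_type_col[]` entries when the co-located pair disagrees on interlacing, but carries no comment saying that this combination is being treated as invalid input. I would add `/* mixed field/frame co-located pair is not valid here: treat both as progressive */` above the `if`. This presumably triggers only on damaged or crafted streams, so a debug-level `av_log` at the same spot would also make such files easier to triage. pred_spatial_direct_motion continues outside the hunk.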
diff --git a/libavcodec/mpegvideo_common.h b/libavcodec/mpegvideo_common.h
index a4d0167f36..bf6c4db580 100644
--- a/libavcodec/mpegvideo_common.h
+++ b/libavcodec/mpegvideo_common.h
@@ -725,7 +725,7 @@ static av_always_inline void MPV_motion_internal(MpegEncContext *s,
0, 0, 0,
ref_picture, pix_op, qpix_op,
s->mv[dir][0][0], s->mv[dir][0][1], 16);
- }else if(!is_mpeg12 && (CONFIG_WMV2_DECODER || CONFIG_WMV2_ENCODER) && s->mspel){
+ }else if(!is_mpeg12 && (CONFIG_WMV2_DECODER || CONFIG_WMV2_ENCODER) && s->mspel && s->codec_id == CODEC_ID_WMV2){
ff_mspel_motion(s, dest_y, dest_cb, dest_cr,
ref_picture, pix_op,
s->mv[dir][0][0], s->mv[dir][0][1], 16);
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 70635671c2..59ff9851df 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -471,7 +471,8 @@ static int decode_frame(AVCodecContext *avctx,
avctx->pix_fmt = PIX_FMT_MONOBLACK;
} else if (s->color_type == PNG_COLOR_TYPE_PALETTE) {
avctx->pix_fmt = PIX_FMT_PAL8;
- } else if (s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) {
+ } else if (s->bit_depth == 8 &&
+ s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) {
avctx->pix_fmt = PIX_FMT_GRAY8A;
} else {
goto fail;
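Review bot: Gray-alpha input with a bit depth other than 8 now falls through to `goto fail`, and no diagnostic is visible in this hunk saying why the image was rejected. Logging the combination before the jump, e.g. `av_log(avctx, AV_LOG_ERROR, "unsupported bit depth %d and color type %d\n", s->bit_depth, s->color_type);`, would let users and fuzz triage tell an unsupported format from a corrupt file. The `fail` label is outside the hunk, so it may already report something.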
diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
index bc9ba95afa..e2eb0eacb8 100644
--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -77,6 +77,7 @@ do { \
#define SAMPLES_NEEDED_2(why) \
av_log (NULL,AV_LOG_INFO,"This file triggers some missing code. Please contact the developers.\nPosition: %s\n",why);
+#define QDM2_MAX_FRAME_SIZE 512
typedef int8_t sb_int8_array[2][30][64];
@@ -169,7 +170,7 @@ typedef struct {
/// I/O data
const uint8_t *compressed_data;
int compressed_size;
- float output_buffer[1024];
+ float output_buffer[QDM2_MAX_FRAME_SIZE * MPA_MAX_CHANNELS * 2];
/// Synthesis filter
MPADSPContext mpadsp;
@@ -1328,7 +1329,7 @@ static void qdm2_fft_decode_tones (QDM2Context *q, int duration, GetBitContext *
local_int_10 = 1 << (q->group_order - duration - 1);
offset = 1;
- while (1) {
+ while (get_bits_left(gb)>0) {
if (q->superblocktype_2_3) {
while ((n = qdm2_get_vlc(gb, &vlc_tab_fft_tone_offset[local_int_8], 1, 2)) < 2) {
offset = 1;
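Review bot: The new `get_bits_left(gb)>0` test runs once per outer iteration, while the inner `while ((n = qdm2_get_vlc(...)) < 2)` loop two lines below keeps pulling codes with no bound of its own. On a truncated packet that inner loop can still read past the end of the bitstream; an `if (get_bits_left(gb) <= 0) return;` as the first statement of its body would close that path. The loop body continues outside the hunk, so other reads further down may need the same check.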
@@ -1823,7 +1824,8 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx)
// something like max decodable tones
s->group_order = av_log2(s->group_size) + 1;
s->frame_size = s->group_size / 16; // 16 iterations per super block
- if (s->frame_size > FF_ARRAY_ELEMS(s->output_buffer) / 2)
+
+ if (s->frame_size > QDM2_MAX_FRAME_SIZE)
return AVERROR_INVALIDDATA;
s->sub_sampling = s->fft_order - 7;
@@ -1894,6 +1896,9 @@ static int qdm2_decode (QDM2Context *q, const uint8_t *in, int16_t *out)
int ch, i;
const int frame_size = (q->frame_size * q->channels);
+ if((unsigned)frame_size > FF_ARRAY_ELEMS(q->output_buffer)/2)
+ return -1;
+
/* select input buffer */
q->compressed_data = in;
q->compressed_size = q->checksum_size;
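Review bot: `q->frame_size * q->channels` is multiplied as a signed `int` before the `(unsigned)` cast in the new check, so the check is only sound if `channels` is already bounded. The init hunk above limits `frame_size` but shows no test on the channel count. Validating it once at init, e.g. `if (s->channels <= 0 || s->channels > MPA_MAX_CHANNELS) return AVERROR_INVALIDDATA;`, would let the decoder fail at open time rather than on every packet. The bare `return -1` here is also inconsistent with the `AVERROR_INVALIDDATA` used at init. Finally, the `/2` here and the `* 2` in the `output_buffer` declaration deserve a short comment saying what the factor of two reserves.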
diff --git a/libavcodec/svq1dec.c b/libavcodec/svq1dec.c
index a079ce4837..f43f53dd3a 100644
--- a/libavcodec/svq1dec.c
+++ b/libavcodec/svq1dec.c
@@ -658,6 +658,7 @@ static int svq1_decode_frame(AVCodecContext *avctx,
av_dlog(s->avctx, "Error in svq1_decode_frame_header %i\n",result);
return result;
}
+ avcodec_set_dimensions(avctx, s->width, s->height);
//FIXME this avoids some confusion for "B frames" without 2 references
//this should be removed after libavcodec can handle more flexible picture types & ordering
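Review bot: `s->width` and `s->height` are handed to `avcodec_set_dimensions()` straight after header parsing, with no size validation visible in this hunk. If svq1_decode_frame_header does not already bound them, a guard ahead of the call such as `if (av_image_check_size(s->width, s->height, 0, avctx) < 0) return -1;` would reject dimensions whose buffers cannot be allocated safely. The header parser and the rest of svq1_decode_frame are outside the hunk, so this needs confirming against them.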
diff --git a/libavcodec/version.h b/libavcodec/version.h
index f07970344d..07b0f45592 100644
--- a/libavcodec/version.h
+++ b/libavcodec/version.h
@@ -113,5 +113,8 @@
#ifndef FF_API_VERY_AGGRESSIVE
#define FF_API_VERY_AGGRESSIVE (LIBAVCODEC_VERSION_MAJOR < 54)
#endif
+#ifndef FF_API_AVCODEC_OPEN
+#define FF_API_AVCODEC_OPEN (LIBAVCODEC_VERSION_MAJOR < 54)
+#endif
#endif /* AVCODEC_VERSION_H */
diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
index 85ba6ae16e..8810516528 100644
--- a/libavcodec/vp3.c
+++ b/libavcodec/vp3.c
@@ -1308,6 +1308,10 @@ static inline int vp3_dequant(Vp3DecodeContext *s, Vp3Fragment *frag,
case 1: // zero run
s->dct_tokens[plane][i]++;
i += (token >> 2) & 0x7f;
+ if(i>63){
+ av_log(s->avctx, AV_LOG_ERROR, "Coefficient index overflow\n");
+ return -1;
+ }
block[perm[i]] = (token >> 9) * dequantizer[perm[i]];
i++;
break;
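Review bot: The added `return -1` protects `block[perm[i]]` only if every caller of vp3_dequant treats a negative result as a decode error, and no call site is touched in this diff. If a caller uses the return value as a coefficient count or index, -1 would need explicit handling there. The other `case` arms of this switch are outside the hunk; it is worth confirming that their writes to `block[perm[i]]` are bounded in the same way. The error message could also name the fragment or plane so that a failing stream can be located.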
diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c
index 50bd868b51..23d0acc631 100644
--- a/libavcodec/vp5.c
+++ b/libavcodec/vp5.c
@@ -185,7 +185,8 @@ static void vp5_parse_coeff(VP56Context *s)
model1 = model->coeff_dccv[pt];
model2 = model->coeff_dcct[pt][ctx];
- for (coeff_idx=0; coeff_idx<64; ) {
+ coeff_idx = 0;
+ for (;;) {
if (vp56_rac_get_prob(c, model2[0])) {
if (vp56_rac_get_prob(c, model2[2])) {
if (vp56_rac_get_prob(c, model2[3])) {
@@ -222,8 +223,11 @@ static void vp5_parse_coeff(VP56Context *s)
ct = 0;
s->coeff_ctx[vp56_b6to4[b]][coeff_idx] = 0;
}
+ coeff_idx++;
+ if (coeff_idx >= 64)
+ break;
- cg = vp5_coeff_groups[++coeff_idx];
+ cg = vp5_coeff_groups[coeff_idx];
ctx = s->coeff_ctx[vp56_b6to4[b]][coeff_idx];
model1 = model->coeff_ract[pt][ct][cg];
model2 = cg > 2 ? model1 : model->coeff_acct[pt][ct][cg][ctx];
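Review bot: With the bound moved out of the `for` header, the only thing keeping `vp5_coeff_groups[coeff_idx]` and `s->coeff_ctx[...][coeff_idx]` in range is that the new `break` sits ahead of them, and nothing in the code says so. A comment on the check, e.g. `/* stop here: the lookups below must never see coeff_idx == 64 */`, would keep a later edit from reordering the statements. The same applies to the `coeff_idx += run;` / `break` pair added in the vp6.c hunk, where `run` can advance the index by more than one.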
diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c
index 29fcecdb57..84876b7146 100644
--- a/libavcodec/vp6.c
+++ b/libavcodec/vp6.c
@@ -442,7 +442,8 @@ static void vp6_parse_coeff(VP56Context *s)
model1 = model->coeff_dccv[pt];
model2 = model->coeff_dcct[pt][ctx];
- for (coeff_idx=0; coeff_idx<64; ) {
+ coeff_idx = 0;
+ for (;;) {
if ((coeff_idx>1 && ct==0) || vp56_rac_get_prob(c, model2[0])) {
/* parse a coeff */
if (vp56_rac_get_prob(c, model2[2])) {
@@ -483,8 +484,10 @@ static void vp6_parse_coeff(VP56Context *s)
run += vp56_rac_get_prob(c, model3[i+8]) << i;
}
}
-
- cg = vp6_coeff_groups[coeff_idx+=run];
+ coeff_idx += run;
+ if (coeff_idx >= 64)
+ break;
+ cg = vp6_coeff_groups[coeff_idx];
model1 = model2 = model->coeff_ract[pt][ct][cg];
}
diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c
index 9eaf230b01..11895a3996 100644
--- a/libavcodec/wmadec.c
+++ b/libavcodec/wmadec.c
@@ -109,6 +109,11 @@ static int wma_decode_init(AVCodecContext * avctx)
}
}
+ if(avctx->channels > MAX_CHANNELS){
+ av_log(avctx, AV_LOG_ERROR, "Invalid number of channels (%d)\n", avctx->channels);
+ return -1;
+ }
+
if(ff_wma_init(avctx, flags2)<0)
return -1;
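Review bot: The new test rejects only channel counts above `MAX_CHANNELS`; a zero or negative `avctx->channels` from a malformed container still reaches `ff_wma_init()`. Unless that function validates the lower bound itself (not visible here), the condition should be `if (avctx->channels <= 0 || avctx->channels > MAX_CHANNELS) {`. Returning `AVERROR_INVALIDDATA` instead of a bare `-1` would also give callers a meaningful error code.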