Merge remote-tracking branch 'qatar/release/0.8' into release/0.10

* qatar/release/0.8: (24 commits)
  apedec: check bits <= 32.
  truemotion: forbid invalid VLC bitsizes and token values.
  mov: don't overwrite existing indexes.
  truemotion2: handle out-of-frame motion vectors through edge extension.
  lzw: prevent buffer overreads.
  truemotion2: convert packet header reading to bytestream2.
  lagarith: fix buffer overreads.
  raw: forward avpicture_fill() error code in raw_decode().
  vc1: Do not read from array if index is invalid.
  utvideo: port header reading to bytestream2.
  bytestream: add more unchecked variants for bytestream2 API
  bytestream: K&R formatting cosmetics
  bytestream: Add bytestream2 writing API.
  aac: Reset PS parameters on header decode failure.
  mov: Do not read past the end of the ctts_data table.
  xwma: Validate channels and bits_per_coded_sample.
  asf: reset side data elements on packet copy.
  vqa: check palette chunk size before reading data.
  vqavideo: port to bytestream2 API
  wmavoice: fix stack overread.
  ...

Conflicts:
	cmdutils.c
	cmdutils.h
	libavcodec/lagarith.c
	libavcodec/truemotion2.c
	libavcodec/vqavideo.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>

1 files changed, 12 insertions, 9 deletions

diff --git a/libavformat/mov.c b/libavformat/mov.c
index 9da8eab84f..95bc3dee40 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -1767,6 +1767,7 @@ static void mov_build_index(MOVContext *mov, AVStream *st)
     unsigned int stps_index = 0;
     unsigned int i, j;
     uint64_t stream_size = 0;
+    AVIndexEntry *mem;
 
     /* adjust first dts according to edit list */
     if ((sc->empty_duration || sc->start_time) && mov->time_scale > 0) {
@@ -1796,12 +1797,13 @@ static void mov_build_index(MOVContext *mov, AVStream *st)
 
         if (!sc->sample_count)
             return;
-        if (sc->sample_count >= UINT_MAX / sizeof(*st->index_entries))
+        if (sc->sample_count >= UINT_MAX / sizeof(*st->index_entries) - st->nb_index_entries)
             return;
-        st->index_entries = av_malloc(sc->sample_count*sizeof(*st->index_entries));
-        if (!st->index_entries)
+        mem = av_realloc(st->index_entries, (st->nb_index_entries + sc->sample_count) * sizeof(*st->index_entries));
+        if (!mem)
             return;
-        st->index_entries_allocated_size = sc->sample_count*sizeof(*st->index_entries);
+        st->index_entries = mem;
+        st->index_entries_allocated_size = (st->nb_index_entries + sc->sample_count) * sizeof(*st->index_entries);
 
         for (i = 0; i < sc->chunk_count; i++) {
             current_offset = sc->chunk_offsets[i];
@@ -1885,12 +1887,13 @@ static void mov_build_index(MOVContext *mov, AVStream *st)
         }
 
         av_dlog(mov->fc, "chunk count %d\n", total);
-        if (total >= UINT_MAX / sizeof(*st->index_entries))
+        if (total >= UINT_MAX / sizeof(*st->index_entries) - st->nb_index_entries)
             return;
-        st->index_entries = av_malloc(total*sizeof(*st->index_entries));
-        if (!st->index_entries)
+        mem = av_realloc(st->index_entries, (st->nb_index_entries + total) * sizeof(*st->index_entries));
+        if (!mem)
             return;
-        st->index_entries_allocated_size = total*sizeof(*st->index_entries);
+        st->index_entries = mem;
+        st->index_entries_allocated_size = (st->nb_index_entries + total) * sizeof(*st->index_entries);
 
         // populate index
         for (i = 0; i < sc->chunk_count; i++) {
@@ -2831,7 +2834,7 @@ static int mov_read_packet(AVFormatContext *s, AVPacket *pkt)
 
     pkt->stream_index = sc->ffindex;
     pkt->dts = sample->timestamp;
-    if (sc->ctts_data) {
+    if (sc->ctts_data && sc->ctts_index < sc->ctts_count) {
         pkt->pts = pkt->dts + sc->dts_shift + sc->ctts_data[sc->ctts_index].duration;
         /* update ctts context */
         sc->ctts_sample++;