author | Michael Niedermayer <michaelni@gmx.at> | 2014-01-16 22:02:02 +0100 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2014-01-16 22:02:02 +0100 |
commit | d1c7a7776f6775cf43c3a5025d0544f0470125f4 (patch) | |
tree | 5df137fce84cf350c411a87805da88f7baf7d0d7 /libavformat/wtvdec.c | |
parent | 5339a9f000519851d111d747a9c582981be7ee82 (diff) | |
parent | 159993acc7f4e3155510d42c543e09fe972b933c (diff) | |
download | ffmpeg-d1c7a7776f6775cf43c3a5025d0544f0470125f4.tar.gz |
Merge commit '159993acc7f4e3155510d42c543e09fe972b933c' into release/0.10
* commit '159993acc7f4e3155510d42c543e09fe972b933c':
vc1dec: Fix leaks in ff_vc1_decode_init_alloc_tables on errors
wnv1: Make sure the input packet is large enough
dca: Validate the lfe parameter
rl2: Avoid a division by zero
wtv: Add more sanity checks for a length read from the file
segafilm: Validate the number of audio channels
qpeg: Add checks for running out of rows in qpeg_decode_inter
mpegaudiodec: Validate that the number of channels fits at the given offset
asv1: Verify the amount of extradata
idroqdec: Make sure a video stream has been allocated before returning packets
rv10: Validate the dimensions set from the container
xmv: Add more sanity checks for parameters read from the bitstream
ffv1: Make sure at least one slice context is initialized
truemotion2: Use av_freep properly in an error path
Conflicts:
libavcodec/qpeg.c
libavcodec/wnv1.c
libavformat/wtv.c
libavformat/xmv.c
Merged-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavformat/wtvdec.c')
-rw-r--r-- | libavformat/wtvdec.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/libavformat/wtvdec.c b/libavformat/wtvdec.c index 3980aca154..fb768d1244 100644 --- a/libavformat/wtvdec.c +++ b/libavformat/wtvdec.c @@ -258,7 +258,12 @@ static AVIOContext * wtvfile_open2(AVFormatContext *s, const uint8_t *buf, int b dir_length = AV_RL16(buf + 16); file_length = AV_RL64(buf + 24); name_size = 2 * AV_RL32(buf + 32); - if (buf + 48 + name_size > buf_end) { + if (name_size < 0) { + av_log(s, AV_LOG_ERROR, + "bad filename length, remaining directory entries ignored\n"); + break; + } + if (48 + name_size > buf_end - buf) { av_log(s, AV_LOG_ERROR, "filename exceeds buffer size; remaining directory entries ignored\n"); break; } |
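Review bot: in the rewritten bound check `if (48 + name_size > buf_end - buf)`, the left-hand side is still evaluated in the type of name_size before the comparison, so if name_size is an int (its declaration is outside this hunk) a value close to INT_MAX makes `48 + name_size` overflow, which is undefined behaviour and can let an oversized length pass the check. Widening the addition, for example `48 + (int64_t)name_size > buf_end - buf`, or moving the constant across as `name_size > buf_end - buf - 48`, removes the overflow; the second form assumes at least 48 bytes remain at this point, which the visible lines do not show. Related: `name_size = 2 * AV_RL32(buf + 32)` doubles the 32-bit field before anything is validated, so the new `name_size < 0` test only sees the value after the multiplication has wrapped and been converted to the signed type; checking the raw field against an upper bound before doubling would not depend on that conversion. Minor style point: the two error messages punctuate differently ("length, remaining" versus "size; remaining").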