Merge commit '993977032a0adb47eb70e7fef6ce0d5370027e83' into release/0.10

* commit '993977032a0adb47eb70e7fef6ce0d5370027e83':
  xan: Use bytestream2 to limit reading to within the buffer
  pcx: Consume the whole packet if giving up due to missing palette
  pngdec: Stop trying to decode once inflate returns Z_STREAM_END
  mov: Make sure the read sample count is nonnegative
  bfi: Add some very basic sanity checks for input packet sizes

Conflicts:
	libavformat/mov.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>

2 files changed, 8 insertions, 0 deletions

diff --git a/libavformat/bfi.c b/libavformat/bfi.c
index 35a6a51f04..37a15c9b68 100644
--- a/libavformat/bfi.c
+++ b/libavformat/bfi.c
@@ -130,6 +130,10 @@ static int bfi_read_packet(AVFormatContext * s, AVPacket * pkt)
         video_offset    = avio_rl32(pb);
         audio_size      = video_offset - audio_offset;
         bfi->video_size = chunk_size - video_offset;
+        if (audio_size < 0 || bfi->video_size < 0) {
+            av_log(s, AV_LOG_ERROR, "Invalid audio/video offsets or chunk size\n");
+            return AVERROR_INVALIDDATA;
+        }
 
         //Tossing an audio packet at the audio decoder.
         ret = av_get_packet(pb, pkt, audio_size);
diff --git a/libavformat/mov.c b/libavformat/mov.c
index efa73b7c6d..4cb456744f 100644
--- a/libavformat/mov.c
+++ b/libavformat/mov.c
@@ -1711,6 +1711,10 @@ static int mov_read_stts(MOVContext *c, AVIOContext *pb, MOVAtom atom)
             av_log(c->fc, AV_LOG_ERROR, "Invalid SampleDelta in STTS %d\n", sample_duration);
             sample_duration = 1;
         }
+        if (sample_count < 0) {
+            av_log(c->fc, AV_LOG_ERROR, "Invalid sample_count=%d\n", sample_count);
+            return AVERROR_INVALIDDATA;
+        }
         sc->stts_data[i].count= sample_count;
         sc->stts_data[i].duration= sample_duration;