-- ffmpeg project total bugs found by j00ru & gynvael and fixed: -> 666 --

git logs with bug fixes:

commit 4f1279154ee9baf2078241bf5619774970d18b25
Author: Michael Niedermayer
Date:   Wed Feb 13 01:03:30 2013 +0100

    shorten: don't leave invalid channel counts in the context.
    Fixes freeing invalid addresses
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit e1219cdaf9fb4bc8cea410e1caf802373c1bfe51
Author: Michael Niedermayer
Date:   Tue Feb 12 23:40:24 2013 +0100

    tiff: Check buffer allocation and pointer increment more carefully in shorts2str() and double2str()
    Fixes out of array accesses
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 6f9ae391deeab618fc9c0080d05b97afa29ddf81
Author: Michael Niedermayer
Date:   Tue Feb 12 22:14:50 2013 +0100

    faxcompr: Don't read ref when the end has been reached in pass mode
    Fixes reading over the end
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 1ac0fa50eff30d413206cffa5f47f7fe6d4849b1
Author: Michael Niedermayer
Date:   Tue Feb 12 19:53:40 2013 +0100

    pngdec/filter: don't access out of array elements at the end
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 5260edee7e5bd975837696c8c8c1a80eb2fbd7c1
Author: Michael Niedermayer
Date:   Tue Feb 12 02:03:28 2013 +0100

    sanm: Use the correct height variable in the decoded_size checks
    Fixes integer overflow and out of array accesses
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 365270aec5c2b9284230abc702b11168818f14cf
Author: Michael Niedermayer
Date:   Tue Feb 12 01:09:03 2013 +0100

    sanm: add forgotten check for decoded_size in old_codec37()
    Fixes out of array accesses
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 0e3dacb11eacf6a944691bb4a12f4dd56b6d7ce6
Author: Michael Niedermayer
Date:   Sun Feb 10 20:24:22 2013 +0100

    tiff: don't leave geotag_count in an invalid state on errors.
    Fixes out of array reads
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit f28043d0a34aaf4ac7cf25bd0dddd868811c0ab2
Author: Michael Niedermayer
Date:   Sun Feb 10 20:17:33 2013 +0100

    tiff: check for failure in search_keyval()
    Fixes null pointer dereference
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 478fc7f57bac966fcd916419336b349028c549ec
Author: Michael Niedermayer
Date:   Sun Feb 10 18:31:05 2013 +0100

    pictordec: fix cga palette index limit
    Fixes out of array read
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit ea1d8465e6eca582c09e2526f677033b62576fda
Author: Michael Niedermayer
Date:   Sun Feb 10 18:15:33 2013 +0100

    Fix division by 0 due to audio frame size
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit cb85779d459c6486acbbf060b3f169779424583e
Author: Michael Niedermayer
Date:   Sun Feb 10 17:54:00 2013 +0100

    dpx: include offset in the total_size calculation
    Fixes out of array reads
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit d24de4596c3f980c9cc1cb5c8706c8411e46275b
Author: Michael Niedermayer
Date:   Sun Feb 10 17:19:35 2013 +0100

    pcx: Add missing padding to scanline buffer
    Fixes out of array read
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 6462268e74fa2c935c2936904cc1da9f499c04f3
Author: Michael Niedermayer
Date:   Sun Feb 10 16:52:04 2013 +0100

    pcx: fix rounding in bytes_per_scanline check
    Fixes out of array reads
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 796012af6c780b5b13ebca39a491f215515a18fe
Author: Michael Niedermayer
Date:   Sat Feb 9 20:49:32 2013 +0100

    targa: Fix y check in advance_line
    Fixes out of array accesses
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit b5fc95e77f9e154978d914548b86a8bc9fd1d0f2
Author: Michael Niedermayer
Date:   Sat Feb 9 18:40:12 2013 +0100

    motionpixels: Check that the vlc table has been fully inited
    Fixes out of array reads
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 4401958fdc9abd3551dd1903bd6d30890329b448
Author: Michael Niedermayer
Date:   Sat Feb 9 18:37:53 2013 +0100

    motionpixels: Propagate errors in vlc table init
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

commit 695af8eed642ff0104834495652d1ee784a4c14d
Author: Michael Niedermayer
Date:   Sat Feb 2 21:11:54 2013 +0100

    h264: skip error concealment when SPS and slices are mismatching
    Fixes out of array accesses
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit cdf0877bc341684c56ac1fe057397adbadf329ee
Author: Michael Niedermayer
Date:   Thu Jan 31 04:20:24 2013 +0100

    h264/cabac: check loop index
    fix out of array read
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit fe6767f849d9cfe51f422de9d807137d756de7aa
Author: Michael Niedermayer
Date:   Thu Jan 31 03:36:59 2013 +0100

    asfdec: fix integer overflow in packet_replic_size check
    Fixes assertion failure
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 9df9420dea0fc4c523dabc1bb6186c98885bdd9f
Author: Michael Niedermayer
Date:   Thu Jan 31 00:45:24 2013 +0100

    interplayvideo: Free previous frames on resolution changes.
    Fixes out of array reads
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit a084884b628fd9cbfe965b7ac37e59202d708c26
Author: Michael Niedermayer
Date:   Wed Jan 30 23:45:01 2013 +0100

    flashsv: clear blocks array on reallocation
    Fixes use of uninitialized data
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 984add64a41c3296a8a82051cc90bff2eb449609
Author: Michael Niedermayer
Date:   Wed Jan 30 22:56:45 2013 +0100

    wma: check byte_offset_bits
    Fixes assertion failure
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 4a2da83a787b24c4027aa963d9db9b453e91f413
Author: Michael Niedermayer
Date:   Wed Jan 30 19:31:45 2013 +0100

    dnxhddec: fix integer overflow / index check
    Fixes out of array read
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit b926cc7834d5bc998775528097831c0fbcf3730a
Author: Michael Niedermayer
Date:   Wed Jan 30 18:12:42 2013 +0100

    mss3: prevent AC state from becoming invalid in rac_normalise()
    Fixes division by zero
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit dc8dd2f6e972985f3ed237019bc7c70731af8148
Author: Michael Niedermayer
Date:   Tue Jan 29 22:35:37 2013 +0100

    sanm: Check MV before using them.
    Fixes out of array reads
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit f67a0d115254461649470452058fa3c28c0df294
Author: Michael Niedermayer
Date:   Tue Jan 29 17:56:19 2013 +0100

    huffyuvdec: Check init_vlc() return codes.
    Prevents out of array writes
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit df92ac18528bac4566fc4f5ba4d607c1265791ea
Author: Michael Niedermayer
Date:   Tue Jan 29 16:57:22 2013 +0100

    r3d: fix division by 0 with 0 sample rate
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 11c99c78bafa77f679a1a3ba06ad00984b9a4cae
Author: Michael Niedermayer
Date:   Tue Jan 29 04:17:48 2013 +0100

    h264: check the pixel format directly and force a reinit on mismatches.
    The existing checks are insufficient to detect pixel format changes in case of some damaged streams.
    Fixes inconsistency and later out of array accesses
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 3939b790f2eb1d747a1ca80c4db4e2a145812af4
Author: Michael Niedermayer
Date:   Mon Jan 28 23:12:24 2013 +0100

    wmavoicedec: use the checked bitstream reader
    Fixes out of array reads
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 14c8ee00ffd9d45e6e0c6f11a957ce7e56f7eb3a
Author: Michael Niedermayer
Date:   Mon Jan 28 22:43:30 2013 +0100

    vp3dec: move threads check out of header packet type check
    Prevents reconfiguration with threads which is unsupported and would bring the contexts into an inconsistent state.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 94ef1667bb04ed81ff10f7ba4b8d7e54bd8bc76b
Author: Michael Niedermayer
Date:   Mon Jan 28 20:40:13 2013 +0100

    dirac/x86: Fix handling blocksizes that are not a multiple of 4
    Fixes out of array accesses
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 8c4aebb58d00fd613f3f684bf0f869966149ae78
Author: Michael Niedermayer
Date:   Mon Jan 28 19:34:55 2013 +0100

    qdm2: increase noise_table size
    This prevents out of array reads.
    An alternative solution would be to check the index but this would require several checks in the inner loops.
    Yet another alternative would be to change the index reset logic but this likely would introduce a difference to the binary decoder.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 4ade824e1f6a27f2357098d8e7e615f1b524a588
Author: Michael Niedermayer
Date:   Sun Jan 27 23:45:44 2013 +0100

    mjpegdec: rgb mode is specific for ljpeg, disable it for others.
    Fixes null pointer dereference
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 8888c72fcfe1419668cc41dca4399374e6c09680
Author: Michael Niedermayer
Date:   Sun Jan 27 21:52:24 2013 +0100

    mjpegdec: fix memcmp size for *_count
    Fixes assertion failure
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit deefdf9788467edd262b9c29a4f6e33d2ae84b8c
Author: Michael Niedermayer
Date:   Sun Jan 27 21:17:32 2013 +0100

    avpriv_mpeg4audio_get_config: check init_get_bits() return code.
    Fixes null pointer dereference
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 96f452ac647dae33c53c242ef3266b65a9beafb6
Author: Michael Niedermayer
Date:   Sun Jan 27 20:37:27 2013 +0100

    aacdec: check channel count
    Prevent out of array accesses
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit f9abeecd94cfa335bf43e2a19b60fb990a46644f
Author: Michael Niedermayer
Date:   Sun Jan 27 05:57:58 2013 +0100

    swr/build_filter: use av_calloc() fix buffer overflow
    Fixes integer & buffer overflow
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 5de286ef88befc23959d345c12d27a76095b8b0e
Author: Michael Niedermayer
Date:   Sun Jan 27 02:14:38 2013 +0100

    mvdec: check var_read_string() return value
    Prevent null pointer dereference
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 362271d72fc38cd1f4b076aff9a12b1104c26760
Author: Michael Niedermayer
Date:   Sun Jan 27 02:08:22 2013 +0100

    mvdec: Check the frame counter against the correct limit.
    fixes out of array reads
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit c8f25cafd2f23662bcb1e62965c0c42d6989688a
Author: Michael Niedermayer
Date:   Sat Jan 26 04:27:23 2013 +0100

    atrac3: fix buffer size for get_bits.
    Fixes out of array reads
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 66daebc9d50d8095bb067138168e57b6a1880a19
Author: Michael Niedermayer
Date:   Sat Jan 26 03:17:19 2013 +0100

    indeo4: check for invalid transform_size blk_size combinations
    The checks existing previously were not sufficient
    Fixes out of array accesses
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 53a3fdbfc56da54b2c0a44eb1f956ec9d67d1425
Author: Michael Niedermayer
Date:   Sat Jan 26 02:03:05 2013 +0100

    4xm: Check available space in read_huffman_tables()
    Fixes integer overflow and out of array accesses
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit ab6c9332bfa1e20127a16392a0b85a4aa4840889
Author: Michael Niedermayer
Date:   Fri Jan 25 06:11:59 2013 +0100

    vqavideo: check chunk sizes before reading chunks
    Fixes out of array writes
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit e9d443cf08503f7bd0149576ba9e891322de340d
Author: Michael Niedermayer
Date:   Fri Jan 25 00:41:16 2013 +0100

    eacmv: Free frames on resolution changes
    Fixes out of array reads
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 286930d302fd34cfc2541bfdd760a8bbf9f2d2e5
Author: Michael Niedermayer
Date:   Fri Jan 25 00:03:59 2013 +0100

    gifdec: check that w,h is not zero
    Fixes out of array access
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit c10350358da58600884292c08a8690289b81de29
Author: Michael Niedermayer
Date:   Thu Jan 24 23:11:10 2013 +0100

    gifdec: gif_copy_img_rect: Fix end pointer
    Fixes out of array accesses
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 46cb61819d867961e8f2052a8f13bcf2027d484f
Author: Michael Niedermayer
Date:   Thu Jan 24 04:17:58 2013 +0100

    gifdec: check that the last keyframe exists and has been successfully parsed.
    Prevents inconsistent state and null pointer dereference
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit b53ed19aa74c447ca245702e2460534509be58fa
Author: Michael Niedermayer
Date:   Thu Jan 24 04:02:14 2013 +0100

    lcldec: Check length before unsigned subtraction.
    Fix integer overflow and out of array read
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 69fb605ad5e0f1384ca4d06d38ce0f1b6c8c286d
Author: Michael Niedermayer
Date:   Thu Jan 24 02:51:12 2013 +0100

    mpc8: check stream count before accessing stream 1.
    Fixes null pointer dereference
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit ee9151b616fa7fa5e9b3258ecafd00c9f784baaa
Author: Michael Niedermayer
Date:   Thu Jan 24 01:25:02 2013 +0100

    ff_mss12_decode_init: check dimensions
    Fixes assertion failure
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 7357ca900efcf829de4cce4cec6ddc286526d417
Author: Michael Niedermayer
Date:   Thu Jan 24 00:27:10 2013 +0100

    sanm: Check decoded_size.
    This prevents a buffer overflow in rle_decode()
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 713dea584b118bc48803266edc8e9b380f78a778
Author: Michael Niedermayer
Date:   Wed Jan 23 05:09:43 2013 +0100

    truemotion2: use av_mallocz()
    Fixes use of uninitialized values.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit e49c2aab80cb7e6c85642cc4afd0ea471d6ef4b1
Author: Michael Niedermayer
Date:   Wed Jan 23 04:41:41 2013 +0100

    truemotion2: clear the token array if its initialization fails.
    Fixes use of uninitialized and half initialized values, which can occur on several error paths
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit b89815f5199fd5e9a2d21417f827bf7c57244e84
Author: Michael Niedermayer
Date:   Tue Jan 22 23:05:53 2013 +0100

    mvdec: check channel count.
    Fixes division by 0
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 4c9f35bb7c94d20455d3fca3a184b892f1a0aa4e
Author: Michael Niedermayer
Date:   Tue Jan 22 22:40:38 2013 +0100

    mvdec: use avpriv_set_pts_info() instead of directly setting tb.
    Fixes division by 0
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 1bb05797ec27a0a2b921c18466f898b23c4a9740
Author: Michael Niedermayer
Date:   Tue Jan 22 22:28:41 2013 +0100

    sanm: remove "duplicate" for loop.
    Fixes input buffer overread
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 49b729d3af8464de431362e6c5b3027102bc2f88
Author: Michael Niedermayer
Date:   Tue Jan 22 21:30:20 2013 +0100

    sanm: check image dimensions before using them
    Avoids integer overflows and out of array accesses.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 96d1b7ffcab46dc40bd41afd7833a3380c53709c
Author: Michael Niedermayer
Date:   Sat Jan 19 06:18:24 2013 +0100

    h264: unmark frames at the end
    Fixes assertion failure
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit d270c3202539e8364c46410e15f7570800e33343
Author: Michael Niedermayer
Date:   Fri Jan 18 01:28:44 2013 +0100

    avcodec_decode_audio: do not trust the channel layout, use the channel count.
    Fixes memory corruption
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 4aed4f58465fa0d6940ce72c0dad90caab3ed36e
Author: Michael Niedermayer
Date:   Fri Jan 18 00:22:39 2013 +0100

    mlpdec: don't leave an invalid huff_lsb in the context.
    Fix assertion failure
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit e1d7d4bd13cdd8856a3611d1ea387ac733a7aebf
Author: Michael Niedermayer
Date:   Thu Jan 17 22:45:12 2013 +0100

    mpegvideo: reset context state on failed thread update.
    Fixes assertion failure
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 97d190283ee233e32b805e57434adfac64dabc17
Author: Michael Niedermayer
Date:   Thu Jan 17 00:00:34 2013 +0100

    h264: always copy linesizes in thread update
    Fixes inconsistencies in context
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit f674cc776f201973c81c5c44d72f164d2bc029c1
Author: Michael Niedermayer
Date:   Thu Jan 17 00:00:34 2013 +0100

    h264: always copy block_offset in thread update
    Fixes out of array accesses
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 31c4a1b7d0a052f9717185900e01c2500b55e51b
Author: Michael Niedermayer
Date:   Wed Jan 16 04:46:20 2013 +0100

    h264: do not mess up cur_chroma_format_idc during thread update
    Fixes out of array reads
    Regression probably since allowing pixel format changes or a related commit
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 8ac8f04993e5ff53a9c799d72c3085c77c228134
Author: Michael Niedermayer
Date:   Tue Jan 15 04:58:22 2013 +0100

    mpegvideo: Fix long standing race condition with frame threads
    Since resolution change support this also was exploitable, which is how it was found.
    Fixes read after free and out of array reads.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 59d5680310084398dc6eb8fa62d56a7d1c9b85e0
Author: Michael Niedermayer
Date:   Sun Jan 13 23:44:01 2013 +0100

    h264: Fix assignments in if()
    Fixes null pointer dereference later, since if this function failed, a positive return value was returned to the caller.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Martin Storsjö

commit aaa7d2fafcc375d8cdef25a289008821c9c2fbaa
Author: Michael Niedermayer
Date:   Mon Jan 14 02:54:16 2013 +0100

    h264: don't leave stale pointers in delayed_pic in flush_changes.
    Fixes null pointer dereference & assertion failure
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit c13e4e288c84ba0629ead15e1460c0e498ee2bce
Author: Michael Niedermayer
Date:   Sun Jan 13 23:44:01 2013 +0100

    h264: fix () placement
    Fixes null pointer dereference
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit a6e4796fbf0aa9b13451a8ef917ecc4e80d1d272
Author: Michael Niedermayer
Date:   Sun Jan 13 05:42:01 2013 +0100

    pthread: Do not use a half updated context as master for deallocation.
    Fixes assertion failure
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit d9226b3717fda04c5cde8f51c4dc85fa735b1909
Author: Michael Niedermayer
Date:   Sat Jan 12 04:45:21 2013 +0100

    mpegvideo: don't leave stale pointers in next/last picture
    Fixes out of array reads
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit cc548ea7a60355e15ed78431a55a896db074aa11
Author: Michael Niedermayer
Date:   Sat Jan 12 03:40:54 2013 +0100

    vc1dec: ensure cbpcy_vlc has been set before decoding a frame.
    Fixes null pointer dereference
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit b53adef07b9b3c6f255b43815e26eb21508bacc5
Author: Michael Niedermayer
Date:   Fri Jan 11 23:12:27 2013 +0100

    h264: reset first_field when current_picture_ptr is reset
    Fixes NULL pointer dereference
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 969e75eb80dad51481152f868dafa802579a19aa
Author: Michael Niedermayer
Date:   Fri Jan 11 18:19:53 2013 +0100

    mjpegdec: Fix out of array read in unescaping code
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit e5e422bcc3e6deee8c5c5bf8f5aeca2c051542f5
Author: Michael Niedermayer
Date:   Tue Jan 8 02:43:14 2013 +0100

    mxfdec: Fix integer overflow with many channels
    Fixes division by zero
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Reviewed-by: Matthieu Bouron
    Signed-off-by: Michael Niedermayer

commit 8d06be6b8ce7f411f0b1a614cad88a9719a21a5a
Author: Michael Niedermayer
Date:   Fri Jan 11 16:36:52 2013 +0100

    wavpack: check pointer to avoid overreading input buffer
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 23318a57358358e7a4dc551e830e4503f0638cfe
Author: Michael Niedermayer
Date:   Fri Jan 11 04:44:20 2013 +0100

    error_concealment: Check that the picture is not in a half setup state.
    Fixes state becoming inconsistent
    Fixes a null pointer dereference
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 8b47058c61af83c28231b860d46ee754ed7a9310
Author: Michael Niedermayer
Date:   Fri Jan 11 02:51:27 2013 +0100

    ass_split: fix out of array access in ass_split()
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 97b1ba696baa1bb87415bad244533ac2beaf3568
Author: Michael Niedermayer
Date:   Fri Jan 11 02:31:04 2013 +0100

    ass_split: fix out of array access
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 6471f63da2e9c9cd289b66566428f8c0c538b9c1
Author: Michael Niedermayer
Date:   Thu Jan 10 04:50:33 2013 +0100

    wmalosslessdec: make arrays indexed by ch large enough for maximum number of channels
    Fixes out of array accesses
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 7cb46b519103ed62edbb992abfe564971043e5d9
Author: Michael Niedermayer
Date:   Thu Jan 10 04:37:45 2013 +0100

    targa: use checked bytestream read
    Fix out of array read
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 2b12d1ffd841cf57976b124c1882e4a23a7c5f61
Author: Michael Niedermayer
Date:   Thu Jan 10 04:23:14 2013 +0100

    qdm2: fix out of stack array read.
    The read value is not used when it's outside the array.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 1a088f61e1b8d620c313c47d861a1a4b29fd7156
Author: Michael Niedermayer
Date:   Tue Jan 8 02:52:15 2013 +0100

    oggparseskeleton: Check the overall start time before using it.
    Fixes division by zero
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 4c80184cf5425f11c45ff91f669a1be9cf6d32cd
Author: Michael Niedermayer
Date:   Tue Jan 8 02:30:02 2013 +0100

    mjpegdec: allow 2 components in ljpeg_decode_yuv_scan()
    Fixes assertion failure
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 953061ed9537f2eecd814842aca6a6fdf8118385
Author: Michael Niedermayer
Date:   Tue Jan 8 00:24:46 2013 +0100

    lavf/utils: more complete dts checks
    Fixes division by zero
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 3b57bb478ff4455773378355e285877d757e151e
Author: Michael Niedermayer
Date:   Mon Jan 7 23:42:35 2013 +0100

    svq1dec: check that the reference frame matches in size before using it.
    Fixes out of array reads
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 0780fe27404c24d58bf9b2a3b928d885772bc702
Author: Michael Niedermayer
Date:   Mon Jan 7 21:31:40 2013 +0100

    rmdec: Limit videobufsize to remaining amount of data
    Fixes excessive memory allocation
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit f65daf577af25df69f3b43a49879158d2f77f3f8
Author: Michael Niedermayer
Date:   Mon Jan 7 21:16:23 2013 +0100

    rv10: always check direct mode interpolation times.
    Fixes Division by 0
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit ed2d7d5868a4a5d914f1e5488d63ea696a3b2937
Author: Michael Niedermayer
Date:   Sun Nov 18 18:46:05 2012 +0100

    ff_h264_direct_ref_list_init: fix B slice check.
    Fixes null pointer dereference.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

commit 1d29624c73fde14a987735b3d4df8d005caebb58
Author: Michael Niedermayer
Date:   Mon Dec 17 20:51:07 2012 +0100

    oggparsevorbis: check channels
    Fixes out of array accesses
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 7973a07590f2b376b5453c4553bec97a800182ab
Author: Michael Niedermayer
Date:   Mon Dec 17 00:48:33 2012 +0100

    h264: Improve first slice and slice type checks
    This prevents a null pointer dereference
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit d7599bd8e240b923486bd130a33d38f66bb14eae
Author: Michael Niedermayer
Date:   Sat Dec 15 23:33:20 2012 +0100

    h264: don't mess with frame gaps on second fields.
    Fixes assertion failure
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 2b643855e0244b448fdc37f8dfa2fc4033643037
Author: Michael Niedermayer
Date:   Sat Dec 15 16:03:19 2012 +0100

    dirac_parser: check prev_pu_offset before using it
    Fixes out of array read
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit b6671787db5b5d53e065f88e52a35d94cb50504c
Author: Michael Niedermayer
Date:   Sat Dec 15 00:19:20 2012 +0100

    flashsv2_prime: check block before using it.
    Fixes null pointer dereference
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 02d6d053396626ff5b3390e48a9933e0d4164b28
Author: Michael Niedermayer
Date:   Fri Dec 14 23:37:14 2012 +0100

    dcadec: check xch_base_channel against channel_order_tab.
    Fix null pointer dereference
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 51fcf276f8ce66be530549da6b8d96a4bd3087aa
Author: Michael Niedermayer
Date:   Fri Dec 14 21:50:23 2012 +0100

    mp3on4: fix null pointer dereference
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit a99c273a3f91c3fd616b718c34a5848411ce0258
Author: Michael Niedermayer
Date:   Fri Dec 14 20:57:25 2012 +0100

    dnxhddec: fix CID changed check.
    Fixes Null pointer dereference
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 6ca2465556836d20ab9ea5689960fbf1fbda0e23
Author: Michael Niedermayer
Date:   Fri Dec 14 18:10:19 2012 +0100

    ass_split_section: don't overread array
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit b2c2589ecf87e6d42d4134e726552a35b2820e09
Author: Michael Niedermayer
Date:   Fri Dec 14 17:55:25 2012 +0100

    westwood_vqa: fix null pointer dereference
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit a974adc3c78c4bcf62dd2a10ff1ae8eae6fa29ef
Author: Michael Niedermayer
Date:   Fri Dec 14 01:12:56 2012 +0100

    g729dec: check pitch_delay_int.
    Fix out of array read
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 56d09250ef44eebd04f6d4cf6c6f5bfbe46b01dc
Author: Michael Niedermayer
Date:   Fri Dec 14 00:30:34 2012 +0100

    nuv: don't try to copy an empty frame
    Fixes assertion failure
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit f18c873ab5ee3c78d00fdcc2582b39c133faecb4
Author: Michael Niedermayer
Date:   Wed Dec 12 17:14:32 2012 +0100

    adpcm: fix off by 1 error and out of array access in DK4
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 03b9d4a7dc7cb399587b6148617cef59b36b3a4b
Author: Michael Niedermayer
Date:   Wed Dec 12 16:56:10 2012 +0100

    msmpeg4dec: fix coeff index
    Fixes assertion failure
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 028cc42a1638e6f93a857f11c2568d1c3a51e612
Author: Michael Niedermayer
Date:   Wed Dec 12 14:27:46 2012 +0100

    read_gab2_sub: fix null pointer dereference
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 5a4eb6aa275e4c1b80e1e125a7901903e35219f2
Author: Michael Niedermayer
Date:   Wed Dec 12 14:09:19 2012 +0100

    avfilter_get_video_buffer_ref_from_frame: check channel count
    more than 8 channels is not supported and crashes with null pointer dereference
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 0ceca269b66ec12a23bf0907bd2c220513cdbf16
Author: Michael Niedermayer
Date:   Wed Dec 12 12:28:45 2012 +0100

    alsdec: check block length
    Fix writing over the end
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 75b3911e5a6d8f504723303444f534878e09a954
Author: Michael Niedermayer
Date:   Wed Dec 12 11:35:31 2012 +0100

    mxf_set_audio_pts: fix division by 0
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit a0f659b27575de81549e524d13457554b9095ac8
Author: Michael Niedermayer
Date:   Wed Dec 12 11:20:55 2012 +0100

    oggspeexparse: fix array overread
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 2fb240ddb6963257c57394dd0d35d1a41ba517d7
Author: Michael Niedermayer
Date:   Wed Dec 12 01:21:24 2012 +0100

    ac3dec: fix out of array read
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit a202541f9b4da3e489716198dd3547ec7f73ef1d
Author: Michael Niedermayer
Date:   Wed Dec 12 00:11:15 2012 +0100

    cafdec: Check duration before use.
    Fix division by 0
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 99a8552dae54fd464f19a00d9e5b92596c5c058a
Author: Michael Niedermayer
Date:   Wed Dec 12 00:00:25 2012 +0100

    bfi: fix division by 0
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit c3bb3334f6837025fb23d5bcd29ba094aa368c6b
Author: Michael Niedermayer
Date:   Mon Dec 10 20:51:32 2012 +0100

    h264: don't try to allocate scratchpad if linesize is not known
    Fixes out of array access
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 9f92e590ba91faa1283b1a9a35dd7e43c5bd998b
Author: Michael Niedermayer
Date:   Sat Dec 8 05:23:06 2012 +0100

    mxfdec: fix double free
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit e8ca7cfa4f4207be9b07e6135e6ba7a95ba89aa8
Author: Michael Niedermayer
Date:   Sun Dec 9 05:04:05 2012 +0100

    h264: avoid calling idr() twice
    Fixes rare race condition leading to null pointer dereferences.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit ea6da80cb41af9e854822d72b5dbe92ea5ca9909
Author: Michael Niedermayer
Date:   Fri Dec 7 04:25:17 2012 +0100

    diracdec: check dimensions against chroma format.
    Fixes out of array reads
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 2f6ec9fdd7808c8ed045ae0ca4134ab21fb785e6
Author: Michael Niedermayer
Date:   Fri Dec 7 00:42:44 2012 +0100

    diracdec: Test mctmp and mcscratch for malloc failure.
    Fixes null pointer dereference
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit b84d1bf193d2af5e06979db12ffa0dedaa6c8ea1
Author: Michael Niedermayer
Date:   Fri Dec 7 00:27:08 2012 +0100

    diracdec: fix emulated_edge condition, fix out of array reads
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit bde6f6eadc24b372c12da2894f2ee0b86b5ff6a3
Author: Michael Niedermayer
Date:   Wed Dec 5 23:16:21 2012 +0100

    vc1dec: prevent v_edge_pos from becoming negative.
    Fixes assertion failure
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 09de0ffeab37442d1a31ee194ea6d78a67186de1
Author: Michael Niedermayer
Date:   Wed Dec 5 05:47:37 2012 +0100

    vc1dec: Fix null pointer dereference in vc1_decode_skip_blocks()
    This handles the last frame being unavailable like all the other code in vc1dec.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 9db3fb6ed8d35ae02a1d3c322777bd45bb4579c9
Author: Michael Niedermayer
Date:   Wed Dec 5 04:38:57 2012 +0100

    oggdec: prevent codec from changing through ogg_replace_stream()
    This prevents inconsistencies leading to out of array accesses.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 599ae9995f2e66803431e9d87fab2e650f23229e
Author: Michael Niedermayer
Date:   Wed Dec 5 03:14:03 2012 +0100

    ff_emulated_edge_mc: fix handling of w/h being 0
    Fixes assertion failure
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 5e1bacf2d49622f7ba4245f140b7be35972c0529
Author: Michael Niedermayer
Date:   Tue Dec 4 03:30:40 2012 +0100

    matroskadec: reset size when freeing data.
    Fixes null pointer dereference
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 4c160b68cca2001101b3286877bf286ff0dd7873
Author: Michael Niedermayer
Date:   Mon Dec 3 17:27:19 2012 +0100

    ff_mp4_read_dec_config_descr: check that the codec is not open
    Fixes out of array accesses
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 9c208b404cbd56ee4e217aa20e7e09ebfa21cfd5
Author: Michael Niedermayer
Date:   Mon Dec 3 01:26:23 2012 +0100

    vp56: Ignore reconfiguration from the alpha plane.
    Fixes out of array reads
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit ec79b1fc88b2cc6a9ab6cd953efcdbaebedde233
Author: Michael Niedermayer
Date:   Sun Dec 2 22:36:15 2012 +0100

    wtvdec: fix null pointer dereference
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 936eaa89be5de0eada9d188777427b97e568422a
Author: Michael Niedermayer
Date:   Sun Dec 2 20:36:32 2012 +0100

    h264: check for integer overflow, fix null pointer dereference
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit b61ba262a1e275f8129b7383d70fe48051b47fcf
Author: Michael Niedermayer
Date:   Sun Dec 2 04:21:42 2012 +0100

    mpc8: check seektable size before attempting to use it.
Fixes null pointer dereference Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit ff7e2342bbc96ebc0fc51c19ee212ad160f83216 Author: Michael Niedermayer Date: Sun Dec 2 04:00:50 2012 +0100 dcadec: fix reading from prior to an array Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 77693c541a541661357a0edd5bbaae69c64b2039 Author: Michael Niedermayer Date: Sat Dec 1 23:20:48 2012 +0100 xxan: more complete ybuf checks, fix out of array accesses. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit aae478036223ae16c24b9890d087feda2efbe38a Author: Michael Niedermayer Date: Sat Dec 1 22:09:14 2012 +0100 vmnc: Check for integer overflow Fixes null pointer dereference and potential out of array accesses. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 3b2cd83a829e01a603b52fdc058a054b7899d06e Author: Michael Niedermayer Date: Sat Dec 1 21:42:02 2012 +0100 dcadec: check lfe field Fix out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 873049e6d854a69292934eb882731dd2ad7438b9 Author: Michael Niedermayer Date: Sat Dec 1 20:15:02 2012 +0100 mxfdec: check index_tables before dereferencing in close. Fixes null pointer dereference Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 7389bb12e6b3ec3660592fde370d9dd4fe816d2b Author: Michael Niedermayer Date: Sat Dec 1 19:16:19 2012 +0100 svq1dec: update w/h only if the header is successfully parsed. Prevents inconsistency and out of array accesses. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit f0695b09dd479e9f20e522417a46a6132c391a1c Author: Michael Niedermayer Date: Sat Dec 1 02:36:01 2012 +0100 pcmdec: check codec_id Fixes out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit b90e795f737c5efb9f65869b304e87a0985b046d Author: Michael Niedermayer Date: Sat Dec 1 00:29:39 2012 +0100 check std tag size before reading. Fixes out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit a7ee6281f7ef1c29284e3a4cadfe0f227ffde1ed Author: Michael Niedermayer Date: Fri Nov 30 23:59:40 2012 +0100 qdm2: check array index before use, fix out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 991e23519ac53adc624338b3a7628c9c289268cb Author: Michael Niedermayer Date: Fri Nov 30 19:24:56 2012 +0100 aacps: check iid/icc_par more completely. Fixes global out of array read. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 7205e896a1ceb0e5c0256ed9cc1f69cf1fe664d4 Author: Michael Niedermayer Date: Fri Nov 30 20:58:26 2012 +0100 dxa: check reference frame availability before use. Fix NULL pointer dereference Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 2c69fcc2ffe671649e56dc981e9f4cd9d46a61be Author: Michael Niedermayer Date: Fri Nov 30 16:00:07 2012 +0100 smacker: more complete vlc length check, fixes out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit a2f680c7bc7642c687aeb4e14d00ac74833c7a09 Author: Michael Niedermayer Date: Fri Nov 30 03:58:38 2012 +0100 mjpegdec: check h/v_count, fix context becoming inconsistent and causing out of array accesses. This also fixes a long standing comment in the code. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 0b28abf903cd1fd61ba4a06009cd2cb7cc40e6e0 Author: Michael Niedermayer Date: Thu Nov 29 23:10:03 2012 +0100 vble: check packet size. Fixes null pointer dereference Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 10416a4d56fa8a89784e4fb62099c3cab17a9952 Author: Michael Niedermayer Date: Thu Nov 29 22:57:39 2012 +0100 id3v2: check index against buffer size. Fix out of array access Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 6abb9a901fca27da14d4fffbb01948288b5da3ba Author: Michael Niedermayer Date: Thu Nov 29 15:56:05 2012 +0100 huffyuvdec: check width more completely, avoid out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 27eada287af5505a93a4b9410412c0a916117731 Author: Michael Niedermayer Date: Thu Nov 29 15:34:29 2012 +0100 tiffdec: better checks for bitstream offsets, fixes out of array reads Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 3ae610451170cd5a28b33950006ff0bd23036845 Author: Michael Niedermayer Date: Thu Nov 29 15:18:17 2012 +0100 roqvideodec: check dimensions validity Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit c1fcf563b13051f280db169ba41c6a1b21b25e08 Author: Janne Grunau Date: Wed Nov 28 22:17:14 2012 +0100 h264: check context state before decoding slice data partitions Fixes mov_h264_aac__Demo_FlagOfOurFathers.mov.SIGSEGV.4e9.656. 
Found-by: Mateusz "j00ru" Jurczyk CC: libav-stable@libav.org commit cf5f4c5169639349262aa221ae485a0de188afb1 Author: Michael Niedermayer Date: Tue Nov 20 03:20:43 2012 +0100 aacsbr: check sample_rate before using it, fix division by 0 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit aed128f07d142a7afc51f1f0c572a31b3b9bc2a6 Author: Michael Niedermayer Date: Tue Nov 20 02:59:55 2012 +0100 4xmdec: fix integer overflow, null ptr dereference Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit c44a028e19c89671dbd614c283f7e5fe2f555139 Author: Michael Niedermayer Date: Mon Nov 19 15:55:23 2012 +0100 af_aresample: allocate at least 1 sample buffer. Fix null ptr dereference. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit fdbb6164a208df6d2665453da6d18d2cda13189b Author: Michael Niedermayer Date: Mon Nov 19 05:01:01 2012 +0100 sbr: increase f_tablelim size, it appears it was too small by 1. Prevent out of array accesses. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit ba353436a375b92659366aeec8c0139da08f8a0b Author: Michael Niedermayer Date: Mon Nov 19 03:37:59 2012 +0100 h264: dont stop parsing NALs without cleanup on DPC. Fixes a deadlock with frame threads Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 24c043c98ef22b9d4aa7a54ec5f1cebd21042dd7 Author: Michael Niedermayer Date: Mon Nov 19 01:36:55 2012 +0100 mpegvideo: increase MAX_PICTURE_NUMBER. avoid abort(). Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit e8fed4d3314cdf0cf4134844a1acf5798b205cb8 Author: Michael Niedermayer Date: Sun Nov 18 22:51:54 2012 +0100 error concealment: check that references are frames and not fields. frames cant have field references. 
Fixes a deadlock Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 8a03a60b4af46c001d5686b9303f48f6c4ebdf6c Author: Michael Niedermayer Date: Sun Nov 18 21:36:06 2012 +0100 h264: Check gray scale CBP, fix out of array accesses. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 36cf247e4302afcb09e995ad1c594d97897d17ba Author: Michael Niedermayer Date: Sun Nov 18 18:46:05 2012 +0100 ff_h264_direct_ref_list_init: fix B slice check. Fixes null pointer dereference. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit d6c184880ee2e09fd68c0ae217173832cee5afc1 Author: Michael Niedermayer Date: Sun Nov 18 16:29:04 2012 +0100 h264: correct ref count check and limit, fix out of array accesses. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 2d5f1addbec2a1184b4e3b56dbfcb5416401a44f Author: Michael Niedermayer Date: Sun Nov 18 15:23:54 2012 +0100 h264: fix integer overflow, assert failure Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 4fecc3cf0998927456a9f8d8334587dd64154ec5 Author: Michael Niedermayer Date: Sun Nov 18 14:23:06 2012 +0100 h264: Skip odd NALs in extradata, prevent undefined behavior Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit dab19048a1fb8e722cd2029b63ce1fc9d84ff41e Author: Michael Niedermayer Date: Sat Nov 17 21:07:39 2012 +0100 mjpegdec: reset h/v_count, fix assertion failure. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 845724c82c1a732ab398c9e8cedd178f96f1626d Author: Michael Niedermayer Date: Sat Nov 17 20:17:22 2012 +0100 vcr1: check if dimensions are supported, fix out of array accesses. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit fb1ea777b3a01be6d71a103529ad37982707cacc Author: Michael Niedermayer Date: Sat Nov 17 19:56:26 2012 +0100 electronicarts: check size before reading duration out of a chunk. Fixes null pointer dereference Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit f96a653184e63cea91e08ea75ae60d309e431f40 Author: Michael Niedermayer Date: Sat Nov 17 18:47:36 2012 +0100 flvdec: disable hack that attempts to parse aac bitstream in the flv demuxer. I was unable to find a file that needs this hack, if you have one please contact us! Fixes out of array accesses. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 63ac64864c6e0e84355aa3caa5b92208997a9a8d Author: Michael Niedermayer Date: Sat Nov 17 16:26:55 2012 +0100 eamad: fix out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 8ad9b48c9b5b749df8fbcd59d61278caadc478ca Author: Michael Niedermayer Date: Sat Nov 17 04:45:38 2012 +0100 xxan: check ybuf index before use. Fixes out of array access Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 774830050aff71bcf02c68c0767f401240385842 Author: Michael Niedermayer Date: Sat Nov 17 03:42:48 2012 +0100 cook: check subbands more completely, fix out of array read. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 31fce399425b986557ab94a2dd8305b289710f0e Author: Michael Niedermayer Date: Sat Nov 17 01:09:20 2012 +0100 tm2: check for invalid vlcs, fix out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 6535d81d8788a6eb758dd08330d4915c224fa5ee Author: Michael Niedermayer Date: Fri Nov 16 21:25:40 2012 +0100 g723_1dec: Fix lsp2lpc() so it can handle values at the ends of the table. 
Fixes out of array reads Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 2207ea44fb4fad4d47646a789bc244e3e84c1726 Author: Michael Niedermayer Date: Fri Nov 16 20:57:35 2012 +0100 ff_emulated_edge_mc: fix integer anomalies, fix out of array reads Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 68def00a6330e46eea2ee6735fa4ae91317e8f5c Author: Michael Niedermayer Date: Fri Nov 16 03:46:35 2012 +0100 rv34: check image size before using it fixes assertion failure Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 7845f8d282a98d5e01aaeddfa9af698697d8874d Author: Michael Niedermayer Date: Fri Nov 16 00:48:15 2012 +0100 vc1dec: do not allow field_mode to change after the first header Fixes out of array accesses. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit e31b1938acbe8bd9c5e1dc4be674601ec6823bcf Author: Michael Niedermayer Date: Thu Nov 15 19:15:35 2012 +0100 zmbv: avoid use of uninitialized data Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit c2409a7c5b1c1f43ee8b00c13ed41edc0321db0b Author: Michael Niedermayer Date: Thu Nov 15 17:44:18 2012 +0100 vmdav: more complete check for block_align, prevent out of array access. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit c0d68be555f5858703383040e04fcd6529777061 Author: Michael Niedermayer Date: Thu Nov 15 16:41:28 2012 +0100 pgssubdec: check RLE size before copying. Fix out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit bc08ca841e66134a3b0d900cf152b4a263fa6545 Author: Michael Niedermayer Date: Thu Nov 15 16:09:23 2012 +0100 flashsv: reallocate block array independant of frame type. 
Fixes NULL pointer dereference Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 17da2d9eee6bb3968522a2f1cdb54117260b6b7d Author: Michael Niedermayer Date: Thu Nov 15 12:20:45 2012 +0100 swr: reorder/redesign operations to avoid integer overflow. This fixes a out of array read. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 62006b539ddda23594febf0fcb2f21c03de60457 Author: Michael Niedermayer Date: Thu Nov 15 02:43:38 2012 +0100 ituh263dec: more complete w/h check. Fixes a division by 0 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit caa2fa2c69e760b3dad6358178ccbad39ba8a268 Author: Michael Niedermayer Date: Thu Nov 15 02:16:56 2012 +0100 rv10: always check image size not just in some cases. Fixes division by 0 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit a3cb7f992f88fcfa524bd9cd08b28e09d6718f75 Author: Michael Niedermayer Date: Thu Nov 15 00:56:33 2012 +0100 xwma: check bytes_per_sample, fix division by 0. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 12eb2fd5394813a6119912b22f5dfc17b4a6b4a0 Author: Michael Niedermayer Date: Thu Nov 15 00:42:49 2012 +0100 dxa: dont try to use the previous frame if there is none. Fixes null pointer dereference. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit e70144cba13db208877e3b64802fc8835c72e82d Author: Michael Niedermayer Date: Wed Nov 14 23:24:05 2012 +0100 bink: check quant_index, fix out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 612ecfbbbb3f4238d44cca5f250ffc6147d03ec2 Author: Michael Niedermayer Date: Wed Nov 14 22:59:22 2012 +0100 gifdec: check ff_lzw_decode_init() return value, fix out of array reads Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 50f0a6b4e64b78e0df1919ee1fa5e805309911c2 Author: Michael Niedermayer Date: Wed Nov 14 21:14:40 2012 +0100 wmaprodec: check num_sfb for validity. Fix out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 30bce34b6719ca99ad72c62e2fba3eade71f1eae Author: Michael Niedermayer Date: Wed Nov 14 19:15:32 2012 +0100 vpriv_adx_decode_header: avoid underreading the array. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit ab8517b89196890ca9f9b1ccd70acec838a9129b Author: Michael Niedermayer Date: Wed Nov 14 19:03:07 2012 +0100 vc1dec: require a minimum of 2x2 for the edge pos. Avoid assertion failure Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit ccce723c6d0ea1ea89ea6c47160a07d37cdeeba2 Author: Michael Niedermayer Date: Wed Nov 14 17:34:37 2012 +0100 vc1dec: check first field slices, fix out of array read. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 87d073eaccc00ef2909445ae4b25128c440d9efa Author: Michael Niedermayer Date: Wed Nov 14 14:07:58 2012 +0100 mov: Dont try to calculate with unknown durations, fix division by 0 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 66ff90f4a3d81c25feaa672dc8cc9cc88017753d Author: Michael Niedermayer Date: Wed Nov 14 03:33:06 2012 +0100 8bps: check index against buffer size before reading line length pointer. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 7acee6654ccdbadea62e700970f789478febaa0c Author: Michael Niedermayer Date: Wed Nov 14 03:17:13 2012 +0100 mpeg12data: increase size of ff_mpeg1_default_intra_matrix to prevent harmless overreads from crashing Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit e1631f8ebe9a8f2a9cca85d60160b9be94eb63f3 Author: Michael Niedermayer Date: Wed Nov 14 03:03:04 2012 +0100 aasc: check before reading the first 4 byte, fix overread Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 39c5cd601ef09b1a540471960cb3a7e3ba17cb3c Author: Michael Niedermayer Date: Wed Nov 14 02:50:59 2012 +0100 vmnc: check input size before reading chunk header, fix overread Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 2f74f8d7dce2baff3a4401130a8e479c2899fd16 Author: Michael Niedermayer Date: Wed Nov 14 00:01:56 2012 +0100 imc: sanity check scalefactors. This fixes undefined behavior Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 1f1960519a1700985b5f645a2950c10581f78a73 Author: Michael Niedermayer Date: Tue Nov 13 23:03:38 2012 +0100 lxfdec: fix "no audio stream" check. 
avoid null ptrs deref Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit af9ec3dd1d9e90ec8134b01074b7beb01a1beb1a Author: Michael Niedermayer Date: Tue Nov 13 22:20:44 2012 +0100 av_probe_input_format3: support NULL as buffer. Fixes null ptr deref Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 001af703c6bff7cb8009db3ac882b8d929d67d9e Author: Michael Niedermayer Date: Tue Nov 13 22:07:39 2012 +0100 alac: check channel count more completely, fix out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit b1191331363c444c0eaba0055cc7379221ddf8d7 Author: Michael Niedermayer Date: Tue Nov 13 22:02:46 2012 +0100 avrndec: calculate true_height only when used. Fixes division by 0 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 7373b3ad043cc3417d80c55ccdb620b08cd271bf Author: Michael Niedermayer Date: Tue Nov 13 21:43:37 2012 +0100 pcmdec: consistently use codec_id, fixes out of array reads Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit eab022d863c8505ce7786c82f0e0c3a8f4eeb4bd Author: Michael Niedermayer Date: Tue Nov 13 19:48:03 2012 +0100 mpegts: prevent freeing ones own section in pat_cb Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 4392e69ad4e45c3de4d9e28466530698ca704c51 Author: Michael Niedermayer Date: Tue Nov 13 19:41:55 2012 +0100 mov: check stps correctly, avoid overreading 1 element. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 3669915e93b3df63034857534245c3f2575d78ff Author: Michael Niedermayer Date: Tue Nov 13 19:37:47 2012 +0100 dvdec: check ipcm more completely, avoid assert failure. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 7c76eaeca2791261d3f4f5c98c95f44abdbd879a Author: Michael Niedermayer Date: Tue Nov 13 19:21:29 2012 +0100 mpeg4video_parser: init static tables before use, fix nulll ptr deref Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit c74cd99986fc8c148a10ebcf13ab2b8d8c6de561 Author: Michael Niedermayer Date: Tue Nov 13 17:59:18 2012 +0100 rv10: consider B frames in low delay streams invalid. Fix assertion failure Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit a0212ecf8452e9861286639543a772dc94f3ad07 Author: Michael Niedermayer Date: Tue Nov 13 17:33:03 2012 +0100 dcadec: check layout & channel count for consistency. Fixes out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 4facddd568b7b6c0014b4a0da157b8ba8f3e3b1a Author: Michael Niedermayer Date: Tue Nov 13 15:43:01 2012 +0100 mpegts: dont set stream info when a decoder has already been opened. Fixes assertion failure. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 327cd0d09b459bcc9996cd864bf8569788d70b5b Author: Michael Niedermayer Date: Tue Nov 13 15:21:41 2012 +0100 mpegts: prevent freeing ones own section in pmt_cb Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit d8a1eb11b72071ba88946191f8bc9701167d39a6 Author: Michael Niedermayer Date: Tue Nov 13 01:12:26 2012 +0100 wavpack: check the blocks sample count, fix out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit e9cb533fbb90c274cfed07b69ebf5c1989573e20 Author: Michael Niedermayer Date: Tue Nov 13 00:21:59 2012 +0100 flashv: check if keyframe is available, fix null deref. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 0a373c31cb7f8dae84857881cd7e3829a6483efe Author: Michael Niedermayer Date: Mon Nov 12 22:58:57 2012 +0100 svq1dec: dont export the qscale table. SVQ1 has no qscales so the table is of no use, and it triggers a bug as SVQ1 does not maintain the size of the table properly causing a crash. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 7ab690bf5f4b24fca95113c0ee44f0847c9c3c6d Author: Michael Niedermayer Date: Mon Nov 12 21:50:20 2012 +0100 indeo4: more complete check for the scan vs block sizes. Fixes out of array reads Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 0e239b22dbbe6808ac08ca72825f734076d4dc81 Author: Michael Niedermayer Date: Mon Nov 12 20:42:33 2012 +0100 xan: check size_segment before reading, fixes out of array read. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit a9456c7c5ca883b5a3947e59a9fba5587e18e119 Author: Michael Niedermayer Date: Mon Nov 12 20:27:29 2012 +0100 mjpegdec: tighten unescaped_buf_size size check, prevent null ptr deref Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit abe68364a3219f1a98c46bddea575e4cada147c7 Author: Michael Niedermayer Date: Mon Nov 12 19:29:08 2012 +0100 swfdec: check space before copy Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit d1493d2ce5f598016adff8cda8484529a560fb0d Author: Michael Niedermayer Date: Mon Nov 12 18:04:12 2012 +0100 theora: check that pix fmt is valid, fix null ptr deref Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 9eef41b848939a0a86582afdb45235e41612d9ba Author: Michael Niedermayer Date: Mon Nov 12 17:35:01 2012 +0100 lagarith: always allocate for 4 planes. 
Fixes out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit c433823750bf096187e70c22822431a7c0bb4202 Author: Michael Niedermayer Date: Mon Nov 12 14:56:07 2012 +0100 4xmdec: test version for cfrms, fix out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit be818df547c3b0ae4fadb50fd210139a8636706a Author: Michael Niedermayer Date: Mon Nov 12 14:42:45 2012 +0100 wavpack: fix out of array access Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 3a04c18d899d278eea551c216e5117974063062b Author: Michael Niedermayer Date: Mon Nov 12 01:39:13 2012 +0100 vc1dec: prevent null ptr dereferences. The added checks are in line with existing checks but should probably be replaced by more advanced error concealment at some point. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit b5f4836f8cb374f1a5ae45db48b61a1dfba0daad Author: Michael Niedermayer Date: Mon Nov 12 01:22:31 2012 +0100 vc1: check image height, fix division by 0 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 8824a9ed2291d2b004dc641bd9ea8ad6f983466a Author: Michael Niedermayer Date: Sun Nov 11 23:24:54 2012 +0100 mpeg12: clean current picture ptr. This avoids having a stray pointer left that may not represent the current picture and state. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 5aedee4facb2295cfdeaf322bc67fd15323862d9 Author: Michael Niedermayer Date: Sun Nov 11 20:57:45 2012 +0100 gxf: avoid null ptr deref without streams. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit c871244306f92fecaaed8a97f47ba54d46eb0cd5 Author: Michael Niedermayer Date: Sun Nov 11 20:51:30 2012 +0100 proresdec: check input size before reading qmats, prevent overreading. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 7faa17764ad8aa9919125834b97e7fb574af90d4 Author: Michael Niedermayer Date: Sun Nov 11 19:46:16 2012 +0100 dsicinav: update bitmap_frame_size, avoid out of array reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 26452e24ed1a93047226aed7830111abd24cfee3 Author: Michael Niedermayer Date: Sun Nov 11 19:02:05 2012 +0100 snow: fix edge emu switch Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit b7b7e2348c07498f373d3b14a13615de151b2e7e Author: Michael Niedermayer Date: Sun Nov 11 18:45:56 2012 +0100 msmpeg4dec: check w/h, prevent assert failure later Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 192db16b9c202e8d037c4820b11e125d8010e7bc Author: Michael Niedermayer Date: Sun Nov 11 18:32:26 2012 +0100 segafilm: fix division by 0 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit f1d6f013b2078140fb701978d720abecde7cd73f Author: Michael Niedermayer Date: Sun Nov 11 18:16:24 2012 +0100 omadec: fix len check in nprobe() prevent out of array access Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 44c23aa1b85d195db6647d24e3b1d3de051790db Author: Michael Niedermayer Date: Sun Nov 11 18:08:39 2012 +0100 zmbvdec: check decompression buffer size. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 3ba58433e17cb6019e512e7fa5cf4e38415217d3 Author: Michael Niedermayer Date: Sun Nov 11 17:20:10 2012 +0100 diracdec: check wavelet depth, prevent out of array read. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 0a4087b8930d283aeec0aaf15d9991b6b1765597 Author: Michael Niedermayer Date: Sun Nov 11 16:36:27 2012 +0100 diracdec: Use only one frame per reference Prevents null ptr dereference Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit def8588fb588f75df336567918dc512ba04aae67 Author: Michael Niedermayer Date: Sun Nov 11 12:40:38 2012 +0100 dwt_yasm/vertical_compose: fix width witdth argument. Fixes out of array accesses Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 7dab48bb73abafbb00dbb4cb84db838292388790 Author: Michael Niedermayer Date: Sun Nov 11 03:35:10 2012 +0100 diracdec: allocate enough space for blocks Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit dca2fa10d37022684c61166be59294c9f98530d4 Author: Michael Niedermayer Date: Sun Nov 11 03:34:09 2012 +0100 diracdec: fix edge emulation check, fixes out of array reads Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit d7da4d47a6841444f12bf56dfe4230d3e4af8646 Author: Michael Niedermayer Date: Sun Nov 11 02:13:31 2012 +0100 mxfdec: avoid double free and leaks. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit c2ca0163affa524f4074c6328bf85c944b65dba2 Author: Michael Niedermayer Date: Sun Nov 11 01:00:04 2012 +0100 matroskadec: check h in generic rm packet shuffler Fixes crash Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 1f41cffe1e3e79620f587545bdfcbd7e6e68ed29 Author: Michael Niedermayer Date: Sun Nov 11 00:01:24 2012 +0100 mjpegdec: check SE. 
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 47ca2487ae88358a324f620cfb50095d086ed8f5
Author: Michael Niedermayer
Date:   Sat Nov 10 21:44:20 2012 +0100

    lavfi/avcodec: check that injected avframes use a supported channel layout

    This fixes out of array accesses.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 2d71f31df23910f18b17f17fa568b13fd5dcaf1a
Author: Michael Niedermayer
Date:   Sat Nov 10 19:38:44 2012 +0100

    lag_read_prob_header: fix out of array access

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit b53f89710b03c4c832bb03e4e132b1ace17fb4e4
Author: Michael Niedermayer
Date:   Sat Nov 10 18:21:50 2012 +0100

    alac: Check channel indexes more completely, fix out of array accesses.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 3920d1387834e2bc334aff9f518f4beb24e470bd
Author: Michael Niedermayer
Date:   Sat Nov 10 17:41:56 2012 +0100

    alac: fix integer overflow leading to subsequent out of array accesses.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit fd4f4923cce6a2cbf4f48640b4ac706e614a1594
Author: Michael Niedermayer
Date:   Sat Nov 10 17:14:04 2012 +0100

    alac: fix nb_samples < order case

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit eb3dc237051242d28570c2fa13108c05793f5a4e
Author: Michael Niedermayer
Date:   Sat Nov 10 13:28:26 2012 +0100

    mov: Make sure no streams after the header lack a timescale.
    Fixes division by 0

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit dab70c62d20081bcf879b7b6bc3ffabc2e331542
Author: Michael Niedermayer
Date:   Sat Nov 10 01:51:40 2012 +0100

    ivi_common: check ref_tile size, fix out of array accesses

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit a93c7ca6ef625188c9ec088c2e75f731b78c9923
Author: Michael Niedermayer
Date:   Fri Nov 9 23:38:51 2012 +0100

    ivi_common: more MV Checks, fixes out of array reads

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit c63e76ba3553d7635b92ac3801f3087e85a76bfb
Author: Michael Niedermayer
Date:   Fri Nov 9 22:58:10 2012 +0100

    ebml_read_binary: use fast_padded_malloc()

    Fixes out of array accesses

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 2fbb37b51bbea891392ad357baf8f3dff00bac05
Author: Michael Niedermayer
Date:   Fri Nov 9 20:58:57 2012 +0100

    iff/ilbm: check remaining buffer size.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit b8551f8ea71b7d6ae39de121213860262d911001
Author: Michael Niedermayer
Date:   Fri Nov 9 20:47:54 2012 +0100

    pcmdec: check that channels is valid.

    Prevents a division by 0

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit ac7ff0963bf353ffd951ae8d51444b82b7ea69c1
Author: Michael Niedermayer
Date:   Fri Nov 9 20:33:01 2012 +0100

    aacdec: fix temporary array size

    Avoids out of array accesses.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 623cfc93d9ba5790b9b237ce66123bba9fd6a6c7
Author: Michael Niedermayer
Date:   Fri Nov 9 19:58:37 2012 +0100

    pngdec: check that format matches too not just dimensions

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 02a325cb6fdc1e33a45191cbfbfe4298affcd021
Author: Michael Niedermayer
Date:   Fri Nov 9 19:28:23 2012 +0100

    tiffdec: check rps, fix infinite loop.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit b8dc5f8bb3b14bfd2289a0444c7b706299555d97
Author: Michael Niedermayer
Date:   Fri Nov 9 18:45:41 2012 +0100

    twinvq: check bitrate for validity avoid division by 0

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit e481ba2ed79421d82ed631d187c05c03260c6561
Author: Michael Niedermayer
Date:   Fri Nov 9 18:04:54 2012 +0100

    vqf: check samplerate, avoid division by 0.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit fb6a72cde52580bc92c92c8f02bb3eb7afb3fd71
Author: Michael Niedermayer
Date:   Fri Nov 9 17:47:51 2012 +0100

    iff: avoid out of array reads, due to too many planes.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 7989f7e0b5229e618a7f6bf97c6608090a7db106
Author: Michael Niedermayer
Date:   Fri Nov 9 17:17:37 2012 +0100

    xmv: Fix integer overflow

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 9195377bc5818b65b34556938749d97eecde413b
Author: Michael Niedermayer
Date:   Fri Nov 9 16:58:53 2012 +0100

    vp56dec: Fix handling of alpha configuration changes.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 7ec1fe1f472c2fb1cf0e0b2b89e107a08ac7efe5
Author: Michael Niedermayer
Date:   Fri Nov 9 14:54:43 2012 +0100

    lavf: Don't compare absolute to relative timestamps in duration gcd

    This prevents a division by 0

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 4c6e7c2d4d9810d56ee0770e8c9ad68452e83c58
Author: Michael Niedermayer
Date:   Fri Nov 9 14:17:17 2012 +0100

    ivi_common: don't dereference null pointers.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 13451f5520ce6b0afde861b2285dda659f8d4fb4
Author: Michael Niedermayer
Date:   Fri Nov 9 13:26:20 2012 +0100

    atrac3dec: Check coding mode against channels.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 5ee008e01d5a50d976b5f2a4abd6932185672d91
Author: Michael Niedermayer
Date:   Fri Nov 9 13:13:50 2012 +0100

    qdm2: check that coding_method is valid before using it.

    Fixes out of array reads.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 909a18f73b30ed33495b9ee87114c0ed4fbd9cee
Author: Michael Niedermayer
Date:   Fri Nov 9 12:43:51 2012 +0100

    mjpegbdec: don't return a picture when there is no picture.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 6d1c5ea04af3e345232aa70c944de961061dab2d
Author: Michael Niedermayer
Date:   Fri Nov 9 12:13:30 2012 +0100

    tiffdec: check count in metadata reading.
    Fixes out of array access

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit ce1ebb31a9a0e556a89cd7681082af19fbc1cced
Author: Michael Niedermayer
Date:   Fri Nov 9 12:03:57 2012 +0100

    tiffdec: use checked reads for tget*()

    Fixes out of array reads

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 56b6a43056235fc110a018678da590595734203d
Author: Justin Ruggles
Date:   Sat Sep 29 11:31:35 2012 -0400

    ac3dec: ensure get_buffer() gets a buffer for the correct number of channels

    If there is an error during frame parsing, but AVCodecContext.channels
    was changed and AC3DecodeContext.out_channels was set previously, the
    two may not match.

    Fixes CVE-2012-2802

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 85f477935cd6b34e6ec2716b20e15ce748277a89
Author: Michael Niedermayer
Date:   Fri Apr 20 17:42:18 2012 +0200

    avsdec: Set dimensions instead of relying on the demuxer.

    The decode function assumes that the video will have those dimensions.

    Fixes CVE-2012-2801

    CC: libav-stable@libav.org
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Anton Khirnov

commit d65d8347314b645051e336aed141aaf32a6c0d02
Author: Michael Niedermayer
Date:   Sat Apr 14 16:32:56 2012 +0200

    wmalosslessdec: Reset put bit buffer when num_saved_bits is reset.
    Fixes CVE-2012-2799

    CC: libav-stable@libav.org
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Anton Khirnov

commit 6a99310fce49f51773ab7d8ffa4f4748bbf58db9
Author: Anton Khirnov
Date:   Sat Sep 29 19:16:32 2012 +0200

    wmalosslessdec: Fix reading too many bits in decode_channel_residues()

    Fixes a part of CVE-2012-2795

    CC: libav-stable@libav.org
    Based on a patch by Michael Niedermayer
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

commit f48fbf2eb5ba7015c65b31c266edf399dd6a82b1
Author: Michael Niedermayer
Date:   Sat Apr 14 14:50:25 2012 +0200

    wmalosslessdec: fix a get_bits(0) in decode_ac_filter

    Fixes a part of CVE-2012-2795

    CC: libav-stable@libav.org
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Anton Khirnov

commit 607f57152c59bcec26caaf2060a86d96f76c4e8b
Author: Michael Niedermayer
Date:   Sat Apr 14 14:49:22 2012 +0200

    wmalosslessdec: make MCLMS arrays big enough for what is written into them.

    Fixes a part of CVE-2012-2795

    CC: libav-stable@libav.org
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Anton Khirnov

commit ae3da0ae5550053583a6f281ea7fd940497ea0d1
Author: Anton Khirnov
Date:   Sat Sep 29 11:07:58 2012 +0200

    indeo4/5: check empty tile size in decode_mb_info().

    This prevents writing into a too small array if some parameters changed
    without the tile being reallocated.

    Based on a patch by Michael Niedermayer

    Fixes CVE-2012-2800

    CC: libav-stable@libav.org
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

commit 2d09cdbaf2f449ba23d54e97e94bd97ca22208c6
Author: Michael Niedermayer
Date:   Sun Apr 15 14:11:50 2012 +0200

    indeo5: check tile size in decode_mb_info().

    This prevents writing into a too small array if some parameters changed
    without the tile being reallocated.
    Fixes CVE-2012-2794

    CC: libav-stable@libav.org
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Anton Khirnov

commit e4d4044339b9c3b0f45f7203cd026eda3c0414c0
Author: Anton Khirnov
Date:   Sat Sep 29 10:39:49 2012 +0200

    indeo3: fix out of cell write.

    Fixes CVE-2012-2776.

    CC: libav-stable@libav.org
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

commit 065b3a1cfa3f23aedf76244b3f3883ba913173ff
Author: Anton Khirnov
Date:   Sat Sep 29 08:40:42 2012 +0200

    wmalosslessdec: increase channel_coeffs/residues size

    Fixes CVE-2012-2792

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

commit b631e4ed64f7d1b9ca8f897fda31140e8d1fad81
Author: Michael Niedermayer
Date:   Sat Apr 14 18:28:31 2012 +0200

    lagarith: check count before writing zeros.

    Fixes CVE-2012-2793

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Anton Khirnov

commit 99f392a584dd10b553facc8e819f2c7e982e176d
Author: Michael Niedermayer
Date:   Sat Apr 14 11:07:11 2012 +0200

    wmaprodec: check num_vec_coeffs for validity

    Fixes CVE-2012-2789

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Anton Khirnov

commit b146d74730ab9ec5abede9066f770ad851e45fbc
Author: Michael Niedermayer
Date:   Sat Apr 14 20:04:05 2012 +0200

    indeo4: update AVCodecContext width/height on size change

    Fixes CVE-2012-2787

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Anton Khirnov

commit 891918431db628db17885ed947ee387b29826a64
Author: Michael Niedermayer
Date:   Sat Mar 24 17:43:55 2012 +0100

    indeo5dec: Make sure we have had a valid gop header.

    This prevents decoding happening on a half initialized context.

    Fixes CVE-2012-2779

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Anton Khirnov

commit c20a69630619d14ae92c5541d52c579d7c8f3e94
Author: Michael Niedermayer
Date:   Sat Mar 24 02:40:24 2012 +0100

    cavsdec: check for changing w/h.

    Our decoder does not support changing w/h.

    Fixes CVE-2012-2777 and CVE-2012-2784.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Anton Khirnov

commit bb146bb57bea6647f9c080aa4f9323a3a789ad22
Author: Michael Niedermayer
Date:   Fri Mar 23 03:43:30 2012 +0100

    ogg: prevent NULL pointer dereference in theora gptopts

    Additional safety in case a special ogg stream is crafted with the proper number of

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 66197988b1ee914825afbc3084e6da63f862068a
Author: Thilo Borgmann
Date:   Sun Apr 15 18:07:12 2012 +0200

    alsdec: fix number of decoded samples in first sub-block in BGMC mode.

    Fixes CVE-2012-2790

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer
    Signed-off-by: Justin Ruggles

commit 97f0efbfb86d24f081b2caa39f6249e05c95c2ef
Author: Thilo Borgmann
Date:   Sun Mar 11 16:56:23 2012 +0100

    alsdec: Fix out of ltp_gain_values read.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer
    Signed-off-by: Justin Ruggles

commit 5b051ec3bdc78f3d89e8d1425674cde8fd6c9ccc
Author: Michael Niedermayer
Date:   Wed Feb 29 06:10:17 2012 +0100

    alsdec: Check that quantized parcor coeffs are within range.

    ALS spec: 11.6.3.1.1 Quantization and encoding of parcor coefficients
    ...
    In all cases the resulting quantized values ak are restricted to the range [-64,63].

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer
    Signed-off-by: Justin Ruggles

commit 9853e41aa0a6cfff629ff7009685eb8bf8d64e7f
Author: Michael Niedermayer
Date:   Sat Mar 24 01:39:13 2012 +0100

    alsdec: check opt_order.

    Fixes out of array write in quant_cof.
    Also make sure no invalid opt_order stays in the context.
    Fixes CVE-2012-2775

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer
    Signed-off-by: Justin Ruggles

commit 45838561f2f14339acdf53ffa3adbfe8e6db7514
Author: Michael Niedermayer
Date:   Sat Jul 28 18:07:45 2012 +0600

    vc1dec: Override invalid macroblock quantizer

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer
    Signed-off-by: Kostya Shishkov

commit 2bf369b60c7d56dd73887a0156c37676d0fa7e29
Author: Michael Niedermayer
Date:   Sat Jul 28 16:27:55 2012 +0600

    vc1: avoid reading beyond the last line in vc1_draw_sprites()

    Fixes overread

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer
    Signed-off-by: Kostya Shishkov

commit 1100acbab26883007898c53efeb289f562c6e514
Author: Michael Niedermayer
Date:   Sat Jul 28 17:14:50 2012 +0600

    vc1dec: check that coded slice positions and interlacing match.

    This fixes out of array writes

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer
    Signed-off-by: Kostya Shishkov

commit 0aa907cfb1bbc647ee4b6da62fac5c89d7b4d318
Author: Michael Niedermayer
Date:   Sat Jul 28 17:14:48 2012 +0600

    vc1dec: Do not ignore ff_vc1_parse_frame_header_adv return value

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer
    Signed-off-by: Kostya Shishkov

commit f39bbc9d2130bfb2b383c70105a6d54e6cadbbb5
Author: Michael Niedermayer
Date:   Mon Mar 26 15:05:02 2012 +0200

    mxfdec: fix off by one error.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer
    Signed-off-by: Luca Barbato

commit b7d14883939e756cbda376c66552be9d843910a0
Author: Michael Niedermayer
Date:   Thu May 31 20:19:56 2012 +0200

    h264: move q0 scan tables into context

    This fixes out of global array reads.
    The alternative solutions of checking the index or modifying the VLC
    tables to prevent the index going outside are each about 1-2 cpu cycles
    slower per coded 4x4 block.
    The alternative of padding the global tables directly is more ugly
    and moving them to the context should benefit cache locality.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 18b46a494ef3592d69f4638dac1ebb613c0f548d
Author: Michael Niedermayer
Date:   Thu May 31 19:06:14 2012 +0200

    oggparsevorbis: fix null ptr dereference

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit b02cc2ddc610cd84bbee5923a642a8324988b28c
Author: Michael Niedermayer
Date:   Thu May 31 18:54:00 2012 +0200

    mpeg4videodec: Check that cplx_estimation_* fits in the available space

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 8aaa00c3012d425ce50efffadb813ad62d1ff3d5
Author: Michael Niedermayer
Date:   Thu May 31 05:01:28 2012 +0200

    indeo5: check quant_mat

    prevents out of array read

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 39f0a45a1a087e5bbef84fa3366942384ec32155
Author: Michael Niedermayer
Date:   Wed May 30 16:42:01 2012 +0200

    h264_cavlc: check prefix before using it.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 32e60b6bfed709a7d84fd35942baee12a6080595
Author: Michael Niedermayer
Date:   Wed May 30 16:40:33 2012 +0200

    h264: increase scantable sizes to avoid overread

    We could also check the index but this would slow speed critical code down.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit fd4c1c0b70b5a06dd572d7e27799a2f4c3d9b984
Author: Michael Niedermayer
Date:   Wed May 30 16:19:36 2012 +0200

    truemotion1: Check index, fix out of array read

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit e7cb161515fc9fb6d30d1681d64d9ba7ad737a4e
Author: Michael Niedermayer
Date:   Tue May 29 19:50:15 2012 +0200

    ape: Fix null ptr dereference with files missing a seektable.
    Such files are currently not supported as the table is used at several points

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 5880d788734d9c4e2dc53c6cdec343ee978d3a3f
Author: Michael Niedermayer
Date:   Tue May 29 19:28:09 2012 +0200

    movdec: Check count of stts/ctts elements instead of just the pointer.

    Fixes overreading the array

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 1b8741a6843f3f4667c81c2d63d3182858aa534f
Author: Michael Niedermayer
Date:   Tue May 29 19:16:22 2012 +0200

    4xm: fix division by zero caused by bps<8

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 8ea5df4fac57acf8a6e8cf575502ccd3dd776f57
Author: Michael Niedermayer
Date:   Thu May 10 17:36:49 2012 +0200

    lavc/utils: fix division by 0

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 91e72e35141f590c38985ad0ae3453a4e9e86b8a
Author: Michael Niedermayer
Date:   Thu May 10 17:22:27 2012 +0200

    omadec: Check geob datasize more completely

    Fixes out of heap array read.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 64953f67f98da2e787aeb45cc7f504390fa32a69
Author: Ronald S. Bultje
Date:   Wed May 2 16:12:46 2012 +0000

    qdm2: clip array indices returned by qdm2_get_vlc().

    Prevents subsequent overreads when these numbers are used as indices in arrays.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org
    Signed-off-by: Justin Ruggles

commit 71a3c59ed73f2cad401d192278d1fcab9a129606
Author: Michael Niedermayer
Date:   Sun Apr 15 13:29:50 2012 +0200

    eatgv: check vector_bits

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer
    Signed-off-by: Kostya Shishkov

commit d2205d6543881f2e6fa18c8a354bbcf91a1235f7
Author: Ronald S. Bultje
Date:   Wed May 2 10:58:55 2012 -0700

    png: check bit depth for PAL8/Y400A pixel formats.
    Wrong bit depth can lead to invalid rowsize values, which crashes the
    decoder further down.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 273e6af47b38391f2bcc157cca0423fe7fcbf55c
Author: Ronald S. Bultje
Date:   Fri May 4 16:06:26 2012 -0700

    ea: check chunk_size for validity.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 5eec5a79da118170f3cfe185a862783d3fa50abe
Author: Ronald S. Bultje
Date:   Tue Mar 13 17:18:41 2012 -0700

    jpeg: handle progressive in second field of interlaced.

    Progressive data is allocated later in decode_sof(), not allocating
    that data leads to NULL dereferences.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 1f05dcbad243622020151a3b0b45c68ea5f2866c
Author: Michael Niedermayer
Date:   Thu Mar 29 16:54:28 2012 -0700

    ituh263dec: Implement enough of Annex O (scalability) to fix a FPE.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Ronald S. Bultje

commit 2d22d4307dcc1461f39a2ffb9c8db6c6b23fd080
Author: Ronald S. Bultje
Date:   Thu Mar 29 12:24:10 2012 -0700

    h263: more strictly forbid frame size changes with frame-mt.

    Prevents crashes because the old check was incomplete.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 732f9fcfe54fc9a0a7bbce53fe86b38744c2d301
Author: Ronald S. Bultje
Date:   Thu Mar 29 16:37:09 2012 -0700

    h264: additional protection against unsupported size/bitdepth changes.

    Fixes crashes in codepaths not covered by original checks.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit ac80b812cd177553339467ea12548d71c9ef6865
Author: Ronald S. Bultje
Date:   Thu Mar 29 12:44:55 2012 -0700

    tta: prevents overflows for 32bit integers in header.

    This prevents sample_rate/data_length from going negative, which caused
    various crashes and undefined behaviour further down.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 82a0497cf317a9bf3e5d65fb13485097d0e88321
Author: Ronald S. Bultje
Date:   Tue May 1 09:59:04 2012 -0700

    vp8: update frame size changes on thread context switches.

    This properly synchronizes frame size changes between threads if
    subsequent threads abort decoding before frame size is initialized,
    i.e. it prevents the thread after that from ping-ponging back to the
    original value.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

commit 29545741266a03332f2758c7ba4f77f362c3668d
Author: Michael Niedermayer
Date:   Mon Apr 23 21:40:02 2012 +0200

    indeo4: check quant_mat more fully.

    quant_mat's valid range depends on the block size.
    This fixes a global array overread.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 068d0b4e2503649cbf35524466e96f17f45327fa
Author: Michael Niedermayer
Date:   Mon Apr 23 19:41:46 2012 +0200

    h264: some fields in SEIs are longer than 25 bits thus use get_bits_long()

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 4d87001096ff1d4e3ee6f88f8caddbd8ccb2c816
Author: Michael Niedermayer
Date:   Mon Apr 23 03:29:48 2012 +0200

    vp8: fix crash due to skipped update_dimensions().

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 0ca4414d0f3eeb39bbad504eaaae76d40b7189cc
Author: Michael Niedermayer
Date:   Mon Apr 23 10:33:55 2012 +0300

    audemux: Add a sanity check for the number of channels

    Fixes a division by 0.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Martin Storsjö

commit 951cbea56fdc03ef96d07fbd7e5bed755d42ac8a
Author: Michael Niedermayer
Date:   Sun Apr 22 20:03:53 2012 +0200

    mpeg12dec: reset data size after parsing extradata.

    This ended up corrupting data structures and may possibly lead to a double free.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 41abc9da50ba7a7b68bbbf6622475ce7a3c72e3f
Author: Michael Niedermayer
Date:   Sun Apr 22 16:41:21 2012 +0200

    iff: fix null ptr dereference

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 8aa57b7b5e06c1cd9dbb2e84e48caa0ef840c5dc
Author: Michael Niedermayer
Date:   Sun Apr 22 15:32:58 2012 +0200

    audemux: Check channels isn't 0

    Fixes a division by 0

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit fd2127ad53370c4f5d615265c4f915126e7d5f4f
Author: Michael Niedermayer
Date:   Sun Apr 22 15:29:34 2012 +0200

    wtvdec: Check that stream private context has been allocated before use.

    This fixes a null ptr dereference with attachments

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 9a4f5b76169a71156819dbaa8ee0b6ea25dc7195
Author: Michael Niedermayer
Date:   Sun Apr 22 14:19:18 2012 +0200

    mjpegbdec: check SOS/SOF ordering.

    Fixes null ptr dereference

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit abec6549ae1e86fdf89dbab8a8abca8eb7205c6e
Author: Michael Niedermayer
Date:   Sun Apr 22 13:56:07 2012 +0200

    ffv1dec: Require a valid keyframe for decoding non keyframes.

    Before this the context could become inconsistent, this led to a null ptr dereference.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 605f2b6b004eee4dc57832257169ff8eaa562fb7
Author: Michael Niedermayer
Date:   Sun Apr 22 12:16:29 2012 +0200

    asv1dec: check extradatasize before reading.

    Fixes null ptr dereference

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit fa5dacce143f3fbe8eac14d5a99e926b2787e9e6
Author: Michael Niedermayer
Date:   Sun Apr 22 12:09:59 2012 +0200

    indeo5: check against scalable frames in non scalable streams.
    Fixes a null ptr dereference.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 2a59abf1a8859bd63f5760e98ffcb381d407451d
Author: Michael Niedermayer
Date:   Sun Apr 22 11:23:58 2012 +0200

    smackerdemux: Allocate padding for extradata

    Fixes slight overread.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit f7c67536fe56336b9c6dcbc87162394c7feb18a5
Author: Michael Niedermayer
Date:   Sun Apr 22 11:10:17 2012 +0200

    svq1dec: Fix overread on very small input

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit b21ba20cc83c80fe56192fee3626a8087f37d806
Author: Michael Niedermayer
Date:   Sun Apr 22 03:47:53 2012 +0200

    wmaprodec: tighter check for num_vec_coeffs

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 6c0027bb3971dc9a06b5847c51a106e10c7b6fcb
Author: Michael Niedermayer
Date:   Sat Apr 21 21:39:18 2012 +0200

    dnxhddec: check that the indicated bit depth matches the tables.

    Fixes crash

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 94b42da6963a88c9518039e0b8ca42b6aab8bfb3
Author: Michael Niedermayer
Date:   Sat Apr 21 21:29:48 2012 +0200

    xldec: Check that width is a multiple of 4

    Fixes out of array reads

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 13381577d181fa732d6d2fa0491fa2ff50186546
Author: Michael Niedermayer
Date:   Sat Apr 21 19:41:54 2012 +0200

    xmvdemux: don't let current_stream become invalid.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 5a35bd92ad6b535fd5d3a7513169661de66ec247
Author: Michael Niedermayer
Date:   Sat Apr 21 19:28:35 2012 +0200

    cook: check subpacket count

    Fixes out of array writes.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 4a80ebe491609e04110a1dd540a0ca79d3be3d04
Author: Michael Niedermayer
Date:   Fri Apr 20 18:13:29 2012 +0200

    indeo3: Fix reallocation code so that it doesn't become inconsistent.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 2c22701c371c2f3dea21fcdbb97c981939fb77af
Author: Michael Niedermayer
Date:   Fri Apr 20 17:52:33 2012 +0200

    ac3dec: Check number of output channels.

    Fixes out of array write.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 1df49142bab1b7bccd11392aa9e819e297d21a6e
Author: Michael Niedermayer
Date:   Fri Apr 20 17:42:18 2012 +0200

    avsdec: Set dimensions instead of relying on the demuxer.

    This fixes out of array writes.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit a9cd12ee2afb3f3aad783c396816b23d8513f472
Author: Michael Niedermayer
Date:   Thu Apr 19 19:50:54 2012 +0200

    mlpdec: set channel variables after checking them

    This fixes out of array reads

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit c90b8a74802f36a0594c4867185e18d3dbd4023b
Author: Michael Niedermayer
Date:   Thu Apr 19 14:37:35 2012 +0200

    h263dec: Check for width/height changes on frame skips too.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 903ccf71b757cd30ce8e2378fd8ba87664e78449
Author: Michael Niedermayer
Date:   Thu Apr 19 12:14:08 2012 +0200

    error_concealment: Check that the reference is not NULL

    In normal picture decoding this does not need to be checked but as
    error concealment is run in the case of errors the availability of
    references is less certain.
    This may be fixed differently at some point so that all references are
    always filled in before the EC code, in which case this should then be
    changed to an assert()

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 5e59a77cec804a9b44c60ea22c17beba6453ef23
Author: Michael Niedermayer
Date:   Thu Apr 19 11:02:22 2012 +0200

    vc1dec: check that coded slice positions and interlacing match.

    This fixes out of array writes

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 601d072e68fb2967e561980336bea0b0625e629e
Author: Michael Niedermayer
Date:   Wed Apr 18 16:49:46 2012 +0200

    diracdec: check xybsep

    Fixes division by 0

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit e531e73a6f0f7b4099ef5ed7ede949e4f75d106c
Author: Michael Niedermayer
Date:   Wed Apr 18 16:42:34 2012 +0200

    indeo: Make sure the to be used vlc table has been initialized.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 9ed388f5985992a0a6a43fdc0b1732962b6b5619
Author: Michael Niedermayer
Date:   Wed Apr 18 15:21:35 2012 +0200

    ogm: Fix division by 0

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 820109224142323f182c2917e3d8ddc34324b5df
Author: Michael Niedermayer
Date:   Wed Apr 18 15:16:36 2012 +0200

    h264: reset current_slice on context reinit

    This fixes a null pointer dereference

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit a66675268f63dd6794ce946c7edbcb8b49ae0f13
Author: Michael Niedermayer
Date:   Tue Apr 17 20:02:13 2012 +0200

    indeo5: don't run the wavelet transform over partially decoded bands.

    This fixes a null pointer dereference.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit ebf6d1d295debe112b990bea772f26a0441af079
Author: Michael Niedermayer
Date:   Tue Apr 17 19:32:04 2012 +0200

    nuv: check buffer size before checking content.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 096231d497457be9496b0be01ff6da2093186c3c
Author: Michael Niedermayer
Date:   Tue Apr 17 17:42:09 2012 +0200

    avidec: Don't crash on avi packets that belong to dv streams in dv in avi

    Fixes null pointer dereference

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 2677697ac93a5de731aac598e863bd8bbe3b3a53
Author: Michael Niedermayer
Date:   Tue Apr 17 17:12:22 2012 +0200

    matroskadec: check headerstrip data availability.

    Fixes null ptr dereference

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 4fa706a4a64f9e06b08c1a42a62893ff2f7de82f
Author: Michael Niedermayer
Date:   Mon Apr 16 18:26:49 2012 +0200

    svq3: check the watermark height.

    Fixes division by 0

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit efe1ba7201b3bb609d3a41091e15e875137f3f32
Author: Michael Niedermayer
Date:   Mon Apr 16 18:22:22 2012 +0200

    diracdec: check lowdelay bytes.

    Fixes division by zero

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit a30165c4a8044e1d5527c1302b5a5cb473e0913d
Author: Michael Niedermayer
Date:   Mon Apr 16 18:13:51 2012 +0200

    omadec: make sample rate table large enough to prevent out of array reading.

    The new values lead to error messages when used

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit c963189bc2fcb879acff100be341222ee8aa850a
Author: Michael Niedermayer
Date:   Mon Apr 16 18:07:19 2012 +0200

    g729dec: initialize pitch_delay_int_prev to the minimum valid value.
    This prevents an out of array read
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 47f0beadba9003391d8bfef59b15aa21a5b2d293
Author: Michael Niedermayer
Date: Mon Apr 16 16:44:12 2012 +0200
    dsicinav: Check for overread in RLE decode.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 71d3c25a7ef442ac2dd7b6fbf7c489ebc0b58e9b
Author: Michael Niedermayer
Date: Mon Apr 16 16:39:02 2012 +0200
    smacker: Check get_vlc() return values.
    Fixes out of array reads
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 8e77c3846e91b1af9df4084736257d9899156eef
Author: Michael Niedermayer
Date: Mon Apr 16 16:27:08 2012 +0200
    dcadec: fix global array overread.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 884efd4e09696b201457feebdef684aee30be99d
Author: Michael Niedermayer
Date: Mon Apr 16 14:38:40 2012 +0200
    indeo4: avoid storing invalid values in quant_mat.
    Fixes a global array overread
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 474e31c904f766b6989fe614c3fb093e697c847f
Author: Michael Niedermayer
Date: Mon Apr 16 14:30:33 2012 +0200
    4xmdemux: Check chunk size
    Fixes over reading the header array
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit e74fa25cb9f29aee8a36df0c8e492f8bafdbe4a0
Author: Michael Niedermayer
Date: Mon Apr 16 13:51:40 2012 +0200
    omadec: check GEOB sizes against buffer size
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit a10f71c1d65c3e457c7e42ac600efe063e432efd
Author: Michael Niedermayer
Date: Mon Apr 16 13:40:55 2012 +0200
    vc1dec: add missing terminating element to mpeg4_video_profiles
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit e985cfd18bc416d3ff0c83ccafdc1ac733e6d522
Author: Michael Niedermayer
Date: Mon Apr 16 13:35:41 2012 +0200
    vc1dec: check end_mb_y / start_mb_y validity
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit c4ce8709676a6f0b41761093b0da08de72799ba9
Author: Michael Niedermayer
Date: Mon Apr 16 12:01:55 2012 +0200
    flvdec: allocate large enough buffer so get_bits() doesnt overread
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 8dfb13ea59f87365f407dfe4fc196b50e3fad92b
Author: Michael Niedermayer
Date: Mon Apr 16 01:57:36 2012 +0200
    adxdec: Check available space before decoding block.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 6d24fe2c3c7437bfbf8317d3de5bdd4af9823589
Author: Michael Niedermayer
Date: Mon Apr 16 01:24:04 2012 +0200
    segafilm: make the loop condition in film_read_packet() match the contents.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 88a97d660d65b8d5ac2ca719969c0096ace00114
Author: Michael Niedermayer
Date: Sun Apr 15 21:01:35 2012 +0200
    indeo5: check for unsupported luma block type
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit fefc65675eb5def2a34787cffea53c88e956cca1
Author: Michael Niedermayer
Date: Sun Apr 15 20:19:42 2012 +0200
    tiffdec: check overread for packbits
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 2837d8dc276760db1821b81df3f794a90bfa56e6
Author: Thilo Borgmann
Date: Sun Apr 15 18:07:12 2012 +0200
    alsdec: fix number of decoded samples in first sub-block in BGMC mode.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 44c4170c52c10e3da3a7ea8e3435ef37c4edc2cc
Author: Michael Niedermayer
Date: Sun Apr 15 18:13:50 2012 +0200
    lzw: check for overread
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit a63c813797fbdc32c530bf8930e11bf5a9a01d77
Author: Michael Niedermayer
Date: Sun Apr 15 18:01:11 2012 +0200
    pngdec: check bits_per_pixel for palette mode.
    This fixes an out of array read
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit c7dc19d68f5de4ee150e601875d43dc80bd6c285
Author: Michael Niedermayer
Date: Sun Apr 15 17:41:17 2012 +0200
    png: make sure the previous frame's dimensions match before using it as reference
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 3118e3b137323785d131e1448c6718e9f649de73
Author: Michael Niedermayer
Date: Sun Apr 15 16:40:49 2012 +0200
    ff_lag_rac_init: fix signedness error leading to out of array read.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 20335598f2a08e92ae8f098f62f6311d42ebd55b
Author: Michael Niedermayer
Date: Sun Apr 15 16:30:17 2012 +0200
    qdm2_fft_decode_tones: fix infinite loop
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 1a974679d097e878401cc1a425c3ed612be1581e
Author: Michael Niedermayer
Date: Sun Apr 15 16:17:07 2012 +0200
    qdm2: Check vlc_stage3_values index.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit b1096b6ee7d51c8e2b900af375b3f14194241ac2
Author: Michael Niedermayer
Date: Sun Apr 15 15:36:38 2012 +0200
    xan: check for vector_segment overread
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit b962932cba61f06c8da3e7f70e519dec1c1dd88a
Author: Michael Niedermayer
Date: Sun Apr 15 15:29:50 2012 +0200
    eatgv: check vector_bits
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 93927eb334dce961603645dd4ed9772bb2400cc4
Author: Michael Niedermayer
Date: Sun Apr 15 14:58:06 2012 +0200
    ff_ivi_decode_blocks: fix negative scan_pos case.
    Fixes out of global array read.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit f0bf9e9c2a65e9a2b9d9e4e94f99acb191dc7ae7
Author: Michael Niedermayer
Date: Sun Apr 15 14:16:55 2012 +0200
    indeo: Check allocated tile size in ff_ivi_process_empty_tile()
    This prevents writing into a too small array if some parameters changed without the tile being reallocated.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 5ad7335ebac2b38bb2a1c8df51a500b78461c05a
Author: Michael Niedermayer
Date: Sun Apr 15 14:11:50 2012 +0200
    indeo5: check tile size in decode_mb_info().
    This prevents writing into a too small array if some parameters changed without the tile being reallocated.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 0846719dd11ab3f7a7caee13e7af71f71d913389
Author: Michael Niedermayer
Date: Sun Apr 15 13:26:19 2012 +0200
    indeo4: check transform size.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 01bf2ad7351fdaa2e21b6bdf963d22d6ffccb920
Author: Michael Niedermayer
Date: Sat Apr 14 20:04:05 2012 +0200
    indeo4: setup width/height properly.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit c42efad3c34cace09555e05fd0cb81cb59cc726f
Author: Michael Niedermayer
Date: Sat Apr 14 18:32:36 2012 +0200
    wtvdec: fix name_size check to consider integer overflows.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 83c7803f55b3231faeb93c1a634399a70fae9480
Author: Michael Niedermayer
Date: Sat Apr 14 18:28:31 2012 +0200
    lagarith: check count before writing zeros.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 64bd7f8e4db1742e86c5ed02bd530688b74063e3
Author: Michael Niedermayer
Date: Sat Apr 14 16:32:56 2012 +0200
    wmalosslessdec: Reset put bit buffer when num_saved_bits is reset.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit b3a43515827f3d22a881c33b87384f01c86786fd
Author: Michael Niedermayer
Date: Sat Apr 14 14:51:24 2012 +0200
    wmalosslessdec: Fix reading too many bits in decode_channel_residues()
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 2a7063de547b1d8fb1cef523469390fb59fb2c50
Author: Michael Niedermayer
Date: Sat Apr 14 14:50:25 2012 +0200
    wmalosslessdec: fix a get_bits(0) in decode_ac_filter
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit a0abefb0af64a311b15141062c77dd577ba590a3
Author: Michael Niedermayer
Date: Sat Apr 14 14:49:22 2012 +0200
    wmalosslessdec: make mclms arrays big enough for whats written into them.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit d442c4462a2692e27a24e1a9d0eb6f18725c7bd8
Author: Michael Niedermayer
Date: Sat Apr 14 13:34:14 2012 +0200
    wmalosslessdec: Make arrays WMALL_BLOCK_MAX_SIZE big and check samples_per_frame.
    The samples_per_frame check is ported from wmaprodec.c
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 9166f483c52e7e0a031a7bb149bea16aaa72f344
Author: Michael Niedermayer
Date: Sat Apr 14 13:13:32 2012 +0200
    wmaprodec: check min_samples_per_subframe
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit b28c678ba893876eb7a0c1768dea9dfa0fbeceb3
Author: Michael Niedermayer
Date: Sat Apr 14 12:03:04 2012 +0200
    wmaprodec: fix get_bits(0) case.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 97a5addfcf0029d0f5538ed70cb38cae4108a618
Author: Michael Niedermayer
Date: Sat Apr 14 11:07:11 2012 +0200
    wmaprodec: check num_vec_coeffs for validity
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit cca9528524c7a4b91451f4322bd50849af5d057e
Author: Michael Niedermayer
Date: Sat Apr 14 00:07:38 2012 +0200
    mp3on4: allocate a large enough frame.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit c41ac870470c614185e1752c11f892809022248a
Author: Michael Niedermayer
Date: Fri Apr 13 23:56:26 2012 +0200
    avidec: update size when packet is shrunk
    Fixes out of array read
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 72b9537d8886f679494651df517dfed9b420cf1f
Author: Michael Niedermayer
Date: Fri Apr 13 22:57:23 2012 +0200
    dfa: Fix out of array write in decode_dds1()
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit d1c95d2ce39560e251fdb14f4af91b04fd7b845c
Author: Michael Niedermayer
Date: Fri Apr 13 22:52:16 2012 +0200
    dfa: fix out of array write in decode_wdlt()
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 7c9d69360cd29415591816b70e722235a4319e08
Author: Michael Niedermayer
Date: Sun Apr 1 02:57:27 2012 +0200
    lavc: check media type of the decoder before calling it.
    This fixes a segfault where a video decoder was called from avcodec_decode_audio*().
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 5216245a2c5ed8140d99f14fcc148fbb6db9831e
Author: Michael Niedermayer
Date: Sat Mar 31 23:31:56 2012 +0200
    indeo4: fix null ptr dereference
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit d3db8988d5befd8702a748cf1957415677bfe75c
Author: Michael Niedermayer
Date: Sat Mar 31 21:42:50 2012 +0200
    indeo4: check that num_mbs matches
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 420d1df2e2a857eae45fa947e16eae7494793d57
Author: Michael Niedermayer
Date: Thu Mar 29 17:52:21 2012 +0000
    apedec: check bits <= 32.
    Fixes a floating-point exception further down.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org
    Signed-off-by: Michael Niedermayer
    Signed-off-by: Ronald S. Bultje
    Signed-off-by: Derek Buitenhuis

commit 3768445be80090f2c12afa5eb95152dcd389b616
Author: Michael Niedermayer
Date: Sat Mar 31 18:25:44 2012 +0200
    tm2dec: fix overread
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit f9143d2407b38f33b85487fd597c9194f79adb20
Author: Michael Niedermayer
Date: Sat Mar 31 16:22:30 2012 +0200
    ividsp: prevent pointers from going outside and overreading.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 12038ab16da2f9e007c5f3a5bacc19e61f8edfd8
Author: Michael Niedermayer
Date: Sat Mar 31 15:52:13 2012 +0200
    ividsp: zero pitch so as not to overread
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 874ac0b1fdc858481aa51bdc010612d9db29083b
Author: Michael Niedermayer
Date: Sat Mar 31 14:16:48 2012 +0200
    indeo5: change AVCodecContext w/h when internal ones change.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 280beebd399b2d2c9bf58438c2aa2a22a0a53282
Author: Michael Niedermayer
Date: Fri Mar 30 21:47:06 2012 +0200
    cavsdec: initialize all tables to zeros.
    This ensures that they dont contain invalid values.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit ec0965be36b55624a03d20c3b24e6a7aa61d6cd2
Author: Michael Niedermayer
Date: Fri Mar 30 19:18:42 2012 +0200
    cavsdec: ensure the tables have been allocated before using them
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 4f7c7624c0db185c48c59d95d745ab3f7851a5b4
Author: Ronald S. Bultje
Date: Wed Mar 28 12:56:07 2012 -0700
    mov: don't overwrite existing indexes.
    Prevents all kinds of badness if files contain multiple indexes.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit b7b1509d06d3696d3b944791227fe198ded0654b
Author: Ronald S. Bultje
Date: Thu Mar 29 10:25:04 2012 -0700
    truemotion: forbid invalid VLC bitsizes and token values.
    SHOW_UBITS() is only defined up to n_bits is 25, therefore forbid values larger than this in get_vlc2() (max_bits). tokens[][] can be used as an index in deltas[], which has a size of 64, so ensure the values are smaller than that. This prevents crashes on corrupt bitstreams.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit bf39d3b59d85e5734babe48b61b8d92d18188185
Author: Ronald S. Bultje
Date: Thu Mar 29 09:29:03 2012 -0700
    truemotion2: handle out-of-frame motion vectors through edge extension.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit ddcf67c8a51c67b122a826d8b5819e96d591d813
Author: Ronald S. Bultje
Date: Wed Mar 28 17:06:00 2012 -0700
    lzw: prevent buffer overreads.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit bd508d435b94584db460c684e30ea7ce180cf50f
Author: Ronald S. Bultje
Date: Wed Mar 28 11:53:13 2012 -0700
    truemotion2: convert packet header reading to bytestream2.
    Also use correct buffer sizes in calls to tm2_read_stream(). Together, this prevents overreads.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit a940198130de3ab0c50d832bf7a27a70cfed11cc
Author: Ronald S. Bultje
Date: Sat Mar 17 09:09:41 2012 -0700
    cabac: add overread protection to BRANCHLESS_GET_CABAC().
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

commit 7374fac80406d6c1a67a0e3265cfe6dfcc51ce61
Author: Ronald S. Bultje
Date: Fri Mar 16 21:56:40 2012 -0700
    h264: fix overreads in cabac reader.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 0a82f5275f719e6e369a807720a2c3603aa0ddd9
Author: Ronald S. Bultje
Date: Tue Mar 27 12:26:46 2012 -0700
    lagarith: fix buffer overreads.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit a74d7218767bbf978f66c9b4c2bb77f7d77e9bde
Author: Michael Niedermayer
Date: Wed Mar 28 14:52:27 2012 +0200
    indeo4: apply correction to eob/esc indexes too
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 92f7f1db421ee8b3431534fa09e8050ba622c33a
Author: Michael Niedermayer
Date: Wed Mar 28 14:51:21 2012 +0200
    indeo4: Check for mismatching scan tables
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit a60a4d704149ab51bd27b63ae763c1d26d075013
Author: Michael Niedermayer
Date: Wed Mar 28 10:44:43 2012 +0200
    vc1dec: Fix global array overread.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 8db2935db0caa8efbef009994920ef6a20289496
Author: Michael Niedermayer
Date: Wed Mar 28 10:30:44 2012 +0200
    apedec: fix global array overread
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 7a5e5872493ac91af65357680cf03456d0a4f1ff
Author: Michael Niedermayer
Date: Wed Mar 28 08:22:39 2012 +0200
    apedec: check bits <= 32
    Fixes FPE
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 936951ca5c46afe91d4efb6ce7e2759424bbe143
Author: Michael Niedermayer
Date: Wed Mar 28 08:05:11 2012 +0200
    tm2dec: check total_frames and extradata_size.
    Fixes overread
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit d0dafebb753f34da61058adf956663de39a815b4
Author: Michael Niedermayer
Date: Wed Mar 28 07:37:12 2012 +0200
    tm2: Fix overread of token array.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 11cc2092269a36dc7a98545397e110fa8c08e18a
Author: Michael Niedermayer
Date: Wed Mar 28 07:25:06 2012 +0200
    lzw(gif): Fix overread
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 96d0494123a05fb78a0fd3f03b0b5aaefc170b1c
Author: Michael Niedermayer
Date: Wed Mar 28 06:41:13 2012 +0200
    lagarith: Fix various issues that lead to out of array reads.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 4a619fcae99c7fc8cae7070c7859243c40cdb4bc
Author: Michael Niedermayer
Date: Wed Mar 28 03:17:48 2012 +0200
    h263dec: Restore w/h values to a consistent state if a change is rejected.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 98df2e24141cd00a557ef10ed7af2b956200cd80
Author: Ronald S. Bultje
Date: Mon Mar 26 18:02:08 2012 -0700
    raw: forward avpicture_fill() error code in raw_decode().
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 28a613b09b712494b8a82d00112d4e6e97a0df0a
Author: Michael Niedermayer
Date: Tue Mar 27 15:16:37 2012 +0200
    h264: dont mess with chroma planes for grayscale h264.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit dfacef9e735461e72a05e683da06bda5ea9c5d8e
Author: Michael Niedermayer
Date: Tue Mar 27 13:49:58 2012 +0200
    alsdec: make sure no invalid opt_order stays in the context.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 1acc553e5480cc16b6a9a193de581ec8fc01dff8
Author: Michael Niedermayer
Date: Tue Mar 27 13:21:56 2012 +0200
    vc1dec: dont ignore ff_vc1_parse_frame_header_advs return value
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit dcd013a535bccbb163b740b72bbedde67dc8e633
Author: Michael Niedermayer
Date: Tue Mar 27 12:52:53 2012 +0200
    oma: dont over-read buffer
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 95b192de5d05f3e1542e7b2378cdefbc195f5185
Author: Mashiat Sarker Shakkhar
Date: Sat Mar 24 15:49:34 2012 -0700
    vc1: Do not read from array if index is invalid.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org
    Signed-off-by: Ronald S. Bultje

commit 5484170ac729d739b2747979408f47bd9aa31c7c
Author: Ronald S. Bultje
Date: Tue Mar 27 00:20:02 2012 +0200
    rv34: set mb_num_left to 0 after finishing a frame
    Prevents running error resilience on a previous frame which will write to the pic->mb_type[] array of the previous image. The array might already be re-used for a new image in a subsequent thread, thus cause two threads to write to the same pic->mb_type[] array, causing a race condition which can crash in rv34_decode_cbp(), called by rv34_decode_inter_mb_header() (which accesses mb_type[] twice, assuming values are maintained, which the race condition breaks).
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit d6eef545c1f576d798a8f07fbcec5cdfb2d950f6
Author: Michael Niedermayer
Date: Tue Mar 27 00:44:32 2012 +0200
    vc1dec: move mquant zero check down.
    This way it catches all cases, and prevents later segfaults.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 43fd3212521e3a44b99a6b1ef9bf9bcdddd086e8
Author: Michael Niedermayer
Date: Tue Mar 27 00:12:03 2012 +0200
    targa: Fix input buffer size check.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit a84851bef8b7c99708ac5c7d0cddd6f8a7ee4d9e
Author: Michael Niedermayer
Date: Mon Mar 26 22:11:53 2012 +0200
    indeo3dec: check mv bitstream pointer
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 8a521d57b30c86a222c99a8c65d663cd227ea834
Author: Michael Niedermayer
Date: Mon Mar 26 22:06:54 2012 +0200
    indeo3dec: Fix end pointer.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 7d74aaf6985e0f286e10c851e4d7e80fd687a774
Author: Michael Niedermayer
Date: Mon Mar 26 15:16:47 2012 +0200
    qdm2dec: fix out of array read
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 3b370abf16044893b9f58212f5dbd3e4ae881a1d
Author: Michael Niedermayer
Date: Mon Mar 26 15:05:02 2012 +0200
    mxfdec: fix off by one error.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit c855ece101cd960ddd20eabd5f295e0b02b71dcc
Author: Michael Niedermayer
Date: Mon Mar 26 02:24:36 2012 +0200
    indeo5: check motion vectors.
    fixes out of frame reading
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 86e3289ffdec88f771ce8ec039ef5b90eb70b4cd
Author: Michael Niedermayer
Date: Sun Mar 25 04:15:51 2012 +0200
    mov: fix heap buffer overflow
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit ec0ed97b046d46421db72c4911d2bbe28bbe5741
Author: Ronald S. Bultje
Date: Thu Mar 22 17:25:22 2012 -0700
    utvideo: port header reading to bytestream2.
    Fixes crash during slice size reading if slice_end goes negative.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 229e4c133287955d5f3f837520a3602709b21950
Author: Michael Niedermayer
Date: Sat Mar 24 17:43:55 2012 +0100
    indeo5dec: Make sure we have had a valid gop header.
    This prevents decoding happening on a half initialized context.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 9879b506b0843bffdd7fe2b25ac8b0cd1cf043a6
Author: Michael Niedermayer
Date: Sat Mar 24 17:42:14 2012 +0100
    truemotion2dec: Fix overread of input.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 9a57a37b7041581c10629c8241260a5d7bfbc1e7
Author: Michael Niedermayer
Date: Sat Mar 24 16:23:40 2012 +0100
    h264: move resolution change check further up.
    This prevents some variables from being changed in case of a rejected resolution change.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 9d3032b960ae03066c008d6e6774f68b17a1d69d
Author: Michael Niedermayer
Date: Sat Mar 24 01:39:13 2012 +0100
    alsdec: check opt_order.
    Fixes out of array write in quant_cof
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 2c0559d5e2faeafa7998173a4dc430408475503f
Author: Michael Niedermayer
Date: Sat Mar 24 14:25:52 2012 +0100
    mpegvideo: increase buffer sizes.
    Fixes buffer overflow
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 8a20774a24bb1ea68b7360113746eac6e59ad8a8
Author: Michael Niedermayer
Date: Sat Mar 24 12:29:05 2012 +0100
    indeo4: Fix global array overread.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit d85b3c4fff4c4b255232fcc01edbd57f19d60998
Author: Michael Niedermayer
Date: Sat Mar 24 05:21:39 2012 +0100
    vp56dec: avoid freeing the returned frame before returning it.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 25715064c2ef4978672a91f8c856f3e8809a7c45
Author: Michael Niedermayer
Date: Sat Mar 24 02:40:24 2012 +0100
    cavsdec: check for changing w/h.
    Our decoder does not support changing w/h.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit ba775a54bc2136ec5da85385a923b05ee6fab159
Author: Michael Niedermayer
Date: Sat Mar 24 02:05:50 2012 +0100
    indeo3: fix out of picture write.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 59a4b73531428d2f420b4dad545172c8483ced0f
Author: Michael Niedermayer
Date: Sat Mar 24 00:20:05 2012 +0100
    pthread/mpegvideo: detect and block attempts to init frames after setup.
    This fixes race conditions that ultimately lead to memory corruption.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 0cb93dacee45d3d767b4470e6a9b43b17e5220c4
Author: Alex Converse
Date: Wed Mar 21 12:00:56 2012 -0700
    aac: Reset some state variables when turning SBR off
    This makes sure the reset flag gets set when SBR gets turned back on and sets control variables for unguided mode back to their defaults.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit a237b38021cd3009cc78eeb974b596085f2fe393
Author: Alex Converse
Date: Wed Mar 21 10:11:02 2012 -0700
    aac: Reset PS parameters on header decode failure.
    If the next header frame codes zero envelopes the previous frame's values will be used. Consequently the invalid values must be cleared.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 71ea26811cbd8345cb10ab29406594e1fc19204e
Author: Ronald S. Bultje
Date: Thu Mar 22 11:50:48 2012 -0700
    aacsbr: handle m_max values smaller than 4.
    Prevents a signflip in the counter, and a subsequent crash because of overreads/overwrites.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit ae03b2141e451f0a3330566f2f2c8e3b9186c2ad
Author: Michael Niedermayer
Date: Fri Mar 23 12:10:08 2012 +0100
    swr: check that there is enough information to do rematrixing when needed.
    Fixes assertion failure.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 2e909b3c77d0d39d4f30aba8b6a780c979551e38
Author: Michael Niedermayer
Date: Fri Mar 23 11:38:20 2012 +0100
    bitstream: build_table, check table_nb_bits.
    Fixes null ptr deref.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit aae44fb4cdfab4fae4d981d2fe1fd708f1dcf9bb
Author: Michael Niedermayer
Date: Fri Mar 23 11:03:53 2012 +0100
    indeo4: check ref_mb
    Fix NULL deref
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 1664edb99859d0a9dfb8dc046f6ed922db301f78
Author: Michael Niedermayer
Date: Fri Mar 23 10:59:03 2012 +0100
    ffmpeg: check samplerate from decoder.
    Fixes FPE
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit a22e64fd02133867406604cb6589bb31696f08bc
Author: Michael Niedermayer
Date: Fri Mar 23 10:48:18 2012 +0100
    rawdec: Check w/h.
    Fixes FPE
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 5934d57ba99b3dab4dfe98472ac6b30b9cf6329a
Author: Michael Niedermayer
Date: Fri Mar 23 10:31:45 2012 +0100
    xmv: check channel number
    Fixes FPE
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 08c37a10e9ef7e30d7b7a889ad28c7fa9c49c886
Author: Michael Niedermayer
Date: Fri Mar 23 10:23:52 2012 +0100
    mjpegdec: check h/v_count.
    Fixes FPE
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 46c78429949239ec4eea23406332c4ae747ac8f2
Author: Michael Niedermayer
Date: Fri Mar 23 10:13:27 2012 +0100
    ituh263dec: Implement enough of Annex O (scalability) to fix a FPE.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit cc415956a45cd17ab74aae3bb7465953c387d458
Author: Michael Niedermayer
Date: Fri Mar 23 05:21:10 2012 +0100
    error_conceal: fix FPE in guess_dc() with huge sizes.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit ac2cb279162218e92a5663caac27d695e6514b69
Author: Michael Niedermayer
Date: Fri Mar 23 04:32:16 2012 +0100
    mov: Fix FPE on 0 time_scale
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit c0a99eae296177b22387fab8921d079088d8a54b
Author: Michael Niedermayer
Date: Fri Mar 23 04:18:10 2012 +0100
    indeo4: check band->scan
    Fixes null ptr exception
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit f927c5b753f2ec1f037ad38cb55b4407dd7a9d79
Author: Michael Niedermayer
Date: Fri Mar 23 03:43:30 2012 +0100
    vorbisdemux: Check private context in theoras gtopts.
    This prevents a null ptr dereference. It could be checked differently but this way it should be possible to return some data.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit ba02069a8e22985a9a775dac9ece6dc54a7e8b44
Author: Michael Niedermayer
Date: Fri Mar 23 02:34:32 2012 +0100
    aacdec: prevent channels from exceeding MAX_CHANNELS.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 01fd1aa0ad2b95045df35f94ee9de073d24609c8
Author: Michael Niedermayer
Date: Fri Mar 23 01:27:49 2012 +0100
    matroskadec: fix strcmp(NULL)
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 437f5daf0bf727a53ea4b485a30f1289f44bf252
Author: Michael Niedermayer
Date: Fri Mar 23 01:09:04 2012 +0100
    mov: fix global unicode conversion array overflow.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 0c97fd336e17535239ab44d755a0d957dc2688f3
Author: Michael Niedermayer
Date: Fri Mar 23 00:49:00 2012 +0100
    mmdemux: dont set pkt->size to an invalid value.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 7c0748c2db015cf2bf2c4a32a43bd1d2697afc1e
Author: Michael Niedermayer
Date: Fri Mar 23 00:27:59 2012 +0100
    eatqi: replace break by goto.
    This fixes some heap overread.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 5a4af049b1a84ee09aba3745678797fce82c4a1e
Author: Michael Niedermayer
Date: Thu Mar 22 23:57:45 2012 +0100
    aacdec: reset max_sfb on invalid data.
    Fixes global out of array read.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 3583c8706df0abbfa3ecdd6730f4f3d72a01fe6d
Author: Michael Niedermayer
Date: Thu Mar 22 23:43:37 2012 +0100
    vqavideodev: Check image dimensions
    Fixes out of heap array read
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 9759d2b886057b90355716edb23262e17f9bc3f9
Author: Michael Niedermayer
Date: Thu Mar 22 22:44:54 2012 +0100
    indeo4: check motion vectors.
    Fixes out of heap array read.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 5023b89bba198b2f8e43b7f555aeb9c30d33db9f
Author: Alex Converse
Date: Wed Mar 21 10:58:07 2012 -0700
    xwma: Validate channels and bits_per_coded_sample.
    This prevents a SIGFPE later on.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 86f2ae06b92d42580ae7ebd86d52c9b7acbc2f13
Author: Alex Converse
Date: Wed Mar 21 11:24:10 2012 -0700
    mov: Do not read past the end of the ctts_data table.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 3e6e89b3d61876b49f4c5d17a36d40e96ccf7ce4
Author: Alex Converse
Date: Wed Mar 21 09:35:45 2012 -0700
    mov: Add missing terminator to mov_ch_layout_map_1ch.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: Libav-stable@libav.org

commit e73c6aaabff1169899184c382385fe9afae5b068
Author: Ronald S. Bultje
Date: Wed Mar 21 16:10:37 2012 -0700
    asf: reset side data elements on packet copy.
    Prevents crash (double free) when free()ing the original packet.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 262196445cf03fda0f7e41c4b968f4f7bf060e6b
Author: Ronald S. Bultje
Date: Wed Mar 21 15:47:11 2012 -0700
    wmavoice: fix stack overread.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 3c9267673e81d2f98b3d26cb64d8adb1e696a247
Author: Ronald S. Bultje
Date: Wed Mar 21 15:43:03 2012 -0700
    wmalossless: error out if a subframe is not used by any channel.
    Prevents infinite loop because min_channel_len never increments.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 75d7975268394f4f16294b68ec6d6d5ac30da3ac
Author: Ronald S. Bultje
Date: Wed Mar 21 15:19:31 2012 -0700
    vqa: check palette chunk size before reading data.
    Prevents overreads beyond buffer boundaries.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit d462949974668ffb013467d12dc4934b9106fe19
Author: Ronald S. Bultje
Date: Wed Mar 21 15:02:19 2012 -0700
    wmalossless: reset sample pointer for each subframe.
    Prevents overwrites when some subframes only encode some channels.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 326f7a68bbd429c63fd2f19f4050658982b5b081
Author: Ronald S. Bultje
Date: Wed Mar 21 12:40:59 2012 -0700
    wmalossless: error out on invalid values for order.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 68fd077f68bdde864bb7328d72a040849c616261
Author: Ronald S. Bultje
Date: Wed Mar 21 10:39:10 2012 -0700
    indeo4: fix out-of-bounds function call.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org
    Signed-off-by: Kostya Shishkov

commit 1e26a48fa23ef8e1cbc424667d387184d8155f15
Author: Ronald S. Bultje
Date: Fri Mar 16 15:24:08 2012 -0700
    h264: fix deadlocks on incomplete reference frame decoding.
    If decoding a second complementary field, and the first was decoded in our thread, mark decoding of that field as complete. If decoding fails, mark the decoded field/frame as complete. Do not allow switching between field modes or field/frame mode between slices within the same field/frame. Ensure that two subsequent fields cover top/bottom (rather than top/frame, bottom/frame or such nonsense situations).
    Fixes various deadlocks when decoding samples with errors in reference frames.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit c6ccb96bc955b2087ec71033d99b3dcd5203eaf2
Author: Ronald S. Bultje
Date: Fri Mar 16 14:16:56 2012 -0700
    mpeg4: report frame decoding completion at ff_MPV_frame_end().
    Prevents hangs on corrupt input.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 80387f0e2568746dce4a68e2217297029a053dae
Author: Ronald S. Bultje
Date: Fri Mar 16 14:04:00 2012 -0700
    mimic: don't use self as reference, and report completion at end of decode().
    Fixes hangs on corrupt samples that reference self-frames.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit e0febda22d0e0fab094a9c886b0e0f0f662df1ef
Author: Ronald S. Bultje
Date: Tue Mar 13 16:26:44 2012 -0700
    h264: stricter reference limit enforcement.
    Progressive images can have only 16 references, error out if there are more, since the data is almost certainly corrupt, and the invalid value will lead to random crashes or invalid writes later on.
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 48cbe4b092113eae0b3e5d6a08b59027f913a884
Author: Ronald S. Bultje
Date: Tue Mar 13 15:21:07 2012 -0700
    h264: increase reference poc list from 16 to 32.
Interlaced images can have 32 references (16 per field), so limiting the array size to 16 leads to invalid writes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit 86020073dbb9a3a9d1fbb76345b2ca29ba1f13d2 Author: Ronald S. Bultje Date: Tue Mar 13 12:28:35 2012 -0700 xa_adpcm: limit filter to prevent xa_adpcm_table[] array bounds overruns. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit 1f8ff2b13cbfef790385818664ed12e763e7c75b Author: Michael Niedermayer Date: Fri Mar 2 20:53:00 2012 +0100 snow: check reference frame indices. Fixes NULL ptr dereference Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Ronald S. Bultje commit c9837954e7b968d44f82e7cdb7618e9f523b196c Author: Michael Niedermayer Date: Sat Mar 10 00:08:32 2012 +0100 snow: reject unsupported chroma shifts. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Ronald S. Bultje commit 758ec111538ccd487686e8677aa754ee4d82beaa Author: Michael Niedermayer Date: Mon Mar 12 18:26:50 2012 -0700 h264: Fix invalid interlaced/progressive MB combinations for direct mode prediction. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org Signed-off-by: Ronald S. Bultje commit 599881b028456ac362b2b1f0d2f1ddd4ed06da76 Author: Thilo Borgmann Date: Sun Mar 11 16:56:23 2012 +0100 alsdec: Fix out of ltp_gain_values read. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit c95fefa0420be9cc0f09a95041acf11114aaacd0 Author: Ronald S. Bultje Date: Sun Mar 11 07:28:54 2012 -0700 dsicinvideo: validate buffer offset before copying pixels. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit 97e48b2f541396ef6e8816a555bac1bb993d7a6a Author: Ronald S. Bultje Date: Sat Mar 10 17:51:28 2012 -0800 cook: error out on quant_index values outside [-63, 63] range. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit d7eabd50425a61b31e90c763a0c3e4316a725404 Author: Ronald S. Bultje Date: Sat Mar 10 14:28:08 2012 -0800 mpc: pad mpc_CC/SCF[] tables to allow for negative indices. MPC8 allows indices of mpc_CC up to -1, and mpc_SCF up to -6, thus pad the tables by that much on the left end. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit 2440040c7bde23f295ef04b159a677b81749012f Author: Michael Niedermayer Date: Sat Mar 10 22:43:14 2012 +0100 vc1: add missing entries to ff_vc1_fps_nr. Fixes out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 8e9a0a3568d915387c35645ea7d85945b98d2197 Author: Michael Niedermayer Date: Sat Mar 10 22:36:15 2012 +0100 mpc7: check subband index This fixes a overread Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit ecc31630f9a16ead4272a078c281afcb4db87f21 Author: Michael Niedermayer Date: Sat Mar 10 22:02:46 2012 +0100 mjpegb: Detect changing nb of planes in interlaced video. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 50f4f272fe3f09d757f5255c722ac34a4740f969 Author: Michael Niedermayer Date: Sat Mar 10 21:12:41 2012 +0100 indeo3: Fix out of reference reading with NULL blocks. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 442c3a8cb1785d74f8e2d7ab35b1862b7088436b Author: Ronald S. Bultje Date: Thu Mar 8 17:09:27 2012 -0800 cook: expand dither_tab[], and make sure indexes into it don't overflow. Fixes overflows in accessing dither_tab[]. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit f77bfa837636a99a4034d31916a76f7d1688cf5a Author: Ronald S. Bultje Date: Sat Mar 10 11:57:17 2012 -0800 xxan: protect against chroma LUT overreads. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit 55188278169c3a1838334d7aa47a1f7a40741690 Author: Ronald S. Bultje Date: Thu Mar 8 16:32:47 2012 -0800 xxan: convert to bytestream2 API. Protects against overreads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit f1279e286b00e99f343adb51e251f036a3df6f32 Author: Ronald S. Bultje Date: Thu Mar 8 16:32:46 2012 -0800 xxan: don't read before start of buffer in av_memcpy_backptr(). Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit f7b57add8ee0cb234617ca1c86e2d334b50fdc38 Author: Michael Niedermayer Date: Sat Mar 10 08:04:34 2012 +0100 cook: tighten the quant_index_table range further. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 1af9fdc3baa47596757da7c401d58710cef45c75 Author: Michael Niedermayer Date: Sat Mar 10 00:08:32 2012 +0100 snow: reject unsupported chroma shifts. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 4ffe5e2aa5241f8da9afd2c8fbc854dcc916c5f9 Author: Ronald S. Bultje Date: Wed Mar 7 16:29:23 2012 -0800 huffyuv: add padding to classic (v1) huffman tables. We slightly overread the input buffer, so we require padding at the end of the buffer, as is documented in the get_bits API. Without padding, we'll read uninitialized data or beyond the end of the .rodata, which may crash. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit 4c25269cedd042abcb823c42d33609564861c374 Author: Ronald S. Bultje Date: Wed Mar 7 16:16:20 2012 -0800 png: convert to bytestream2 API. Protects against overreads in the input buffer. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit 83f15a1228895434a982c840b09edccd1c64e800 Author: Ronald S. Bultje Date: Wed Feb 15 16:21:34 2012 -0800 avs: fix infinite loop on end-of-stream. 
The codec would keep returning the last decoded frame if the stream contains B-frames, since it wouldn't clear that frame from the list of frames to be returned to the user. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit fd0be63049ed46660993d0550a4f0847a0b942ea Author: Alex Converse Date: Tue Mar 6 17:00:29 2012 -0800 tiffdec: Prevent illegal memory access caused by recycled pointers. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit b4bccf3e4e58f6fe58043791ca09db01a4343fac Author: Ronald S. Bultje Date: Wed Mar 7 14:18:14 2012 -0800 wma: fix off-by-one in array bounds check. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit e97efecec82ca8458a9bbd75a91ebf556abde362 Author: Ronald S. Bultje Date: Wed Mar 7 13:48:41 2012 -0800 dv: check buffer size before reading profile. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit 37cc8600d0313838cab5b886b9d373e5819aa24f Author: Ronald S. Bultje Date: Tue Mar 6 13:45:32 2012 -0800 cook: extend channel uncoupling tables so the full bit range is covered. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit cdf15771621bce7959b3e53b21426c5ba747e17b Author: Ronald S. Bultje Date: Tue Mar 6 15:58:35 2012 -0800 roqvideo: convert to bytestream2 API. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit 8febcb9fc178926687ee19d32d2b3150da899867 Author: Ronald S. Bultje Date: Wed Feb 29 14:44:37 2012 -0800 smc: port to bytestream2 API. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit 1255eed533b4069db7f205601953ca54c0dc42c9 Author: Ronald S. Bultje Date: Tue Mar 6 14:18:32 2012 -0800 tgq: convert to bytestream2 API. This protects against input buffer overreads. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit e6ffd997cbc06426e75d3fa291b991866c84a79b Author: Ronald S. Bultje Date: Tue Feb 28 18:11:59 2012 -0800 dca: prevent accessing static arrays with invalid indexes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit cc5dd632cecc5114717d0b90f8c2be162b1c6ee8 Author: Ronald S. Bultje Date: Tue Mar 6 16:08:10 2012 -0800 raw: move buffer size check up. This way, it protects against overreads for 4bpp/2bpp content also. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit f1320dc3bed281bb2f3c5531c52b6a6246e2394a Author: Ronald S. Bultje Date: Tue Mar 6 20:08:17 2012 -0800 lpcm: fix sample size calculation for 20bit LCPM. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit a93b572ae4f517ce0c35cf085167c318e9215908 Author: Ronald S. Bultje Date: Tue Mar 6 17:24:20 2012 -0800 smacker: error out if palette copy-with-offset overruns palette size. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit a55d5bdc6e28a2cfefc440d792de5cc4f02377e2 Author: Ronald S. Bultje Date: Tue Mar 6 15:15:42 2012 -0800 algmm: convert to bytestream2 API. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit 6193ff68549ecbaf1a4d63a0e06964ec580ac620 Author: Ronald S. Bultje Date: Tue Mar 6 10:27:05 2012 -0800 error_resilience: initialize s->block_index[]. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit 11b940a1a8e7e5d5b212935a3ce78aeda577f5f2 Author: Ronald S. Bultje Date: Mon Mar 5 17:03:32 2012 -0800 svq3: protect against negative quantizers. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit c23acbaed40101c677dfcfbbfe0d2c230a8e8f44 Author: Ronald S. Bultje Date: Mon Mar 5 16:01:19 2012 -0800 Don't use ff_cropTbl[] for IDCT. 
Results of IDCT can by far outreach the range of ff_cropTbl[], leading to overreads and potentially crashes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit 2254b559cbcfc0418135f09add37c0a5866b1981 Author: Ronald S. Bultje Date: Mon Mar 5 12:26:42 2012 -0800 swscale: make filterPos 32bit. Fixes overflows for large image sizes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit 0f13cc732b3752828890b8dff507615cfd454336 Author: Michael Niedermayer Date: Tue Mar 6 19:13:55 2012 +0100 diracdec: Correct the bytestream end pointer. This fixes some arith decoder overreads and a potential infinite loop. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 1007a805a486a1348a0543ac2dd99d823148d25c Author: Michael Niedermayer Date: Mon Mar 5 03:43:15 2012 +0100 smc: Fix overread. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 263bb6edcf6b767006fcde315850d3a60b3fceed Author: Michael Niedermayer Date: Mon Mar 5 03:05:21 2012 +0100 bit_depth_template: use av_clip_uint8 over crop_tab. This fixes some global out of array reads and wrong cliping. No speed difference meassurable under clang on i5 also all important code paths on all important platforms should use SIMD. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit e75518e18d953080409711bab291d9501625e103 Author: Michael Niedermayer Date: Mon Mar 5 02:15:35 2012 +0100 indeo3: move MV check up. This adds checking for modes >= 10. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit ccb76ad91f2b97009b06c22ae1b2e0234dbf26ca Author: Michael Niedermayer Date: Thu Mar 1 17:26:03 2012 +0100 cook: check decouple values. This fixes a out of global array read in the cplscale* tables. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 33a183df46355e4b281517e14c9b3c7e2b558dcf Author: Michael Niedermayer Date: Sun Mar 4 23:12:58 2012 +0100 indeo3: Fix overreading requant_tab. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 56ffa3fefb22605ac6507efa046ebddc38301521 Author: Michael Niedermayer Date: Sun Mar 4 22:32:44 2012 +0100 indeo3: Check motion vectors. Fixes overread of reference frame. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 52807022abf3204c3ae9fd6a1778a4d15e469b07 Author: Michael Niedermayer Date: Sun Mar 4 16:38:20 2012 +0100 pcm-mpeg: fix 10l condition flip Original issue Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind 10l bug Found-by: nevcairiel Signed-off-by: Michael Niedermayer commit 37fca5daa0bed1fdb651dfc1c38a3b47f79c58a5 Author: Michael Niedermayer Date: Sun Mar 4 08:14:07 2012 +0100 mmvideo: fix overreads of the input buffer. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 999d38f3a94eb963c073512e5dad7940456eb634 Author: Ronald S. Bultje Date: Wed Feb 29 15:07:09 2012 -0800 dsicinvideo: validate buffer offset before copying pixels. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable-LOOeJiBropLYtjvyW6yDsg@public.gmane.org Signed-off-by: Michael Niedermayer commit 2b693546ad3a8ac16bdce0b9483dc8ae7b3fdb95 Author: Michael Niedermayer Date: Sun Mar 4 07:09:00 2012 +0100 truemotion2: check motion vectors for validity Fixes out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 39a3a53b66fcc115bd8d0bc0a70db66791eab854 Author: Michael Niedermayer Date: Sun Mar 4 06:25:06 2012 +0100 pngdec: validate length. Fixes out of array reading. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 8f1bb3d59850932d43a60472ff98c723268a3958 Author: Michael Niedermayer Date: Sun Mar 4 00:13:52 2012 +0100 wc4: fix out of chroma LUT reads Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit cd0cfdc0a74cbf45f0d00b65faaf3cf5bd93c016 Author: Michael Niedermayer Date: Sat Mar 3 23:55:16 2012 +0100 pcm-mpeg: Check for valid bps. The code only supports 16 and 24 bps currently, 20bps causes out of array reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit f83687bc78bea7ede4859d363c24a28f0473a5db Author: Michael Niedermayer Date: Sat Mar 3 21:03:11 2012 +0100 mpegts: fix stack array overread in read_sl_header() Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 4a310a19dea268b541a099515d73fda04dc642e9 Author: Michael Niedermayer Date: Sat Mar 3 21:02:17 2012 +0100 mpegts: prevent get_bits64() from reading nonsense at the end. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit d629f3edaa39b48ac92ac5e5ae8440e35805b792 Author: Michael Niedermayer Date: Thu Mar 1 19:03:41 2012 +0100 cook: check that category is smaller than 8 This fixes some out of global array accesses of dither_tab. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Reviewed-by: Benjamin Larsson Signed-off-by: Michael Niedermayer commit e732d0f60872bf273eb56ef17b23a543fd74479f Author: Michael Niedermayer Date: Sat Mar 3 07:43:32 2012 +0100 mpeg-ts: fix handling of size=0 SL headers. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 70b5583baa3872b3d5399de555b8006777bf80c5 Author: Michael Niedermayer Date: Sat Mar 3 04:14:37 2012 +0100 kvmc: Fix out of reference frame reads. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 81d4b3af81b52a79f11705ef02d3f48747047404 Author: Michael Niedermayer Date: Sat Mar 3 03:50:05 2012 +0100 qpeg: fix overreads. qpeg should probably be changed to use the checked bytestream reader. But for now this fixes it and is significantly less work. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 4299dfa5ded84111231a456ad102f65f6f62649e Author: Michael Niedermayer Date: Sat Mar 3 03:37:52 2012 +0100 qpeg: Fix out of array writes. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 1aa708988ac131cf7d5c8bd59aca256a7c974df9 Author: Alex Converse Date: Fri Mar 2 10:13:07 2012 -0800 mpegts: Pad the packet buffer in handle_packet(). This allows it to be used with get_bits without the thread of overreads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit 4df369692ea8aee7094ac0f233cef8d1bee139a3 Author: Alex Converse Date: Fri Mar 2 10:12:11 2012 -0800 mpegts: Do not call read_sl_header() when no bytes remain in the buffer. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit 689f65126be8a55e8a1e706cb56b19bb975c20ce Author: Michael Niedermayer Date: Fri Mar 2 22:09:44 2012 +0100 simple_idct: idct_4col_put: Fix out of array reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 422e3a74b9d783571bec775af64f75e4915c40cc Author: Michael Niedermayer Date: Fri Mar 2 22:04:00 2012 +0100 rawdec: fix input overread. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 9d87374ec0f382c8394ad511243db6980afa42af Author: Ronald S. Bultje Date: Thu Mar 1 15:44:25 2012 -0800 amrwb: remove duplicate arguments from extrapolate_isf(). Prevents warnings because the dst and src overlap (are the same) in the memcpy() inside the function. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit e7b43e8e84e48fccf64cdc62430cb8b5c69e804c Author: Michael Niedermayer Date: Fri Mar 2 21:36:42 2012 +0100 truemotion1: Check input buffer size against header size. Fixes overread. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit a3f5ee297a7cf9bf21646ec4858d614f36248ff7 Author: Michael Niedermayer Date: Fri Mar 2 21:35:58 2012 +0100 mjpeg: Check for interlaced progressive frames Fixes null pointer dereference. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 0af48e29f55a4e5824e6f7157ac94cf8b210aa84 Author: Michael Niedermayer Date: Fri Mar 2 20:53:00 2012 +0100 snow: check reference frame indices. Fixes NULL ptr dereference Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 154b8bb80029e71d562e8936164266300dd35a0e Author: Ronald S. Bultje Date: Thu Mar 1 13:51:21 2012 -0800 amrwb: error out early if mode is invalid. Prevents using the invalid mode as an index in a static array, which would generate invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit 9c239f6026a170866a4a0c96908980ac2cfaa8b3 Author: Ronald S. Bultje Date: Thu Mar 1 17:01:22 2012 -0800 matroska: check buffer size for RM-style byte reordering. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit 349b7977e408f18cff01ab31dfa66c8249b6584a Author: Ronald S. Bultje Date: Thu Mar 1 16:19:51 2012 -0800 wma: fix invalid buffer size assumptions causing random overreads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit 8fdd93eaadc6ea2cbbe16d00d378a45e6c740b31 Author: Michael Niedermayer Date: Fri Mar 2 18:49:39 2012 +0100 huffyuv: pad classic huffman tables so as to avoid bitreader overread. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 64c58f143604223fa02ad4f11b40fb128f72aae5 Author: Michael Niedermayer Date: Fri Mar 2 18:24:21 2012 +0100 vc1: mquant is not allowed to be 0 Fixes out of bounds read. Checked against SMPTE 421M-2006 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 71db86d53b5c6872cea31bf714a1a38ec78feaba Author: Michael Niedermayer Date: Fri Feb 17 13:35:10 2012 -0800 h263dec: Disallow width/height changing with frame threads. Fixes CVE-2011-3937 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 2f6528537fdd88820f3a4683d5e595d7b3a62689 Author: Alex Converse Date: Thu Mar 1 14:07:22 2012 -0800 rv10/20: Fix a buffer overread caused by losing track of the remaining buffer size. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit e93d911e483ffcf3da3dd2cbac2895fa061d2f58 Author: Michael Niedermayer Date: Fri Mar 2 16:52:32 2012 +0100 h263: fix zygo debug printing overreading. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit d964db5742f317ff6c6ed6cf3e168b5b38566069 Author: Michael Niedermayer Date: Fri Mar 2 16:44:49 2012 +0100 wmadec: fix off by 1 error on the pow_tab index check. Fixes global out of array read. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit ec3cd74f2dab8e3e8234ccb994132b23d3098585 Author: Michael Niedermayer Date: Fri Mar 2 15:58:14 2012 +0100 h261: check mtype. Fixes out of array read Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 7a7b1f5c4d4127ff78bed67e786d03560a9cc199 Author: Michael Niedermayer Date: Fri Mar 2 02:32:14 2012 +0100 roqvideodec: improve end of input buffer check This fixes a out of array read. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 75d11b55d7c6f9417c047500171b8aa42b8b8f50 Author: Michael Niedermayer Date: Thu Mar 1 22:19:36 2012 +0100 vc1: avoid reading beyond the last line in vc1_draw_sprites() Fixes overread Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 0ce4fe482c27abfa7eac503a52fdc50b70ccd871 Author: Ronald S. Bultje Date: Thu Mar 1 11:56:05 2012 -0800 h264: error out on invalid bitdepth. Fixes invalid reads while initializing the dequant tables, which uses the bit depth to determine the QP table size. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit dc945b1fa8ae65a18116d2ba362871aeebc573b0 Author: Michael Niedermayer Date: Thu Mar 1 19:56:57 2012 +0100 eatgq: Pass error code from tgq_decode_mb() and let the caller fail. This fixes a over read. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 32f0c658283e2451add02a6ee5c719efa877a34c Author: Michael Niedermayer Date: Thu Mar 1 19:24:24 2012 +0100 vc1: fix out of array reads in vc1_inv_trans_4x4_c() Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 80c702efeb7b4d9edaae52ed5d8dd081a2ccb64b Author: Michael Niedermayer Date: Thu Mar 1 19:18:34 2012 +0100 vc1: fix out of array reads in vc1_inv_trans_4x8_c() Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit af796ba4b827a88912f9a9c59d1a57704a6fff38 Author: Michael Niedermayer Date: Thu Mar 1 19:14:50 2012 +0100 vc1: fix out of array reads in vc1_inv_trans_8x4_c() Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 63c9de6469005974288f4e4d89fc79a590e38c06 Author: Ronald S. Bultje Date: Thu Mar 1 09:41:22 2012 -0800 huffyuv: do not abort on unknown pix_fmt; instead, return an error. 
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit b2a7c017336b19afc045e8a7385999c1896d4b45 Author: Michael Niedermayer Date: Thu Mar 1 16:16:13 2012 +0100 mpc: Fix mpc_CC table and use. This is based on the reference implementation and fixes a global out of array read. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit b84211ac71ebed8ed0d8e3db26557f41f4a21e81 Author: Michael Niedermayer Date: Thu Mar 1 15:55:31 2012 +0100 mpc: Fix mpc_SCF use and content. This fixes a out of global array read. This change is based on the reference mpc imlementation. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit bd17a40a7e0eba21b5d27c67aff795e2910766e4 Author: Ronald S. Bultje Date: Wed Feb 29 17:50:28 2012 -0800 lcl: return negative error codes on decode_init() errors. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org commit fd88a257015f183f5ec3bff393a2f6cf7c117c02 Author: Michael Niedermayer Date: Thu Mar 1 07:06:53 2012 +0100 rv34dsp: avoid use of crop table for idct. Fixes out of array read. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 8263212e8659fed37a9ee77c15599610470b4ac5 Author: Michael Niedermayer Date: Thu Mar 1 05:29:20 2012 +0100 mpegaudiodec: Enable checked bitstream reader. It appears there are corner cases with damaged input that can lead to small overreads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 436f866f92a9483717e376866783346bf8a00e58 Author: Michael Niedermayer Date: Thu Mar 1 05:25:11 2012 +0100 svq3dec: fix overread of the cliping table. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer commit 882abda5a26ffb8e3d1c5852dfa7cdad0a291d2d Author: Vitor Sessak Date: Wed Feb 29 22:09:10 2012 +0100 amrnbdec: check frame size before decoding. 
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org
    Signed-off-by: Ronald S. Bultje

commit 8a9faf33f2b4f40afbc3393b2be49867cea0c92d
Author: Ronald S. Bultje
Date: Wed Feb 29 13:55:09 2012 -0800

    cscd: use negative error values to indicate decode_init() failures.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit d1604b3de96575195b219028e2c4f08b2259aa7d
Author: Ronald S. Bultje
Date: Tue Feb 28 18:48:27 2012 -0800

    h264: prevent overreads in intra PCM decoding.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit d7bce4a274c4fc7453cde2d1c5d8a7a5805718df
Author: Michael Niedermayer
Date: Wed Feb 29 21:14:17 2012 +0100

    dca: dont overread dca_default_coeffs.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 51db9a97e9edde4c80218d194731e187ea7dcba8
Author: Michael Niedermayer
Date: Wed Feb 29 20:47:47 2012 +0100

    dca: Check scale_sum.

    Fixes an out of array read.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit d6bc273bac45d6c28e5ec00103268a6fba16f304
Author: Michael Niedermayer
Date: Wed Feb 29 18:09:51 2012 +0100

    dca: Check LFEScaleIndex.

    It's not clear from the spec what to do with values larger than 127, so I am opting for the safe side and ask for a sample.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 07a180972fb369bb59bf6d4f8edb4598c51e80d2
Author: Ronald S. Bultje
Date: Tue Feb 28 19:00:48 2012 -0800

    vmnc: return error on decode_init() failure.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 78e9852a2e3b198ecd69ffa0deab3fa22a8e5378
Author: Ronald S. Bultje
Date: Tue Feb 28 17:04:33 2012 -0800

    rpza: error out on buffer overreads.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit e54ae60e46f737b8e9a96548971091f7ab6b8f7c
Author: Ronald S. Bultje
Date: Tue Feb 28 19:00:39 2012 -0800

    qtrle: return error on decode_init() failure.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 791de61bbb0d2bceb1037597b310e2a4a94494fd
Author: Ronald S. Bultje
Date: Tue Feb 28 18:21:31 2012 -0800

    swscale: fix another integer overflow.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 6aca18a9a0b570b61d75ef351d3ca6bb104c04db
Author: Michael Niedermayer
Date: Wed Feb 29 06:21:44 2012 +0100

    vmnc: Fail if bpp is not recognized instead of crashing.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit c2500635235d809e0c0ac526a7e13072ab7c8900
Author: Michael Niedermayer
Date: Wed Feb 29 06:20:22 2012 +0100

    get_buffers: Check that pix_fmt is not NONE.

    This is somewhat redundant as no decoder should call get_buffer() with such an argument.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 8534881a389044ec51adabcf979616b4875ac072
Author: Michael Niedermayer
Date: Wed Feb 29 06:10:17 2012 +0100

    alsdec: Check that quantized parcor coeffs are within range.

    ALS spec: 11.6.3.1.1 Quantization and encoding of parcor coefficients
    ... In all cases the resulting quantized values ak are restricted to the range [-64,63].

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 8bc396fc0e8769a056375c1c211f389ce0e3ecc5
Author: Ronald S. Bultje
Date: Thu Feb 23 11:19:33 2012 -0800

    vp56: error out on invalid stream dimensions.

    Prevents crashes when playing corrupt vp5/6 streams.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 51defefa85508219fac594273e85313b41722b5c
Author: Michael Niedermayer
Date: Tue Feb 28 20:08:47 2012 +0100

    cook: avoid out of global array read.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit bb6d5411e1e1a8e0608b1af1c4addee654dcbac5
Author: Ronald S. Bultje
Date: Tue Feb 28 16:13:46 2012 -0800

    asf: don't seek back on EOF.

    Seeking back on EOF will reset the EOF flag, causing us to re-enter the loop to find the next marker in the ASF file, thus potentially causing an infinite loop.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 6e57a02b9f639af53acfa9fc742c1341400818f8
Author: Ronald S. Bultje
Date: Fri Feb 17 12:21:22 2012 -0800

    asf: error out on ridiculously large minpktsize values.

    They cause various issues further down in demuxing.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit f929abd0c3643b28a9552512d698cf61ad4d08fa
Author: Michael Niedermayer
Date: Tue Feb 28 22:53:20 2012 +0100

    adpcm_xa: Check filter validity.

    Fixes out of global array read.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit bbeb29133b55b7256d18f5aaab8b5c8e919a173a
Author: Alex Converse
Date: Tue Feb 28 11:50:22 2012 -0800

    adpcm: Clip step_index values read from the bitstream at the beginning of each frame.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

commit 934cd18a43151ba4b819d9270d539cdb26f6e079
Author: Ronald S. Bultje
Date: Tue Feb 28 11:35:36 2012 -0800

    oma: don't read beyond end of leaf_table.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit fc9bc08dca9ac32526251e19fcf738d23b8c68d1
Author: Ronald S. Bultje
Date: Tue Feb 28 10:22:28 2012 -0800

    Indeo3: fix crashes on corrupt bitstreams.

    Splits at borders of cells are invalid, since it leaves one of the cells with a width/height of zero. Also, propagate errors on buffer allocation failures, so we don't continue decoding (which crashes).

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 4f5d1468f55eb87bce84845c4e62242c791268f5
Author: Michael Niedermayer
Date: Tue Feb 28 18:41:44 2012 +0100

    omadec: Fix wrong number of array elements.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit ddd86a2924b9bc67c406cd66ebb1fc8915cd60f7
Author: Michael Niedermayer
Date: Tue Feb 28 18:41:01 2012 +0100

    ffmpeg: Fix division by 0 due to invalid timebase

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 8b1cd25ca7e64e6128fa2902d78e48bfeeec9786
Author: Michael Niedermayer
Date: Tue Feb 28 07:19:37 2012 +0100

    pmpdec: Check for zero audio packets.

    This fixes a division by 0.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 6c4c27adb61b2881a94ce5c7d97ee1c8adadb5fe
Author: Ronald S. Bultje
Date: Fri Feb 24 16:27:53 2012 -0800

    kgv1: release reference picture on size change.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit cd40c31ee9ad2cca6f3635950b002fd46be07e98
Author: Ronald S. Bultje
Date: Fri Feb 24 16:12:18 2012 -0800

    matroska: don't overwrite string values until read/alloc was successful.

    This prevents certain tags with a default value assigned to them (as per the EBML syntax elements) from ever being assigned a NULL value. Other parts of the code rely on these being non-NULL (i.e. they don't check for NULL before e.g. using the string in strcmp() or similar), and thus in effect this prevents crashes when reading of such specific tags fails, either because of low memory or because of targeted file corruption.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 830f70442a87a31f7c75565e9380e3caf8333b8a
Author: Ronald S. Bultje
Date: Fri Feb 24 14:11:04 2012 -0800

    fraps: release reference buffer on pix_fmt change.

    Prevents crash when trying to copy from a non-existing plane in e.g. an RGB32 reference image to a YUV420P target image.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 33cd32b389864f2437c94e6fd7dc109ff5f0ed06
Author: Ronald S. Bultje
Date: Thu Dec 29 09:07:32 2011 -0800

    kgv1: use avctx->get/release_buffer().

    Also fixes crashes on corrupt bitstreams.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit be129271eac04f91393bf42a490ec631e1a9abea
Author: Ronald S. Bultje
Date: Thu Feb 23 16:09:36 2012 -0800

    lcl: error out if uncompressed input buffer is smaller than framesize.

    This prevents crashes when trying to read beyond the end of the buffer while decoding frame data.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit ab492ca2ab105aeb24d955f3f03756bdb3139ee1
Author: Ronald S. Bultje
Date: Thu Feb 23 12:22:40 2012 -0800

    mjpeg: abort decoding if packet is too large.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 46b3fbc30b7aaf7fdd52391734cfd6d93af8720a
Author: Ronald S. Bultje
Date: Fri Feb 17 12:54:37 2012 -0800

    golomb: use HAVE_BITS_REMAINING() macro to prevent infloop on EOF.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 447363870f2f91e125e07ac2d0820359a5d86b06
Author: Alex Converse
Date: Thu Feb 23 10:47:50 2012 -0800

    tiff: Prevent overreads in the type_sizes array.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 6d11057006b30ee6737a77f712cdd6a8f7e6c3df
Author: Ronald S. Bultje
Date: Thu Feb 23 15:35:24 2012 -0800

    apetag: propagate errors.

    Fixes crashes if reading the tag value fails.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 31632e73f47d25e2077fce729571259ee6354854
Author: Ronald S. Bultje
Date: Thu Feb 23 11:53:27 2012 -0800

    swf: check return values for av_get/new_packet().

    Prevents crashes when using the packet if allocation failed.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 1d8c4af396b6ed84c84b5ebf0bf1163c4a7a3017
Author: Ronald S. Bultje
Date: Wed Feb 22 16:48:38 2012 -0800

    swscale: take first/lastline over/underflows into account for MMX.

    Fixes crashes for extremely large resizes (several 100-fold).

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 491865b57db5fbb3053c221fd6d94b0435cad105
Author: Ronald S. Bultje
Date: Wed Feb 22 16:47:14 2012 -0800

    swscale: fix underflows in firstline calculations for extreme resizes.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 19a65b5be47944c607a9e979edb098924d95f2e4
Author: Ronald S. Bultje
Date: Wed Feb 22 16:46:31 2012 -0800

    swscale: fix overflows in filterPos[] calculation for large sizes.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 2b83e8b7005d531bc78b0fd4f699e9faa54ce9bb
Author: Ronald S. Bultje
Date: Wed Feb 22 12:19:52 2012 -0800

    truemotion2: error out if the huffman tree has no nodes.

    This prevents crashes and errors further down when reading nodes in the empty tree.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit aac07a7a4c2c7a4a29cf6dbc88c1b9fdd191b99d
Author: Ronald S. Bultje
Date: Wed Feb 22 11:33:24 2012 -0800

    rm: prevent infinite loops for index parsing.

    Specifically, prevent jumping back in the file for the next index, since this can lead to infinite loops where we jump between indexes referring to each other, and don't read indexes that don't fit in the file.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 1cd9a6154bc1ac1193c703cea980ed21c3e53792
Author: Alex Converse
Date: Wed Feb 22 11:05:42 2012 -0800

    aac: fix infinite loop on end-of-frame with sequence of 1-bits.

    Based-on-work-by: Ronald S. Bultje
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit e30b3e59a4f3004337cb1623b2aac988ce52b93f
Author: Ronald S. Bultje
Date: Tue Feb 21 10:36:27 2012 -0800

    rmdec: when using INT4 deinterleaving, error out if sub_packet_h <= 1.

    We read sub_packet_h / 2 packets per line of data (during deinterleaving), which equals zero if sub_packet_h <= 1, thus causing us to not read any data, leading to an infinite loop.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit c742ab4e81bb9dcabfdab006d6b8b09a5808c4ce
Author: Ronald S. Bultje
Date: Fri Feb 17 14:18:22 2012 -0800

    vc1parse: call vc1_init_common().

    The parser uses VLC tables initialized in vc1_common_init(), therefore we should call this function on parser init also.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 9d3050d3e95e307ebc34a943484c7add838d1220
Author: Ronald S. Bultje
Date: Fri Feb 17 16:57:00 2012 -0800

    wma: don't return 0 on invalid packets.

    Return 0 means "please return the same data again", i.e. it causes an infinite loop. Instead, return an error.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 41afac7f7a67c634c86b1d17fc930e9183d4aaa0
Author: Ronald S. Bultje
Date: Fri Feb 17 12:21:18 2012 -0800

    asf: prevent packet_size_left from going negative if hdrlen > pktlen.

    This prevents failed assertions further down in the packet processing where we require non-negative values for packet_size_left.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 74699ac8c8b562e9f8d26e21482b89585365774a
Author: Ronald S. Bultje
Date: Fri Feb 17 16:27:36 2012 -0800

    mjpegb: don't return 0 at the end of frame decoding.

    Return 0 indicates "please return the same data again", i.e. it causes an infinite loop. Instead, return that we consumed the buffer if we finished decoding successfully, or return an error if an error occurred.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 32a659c758bf2ddd8ad48f18c06fa77444341286
Author: Ronald S. Bultje
Date: Fri Feb 17 15:51:27 2012 -0800

    aiff: don't skip block_align==0 check on COMM-after-SSND files.

    This prevents SIGFPEs when using block_align for divisions.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit ce7aee9b733134649a6ce2fa743e51733f33e67e
Author: Alex Converse
Date: Fri Feb 17 14:13:40 2012 -0800

    dpcm: ignore extra unpaired bytes in stereo streams.

    Fixes: CVE-2011-3951
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

commit 3e13005cac6e076053276b515f5fcf59a3f4b65d
Author: Ronald S. Bultje
Date: Fri Feb 17 15:20:27 2012 -0800

    mp3on4: require a minimum framesize.

    If bufsize < headersize, init_get_bits() will be called with a negative number, causing it to fail, and any subsequent call to get_bits() will crash because it reads from a NULL pointer.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 84c202cc37024bd78261e4222e46631ea73c48dd
Author: Ronald S. Bultje
Date: Fri Feb 17 15:00:47 2012 -0800

    huffyuv: error out on bit overrun.

    On EOF, get_bits() will continuously return 0, causing an infinite loop.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit af468015d972c0dec5c8c37b2685ffa5cbe4ae87
Author: Ronald S. Bultje
Date: Fri Feb 17 12:28:26 2012 -0800

    als: prevent infinite loop in zero_remaining().

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 941fc1ea1ed7f7d99a8b9e2607b41f2f2820394a
Author: Ronald S. Bultje
Date: Fri Feb 17 12:10:33 2012 -0800

    cook: prevent div-by-zero if channels is zero.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 52e4018be47697a60f4f18f83551766df31f5adf
Author: Ronald S. Bultje
Date: Wed Feb 15 09:52:11 2012 -0800

    flac: fix infinite loops on all-zero input or end-of-stream.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit c6643fddba73560f26f90d327c84d8832222a720
Author: Ronald S. Bultje
Date: Tue Feb 14 11:50:57 2012 -0800

    golomb: avoid infinite loop on all-zero input (or end of buffer).

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit ae591aeea58d64399b8281be31dacec0de85ae04
Author: Ronald S. Bultje
Date: Tue Feb 14 12:40:19 2012 -0800

    vc1: prevent using last_frame as a reference for I/P first frame.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit dae2ce361a2b5fd9be1d43e5e8c00bdbc5f03e3d
Author: Ronald S. Bultje
Date: Sat Feb 11 08:42:28 2012 -0800

    swscale: enforce a minimum filtersize.

    At very small dimensions, this calculation could lead to zero-sized filters, which leads to uninitialized output, zero-sized allocations, loop overflows in SIMD that uses do{..}while(i++

Date: Fri Feb 10 10:51:43 2012 -0800

    tta: error out if samplerate is zero.

    Prevents a division by zero later on.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 9e1db721c4329f4ac166a0bcc002c8d75f831aba
Author: Alex Converse
Date: Thu Feb 9 20:21:47 2012 -0800

    svq3: Prevent illegal reads while parsing extradata.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

commit 45b7bd7c53b41bc5ff6fc2158831f2b1b1256113
Author: Ronald S. Bultje
Date: Thu Feb 9 22:57:01 2012 -0800

    h264: disallow constrained intra prediction modes for luma.

    Conversion of the luma intra prediction mode to one of the constrained ("alzheimer") ones can happen by crafting special bitstreams, causing a crash because we'll call a NULL function pointer for 16x16 block intra prediction, since constrained intra prediction functions are only implemented for chroma (8x8 blocks).

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 29034e65039ef6b1854ceeb76ffe4092992d9fd5
Author: Michael Niedermayer
Date: Tue Feb 7 23:43:10 2012 +0100

    ffmpeg: Add threshold to discard crazy/damaged timestamps.

    The added tests are limited to the case where timestamp discontinuities are not allowed. The default is 30 hours, which is arbitrarily picked and quite conservative. This prevents an out of memory condition due to duplicating a frame millions of times.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 0ab3687924457cb4fd81897bd39ab3cc5b699588
Author: Alex Converse
Date: Thu Feb 9 17:11:55 2012 -0800

    dv: Fix small overread in audio frequency table.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

commit fb90785e98ac405198c0ca9fec133227f6d82826
Author: Ronald S. Bultje
Date: Tue Jan 31 15:17:59 2012 -0800

    vp8: always update next_framep[] before returning from decode_frame().

    Also slightly move around code to not allocate a new frame if we won't decode it. This prevents us from putting undecoded frames in frame pointers, which (in mt decoding) other threads will use and wait on as references, causing a deadlock (if we skipped decoding) or a crash (if we didn't initialize next_framep[] at all).

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

commit 29a20ac4a19df5acc0eef306ca5a737778a31358
Author: Alex Converse
Date: Fri Feb 3 10:43:21 2012 -0800

    movdec: Avoid av_malloc(0) in stss

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

commit 5cd8afee99c83b62e1474f122d947de7e4ad9ff5
Author: Michael Niedermayer
Date: Sun Jan 29 05:04:25 2012 +0100

    diracdec: Check for negative quants which would cause out of array reads.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 006508032057824a371bec4e629b66f8cbb26c47
Author: Michael Niedermayer
Date: Sun Jan 29 04:39:37 2012 +0100

    proresdec: Fix read via negative index in a global array.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 034b03e7a0e8e4f8f66c82b736f2c0aa7c063ec0
Author: Mans Rullgard
Date: Tue Jan 31 10:20:33 2012 -0800

    ac3: Do not read past the end of ff_ac3_band_start_tab.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Alex Converse

commit 2d1c0dea5f6b91bec7f5fa53ec050913d851e366
Author: Alex Converse
Date: Thu Jan 26 15:08:26 2012 -0800

    dv: Fix small stack overread related to CVE-2011-3929 and CVE-2011-3936.

    Found with asan.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Alex Converse

commit 5a396bb3a66a61a68b80f2369d0249729bf85e04
Author: Michael Niedermayer
Date: Tue Jan 24 17:51:40 2012 +0100

    dv: Fix null pointer dereference due to ach=0

    Fixes part2 of CVE-2011-3929

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Reviewed-by: Roman Shaposhnik
    Signed-off-by: Michael Niedermayer
    Signed-off-by: Alex Converse

commit 635bcfccd439480003b74a665b5aa7c872c1ad6b
Author: Michael Niedermayer
Date: Tue Jan 24 17:48:23 2012 +0100

    dv: check stype

    Fixes part1 of CVE-2011-3929
    Possibly fixes part of CVE-2011-3936

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Reviewed-by: Roman Shaposhnik
    Signed-off-by: Michael Niedermayer
    Signed-off-by: Alex Converse

commit 9729f140ae073f1df2041b6c5fd2068592eb9c48
Author: Michael Niedermayer
Date: Sun Jan 29 03:38:58 2012 +0100

    diracdec: Fix integer overflow leading to out of global array read.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Reviewed-by: Paul B Mahol
    Signed-off-by: Michael Niedermayer

commit 48f1e5212c90b511c90fa0449655abb06a9edda2
Author: Alex Converse
Date: Fri Jan 27 14:24:07 2012 -0800

    wmadec: Verify bitstream size makes sense before calling init_get_bits.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

commit dfa37fe8a3d9243dd339d94befa065e2c90b29e6
Author: Alex Converse
Date: Fri Jan 27 15:50:24 2012 -0800

    mpeg12: Pad framerate tab to 16 entries.

    There are many places where we read an unchecked 4-bit index into it.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

commit a02e8df973f5478ec82f4c507f5b5b191a5ecb6b
Author: Michael Niedermayer
Date: Wed Jan 25 23:23:35 2012 +0100

    kgv1dec: Increase offsets array size so it is large enough.

    Fixes CVE-2011-3945

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer
    (cherry picked from commit 807a045ab7f51993a2c1b3116016cbbd4f3d20d6)
    Signed-off-by: Alex Converse

commit 386741f887714d3e46c9e8fe577e326a7964037b
Author: Alex Converse
Date: Thu Jan 26 17:30:49 2012 +0100

    kmvc: Check palsize.

    Fixes: CVE-2011-3952
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Based on fix by Michael Niedermayer

commit c898431ca5ef2a997fe9388b650f658fb60783e5
Author: Alex Converse
Date: Thu Jan 26 17:23:09 2012 -0800

    nsvdec: Propagate errors

    Related to CVE-2011-3940.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

commit 8fd8a48263ff1437f9d02d7e78dc63efb9b5ed3a
Author: Alex Converse
Date: Thu Jan 26 17:21:46 2012 -0800

    nsvdec: Be more careful with av_malloc().

    Check results for av_malloc() and fix an overflow in one call. Related to CVE-2011-3940. Based in part on work from Michael Niedermayer.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

commit 6a89b41d9780325ba6d89a37f2aeb925aa68e6a3
Author: Michael Niedermayer
Date: Tue Jan 24 22:20:26 2012 +0100

    nsvdec: Fix use of uninitialized streams.

    Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write)

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer
    (cherry picked from commit 5c011706bc752d34bc6ada31d7df2ca0c9af7c6b)
    Signed-off-by: Alex Converse

commit b57d262412204e54a7ef8fa1b23ff4dcede622e5
Author: Alex Converse
Date: Wed Jan 25 13:39:24 2012 -0800

    mjpegbdec: Fix overflow in SOS.

    Based in part on a fix from Michael Niedermayer

    Fixes CVE-2011-3947
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

commit a8ae00b68cb9895f4a819950dbc740bc8fc7c1e1
Author: Alex Converse
Date: Wed Jan 25 15:27:11 2012 -0800

    qdm2: Check data block size for bytes to bits overflow.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org
    (cherry picked from commit dac56d9ce01eb9963f28f26b97a81db5cbd46c1c)
    Signed-off-by: Michael Niedermayer

commit 88d84dd8eacd4edfe29f12209f10733d631ca5ae
Author: Michael Niedermayer
Date: Wed Jan 25 04:51:06 2012 +0100

    dv: Fix out of array read

    Fixes part of CVE-2011-3936

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 9decfc17bb76da34734296048d390b176abf404c
Author: Michael Niedermayer
Date: Thu Jan 26 19:31:01 2012 +0100

    h264_sei: Fix infinite loop.

    Fixes not yet fixed parts of CVE-2011-3946.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 9adf25c1cf78dbf1d71bf386c49dc74cb8a60df0
Author: Alex Converse
Date: Wed Jan 25 16:12:42 2012 -0800

    smacker: Sanity check huffman tables found in the headers.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit dac56d9ce01eb9963f28f26b97a81db5cbd46c1c
Author: Alex Converse
Date: Wed Jan 25 15:27:11 2012 -0800

    qdm2: Check data block size for bytes to bits overflow.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 70dba1e3c856e86e1780c0a324abbce034f0c7da
Author: Michael Niedermayer
Date: Thu Jan 26 17:30:49 2012 +0100

    kvmc: Check palsize.

    Fixes: CVE-2011-3952
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 5af569aa30b93f56344ea540936eb671760f568c
Author: Alex Converse
Date: Wed Jan 25 14:34:21 2012 -0800

    matroskadec: Pad AAC extradata.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org
    (cherry picked from commit d2ee8c17793201ce969afd1f433ba1580c143cd2)
    Signed-off-by: Michael Niedermayer

commit 92115bb685914cbfeb02fed26d5acd50dea03d7e
Author: Michael Niedermayer
Date: Thu Jan 26 17:04:51 2012 +0100

    dpcm: Round output buffer size up.

    Fixes: CVE-2011-3951
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit ddf0c1d86ad8e1df5ab3265206aef493a1bdc813
Author: Michael Niedermayer
Date: Thu Jan 26 16:51:01 2012 +0100

    diracdec: Check num_refs.

    Fixes: CVE-2011-3950
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit e2291ea1534d17306f685b8c8abc8585bbed87bf
Author: Michael Niedermayer
Date: Thu Jan 26 15:41:43 2012 +0100

    diracdec: Check dirac_unpack_idwt_params parameters before storing them.

    Fixes CVE-2011-3949
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 01e5e97026cf0b344abafca22b0336a2c58b2a33
Author: Michael Niedermayer
Date: Wed Jan 25 23:55:21 2012 +0100

    mjpegbdec: Fix incorrect bitstream buffer size.

    Fixes CVE-2011-3947
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit d2ee8c17793201ce969afd1f433ba1580c143cd2
Author: Alex Converse
Date: Wed Jan 25 14:34:21 2012 -0800

    matroskadec: Pad AAC extradata.

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 807a045ab7f51993a2c1b3116016cbbd4f3d20d6
Author: Michael Niedermayer
Date: Wed Jan 25 23:23:35 2012 +0100

    kgv1dec: Increase offsets array size so it is large enough.

    Fixes CVE-2011-3945
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 1285baaab550e3e761590ef6dfb1d9bd9d1332e4
Author: Michael Niedermayer
Date: Wed Jan 25 22:28:57 2012 +0100

    smackerdec: Check that the last indexes are within the table.

    Fixes CVE-2011-3944
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit d78bb1a4b2a3a415b68e4e6dd448779eccec64e3
Author: Alex Converse
Date: Tue Jan 24 18:43:43 2012 -0800

    wma: Clip WMA1 and WMA2 frame length to 11 bits.

    The MDCT buffers in the decoder are only sized for up to 11 bits. The reverse engineered documentation for WMA1/2 headers says that for all samplerates above 32kHz 11 bits are used. 12 and 13 bit support were added for WMAPro. I was unable to make any Microsoft tools generate a test file at a samplerate above 48kHz.

    Discovered by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    CC: libav-stable@libav.org

commit 247d30a7dba6684ccce4508424f35fd58465e535
Author: Michael Niedermayer
Date: Wed Jan 25 21:10:29 2012 +0100

    vp3: Copy all 3 frames for thread updates.

    This fixes a double release of the current frame on deinit.

    Fixes CVE-2011-3934
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 5cb57a16ede71d913384a0b3036a2c6df5da5e43
Author: Michael Niedermayer
Date: Tue Jan 24 18:51:40 2012 +0100

    dv: Fix null pointer dereference due to ach=0

    Fixes part2 of CVE-2011-3929

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Reviewed-by: Roman Shaposhnik
    Signed-off-by: Michael Niedermayer

commit f9de136b17bc72ff02f39c6a53756d72bbc4bd15
Author: Michael Niedermayer
Date: Tue Jan 24 18:48:23 2012 +0100

    dv: check stype

    Fixes part1 of CVE-2011-3929
    Possibly fixes part of CVE-2011-3936

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Reviewed-by: Roman Shaposhnik
    Signed-off-by: Michael Niedermayer

commit 668494acd8b20f974c7722895d4a6a14c1005f1e
Author: Michael Niedermayer
Date: Wed Jan 25 06:32:05 2012 +0100

    ffmpeg: add image size check to codec_get_buffer()

    Fixes CVE-2011-3935
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 59e95fa4a8844d2abe7ddd7b8d269ea8d8eea17d
Author: Michael Niedermayer
Date: Wed Jan 25 01:30:43 2012 +0100

    h263dec: Disallow width/height changing with frame threads.

    Fixes CVE-2011-3937
    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit 5c011706bc752d34bc6ada31d7df2ca0c9af7c6b
Author: Michael Niedermayer
Date: Tue Jan 24 22:20:26 2012 +0100

    nsvdec: Fix use of uninitialized streams.

    Fixes CVE-2011-3940 (Out of bounds read resulting in out of bounds write)

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer

commit c77be3a35a0160d6af88056b0899f120f2eef38e
Author: Michael Niedermayer
Date: Tue Jan 24 20:54:27 2012 +0100

    error concealment: initialize block index.

    Fixes CVE-2011-3941 (out of bounds write)

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer