Merge remote-tracking branch 'qatar/master'

* qatar/master: (29 commits)
  amrwb: remove duplicate arguments from extrapolate_isf().
  amrwb: error out early if mode is invalid.
  h264: change underread for 10bit QPEL to overread.
  matroska: check buffer size for RM-style byte reordering.
  vp8: disable mmx functions with sse/sse2 counterparts on x86-64.
  vp8: change int stride to ptrdiff_t stride.
  wma: fix invalid buffer size assumptions causing random overreads.
  Windows Media Audio Lossless decoder
  rv10/20: Fix slice overflow with checked bitstream reader.
  h263dec: Disallow width/height changing with frame threads.
  rv10/20: Fix a buffer overread caused by losing track of the remaining buffer size.
  rmdec: Honor .RMF tag size rather than assuming 18.
  g722: Fix the QMF scaling
  r3d: don't set codec timebase.
  electronicarts: set timebase for tgv video.
  electronicarts: parse the framerate for cmv video.
  ogg: don't set codec timebase
  electronicarts: don't set codec timebase
  avs: don't set codec timebase
  wavpack: Fix an integer overflow
  ...

Conflicts:
	libavcodec/arm/vp8dsp_init_arm.c
	libavcodec/fraps.c
	libavcodec/h264.c
	libavcodec/mpeg4videodec.c
	libavcodec/mpegvideo.c
	libavcodec/msmpeg4.c
	libavcodec/pnmdec.c
	libavcodec/qpeg.c
	libavcodec/rawenc.c
	libavcodec/ulti.c
	libavcodec/vcr1.c
	libavcodec/version.h
	libavcodec/wmalosslessdec.c
	libavformat/electronicarts.c
	libswscale/ppc/yuv2rgb_altivec.c
	tests/ref/acodec/g722
	tests/ref/fate/ea-cmv

Merged-by: Michael Niedermayer <michaelni@gmx.at>

1 files changed, 19 insertions, 3 deletions

diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
index 690eac6499..882660e668 100644
--- a/libavformat/matroskadec.c
+++ b/libavformat/matroskadec.c
@@ -1921,15 +1921,31 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
                 if (!track->audio.pkt_cnt) {
                     if (track->audio.sub_packet_cnt == 0)
                         track->audio.buf_timecode = timecode;
-                    if (st->codec->codec_id == CODEC_ID_RA_288)
+                    if (st->codec->codec_id == CODEC_ID_RA_288) {
+                        if (size < cfs * h / 2) {
+                            av_log(matroska->ctx, AV_LOG_ERROR,
+                                   "Corrupt int4 RM-style audio packet size\n");
+                            return AVERROR_INVALIDDATA;
+                        }
                         for (x=0; x<h/2; x++)
                             memcpy(track->audio.buf+x*2*w+y*cfs,
                                    data+x*cfs, cfs);
-                    else if (st->codec->codec_id == CODEC_ID_SIPR)
+                    } else if (st->codec->codec_id == CODEC_ID_SIPR) {
+                        if (size < w) {
+                            av_log(matroska->ctx, AV_LOG_ERROR,
+                                   "Corrupt sipr RM-style audio packet size\n");
+                            return AVERROR_INVALIDDATA;
+                        }
                         memcpy(track->audio.buf + y*w, data, w);
-                    else
+                    } else {
+                        if (size < sps * w / sps) {
+                            av_log(matroska->ctx, AV_LOG_ERROR,
+                                   "Corrupt generic RM-style audio packet size\n");
+                            return AVERROR_INVALIDDATA;
+                        }
                         for (x=0; x<w/sps; x++)
                             memcpy(track->audio.buf+sps*(h*x+((h+1)/2)*(y&1)+(y>>1)), data+x*sps, sps);
+                    }
 
                     if (++track->audio.sub_packet_cnt >= h) {
                         if (st->codec->codec_id == CODEC_ID_SIPR)