--- /dev/null
+gst-ffmpeg: aacdec: check channel count
+
+Prevent out of array accesses
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit 96f452ac647dae33c53c242ef3266b65a9beafb6)
+
+Upstream-Status: Backport
+
+Signed-off-by: Yue Tao <yue.tao@windriver.com>
+---
+ libavcodec/aacdec.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
+index 239153a..6c17c33 100644
+--- a/gst-libs/ext/libav/libavcodec/aacdec.c
++++ b/gst-libs/ext/libav/libavcodec/aacdec.c
+@@ -914,6 +914,11 @@ static av_cold int aac_decode_init(AVCodecContext *avctx)
+ }
+ }
+
++ if (avctx->channels > MAX_CHANNELS) {
++ av_log(avctx, AV_LOG_ERROR, "Too many channels\n");
++ return AVERROR_INVALIDDATA;
++ }
++
+ AAC_INIT_VLC_STATIC( 0, 304);
+ AAC_INIT_VLC_STATIC( 1, 270);
+ AAC_INIT_VLC_STATIC( 2, 550);
+--
+1.7.5.4
+
--- /dev/null
+From a99aff4e4bbef8e64b51f267cd1769214e1b4e80 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni@gmx.at>
+Date: Fri, 30 Aug 2013 23:40:47 +0200
+Subject: [PATCH] avcodec/dsputil: fix signedness in sizeof() comparissions
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit 454a11a1c9c686c78aa97954306fb63453299760)
+
+Upstream-Status: Backport
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/dsputil.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/dsputil.c b/libavcodec/dsputil.c
+index 53dc2eb..6264832 100644
+--- a/gst-libs/ext/libav/libavcodec/dsputil.c
++++ b/gst-libs/ext/libav/libavcodec/dsputil.c
+@@ -1912,7 +1912,7 @@ void ff_set_cmp(DSPContext* c, me_cmp_func *cmp, int type){
+
+ static void add_bytes_c(uint8_t *dst, uint8_t *src, int w){
+ long i;
+- for(i=0; i<=w-sizeof(long); i+=sizeof(long)){
++ for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){
+ long a = *(long*)(src+i);
+ long b = *(long*)(dst+i);
+ *(long*)(dst+i) = ((a&pb_7f) + (b&pb_7f)) ^ ((a^b)&pb_80);
+@@ -1937,7 +1937,7 @@ static void diff_bytes_c(uint8_t *dst, uint8_t *src1, uint8_t *src2, int w){
+ }
+ }else
+ #endif
+- for(i=0; i<=w-sizeof(long); i+=sizeof(long)){
++ for(i=0; i<=w-(int)sizeof(long); i+=sizeof(long)){
+ long a = *(long*)(src1+i);
+ long b = *(long*)(src2+i);
+ *(long*)(dst+i) = ((a|pb_80) - (b&pb_7f)) ^ ((a^b^pb_80)&pb_80);
+--
+1.7.5.4
+
--- /dev/null
+gst-ffmpeg: avcodec/parser: reset indexes on realloc failure
+
+Fixes Ticket2982
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit f31011e9abfb2ae75bb32bc44e2c34194c8dc40a)
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+
+Upstream-Status: Backport
+
+Signed-off-by: Yue Tao <yue.tao@windriver.com>
+
+---
+ libavcodec/parser.c | 10 +++++++---
+ 1 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/libavcodec/parser.c b/libavcodec/parser.c
+index 2c6de6e..66eca06 100644
+--- a/gst-libs/ext/libav/libavcodec/parser.c
++++ b/gst-libs/ext/libav/libavcodec/parser.c
+@@ -241,8 +241,10 @@ int ff_combine_frame(ParseContext *pc, int next, const uint8_t **buf, int *buf_s
+ if(next == END_NOT_FOUND){
+ void* new_buffer = av_fast_realloc(pc->buffer, &pc->buffer_size, (*buf_size) + pc->index + FF_INPUT_BUFFER_PADDING_SIZE);
+
+- if(!new_buffer)
++ if(!new_buffer) {
++ pc->index = 0;
+ return AVERROR(ENOMEM);
++ }
+ pc->buffer = new_buffer;
+ memcpy(&pc->buffer[pc->index], *buf, *buf_size);
+ pc->index += *buf_size;
+@@ -255,9 +257,11 @@ int ff_combine_frame(ParseContext *pc, int next, const uint8_t **buf, int *buf_s
+ /* append to buffer */
+ if(pc->index){
+ void* new_buffer = av_fast_realloc(pc->buffer, &pc->buffer_size, next + pc->index + FF_INPUT_BUFFER_PADDING_SIZE);
+-
+- if(!new_buffer)
++ if(!new_buffer) {
++ pc->overread_index =
++ pc->index = 0;
+ return AVERROR(ENOMEM);
++ }
+ pc->buffer = new_buffer;
+ if (next > -FF_INPUT_BUFFER_PADDING_SIZE)
+ memcpy(&pc->buffer[pc->index], *buf,
+--
+1.7.5.4
+
--- /dev/null
+gst-ffmpeg: avcodec/rpza: Perform pointer advance and checks before
+ using the pointers
+
+Fixes out of array accesses
+Fixes Ticket2850
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit 3819db745da2ac7fb3faacb116788c32f4753f34)
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+
+Upstream-Status: Backport
+
+Singed-off-by: Yue Tao <yue.tao@windriver.com>
+
+---
+ libavcodec/rpza.c | 8 ++++----
+ 1 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c
+index 635b406..f291a95 100644
+--- a/gst-libs/ext/libav/libavcodec/rpza.c
++++ b/gst-libs/ext/libav/libavcodec/rpza.c
+@@ -83,7 +83,7 @@ static void rpza_decode_stream(RpzaContext *s)
+ unsigned short *pixels = (unsigned short *)s->frame.data[0];
+
+ int row_ptr = 0;
+- int pixel_ptr = 0;
++ int pixel_ptr = -4;
+ int block_ptr;
+ int pixel_x, pixel_y;
+ int total_blocks;
+@@ -139,6 +139,7 @@ static void rpza_decode_stream(RpzaContext *s)
+ colorA = AV_RB16 (&s->buf[stream_ptr]);
+ stream_ptr += 2;
+ while (n_blocks--) {
++ ADVANCE_BLOCK()
+ block_ptr = row_ptr + pixel_ptr;
+ for (pixel_y = 0; pixel_y < 4; pixel_y++) {
+ for (pixel_x = 0; pixel_x < 4; pixel_x++){
+@@ -147,7 +148,6 @@ static void rpza_decode_stream(RpzaContext *s)
+ }
+ block_ptr += row_inc;
+ }
+- ADVANCE_BLOCK();
+ }
+ break;
+
+@@ -184,6 +184,7 @@ static void rpza_decode_stream(RpzaContext *s)
+ color4[2] |= ((21 * ta + 11 * tb) >> 5);
+
+ while (n_blocks--) {
++ ADVANCE_BLOCK();
+ block_ptr = row_ptr + pixel_ptr;
+ for (pixel_y = 0; pixel_y < 4; pixel_y++) {
+ index = s->buf[stream_ptr++];
+@@ -194,12 +195,12 @@ static void rpza_decode_stream(RpzaContext *s)
+ }
+ block_ptr += row_inc;
+ }
+- ADVANCE_BLOCK();
+ }
+ break;
+
+ /* Fill block with 16 colors */
+ case 0x00:
++ ADVANCE_BLOCK();
+ block_ptr = row_ptr + pixel_ptr;
+ for (pixel_y = 0; pixel_y < 4; pixel_y++) {
+ for (pixel_x = 0; pixel_x < 4; pixel_x++){
+@@ -213,7 +214,6 @@ static void rpza_decode_stream(RpzaContext *s)
+ }
+ block_ptr += row_inc;
+ }
+- ADVANCE_BLOCK();
+ break;
+
+ /* Unknown opcode */
+--
+1.7.5.4
+
--- /dev/null
+gst-ffmpeg: error concealment: initialize block index.
+
+Fixes CVE-2011-3941 (out of bounds write)
+
+Upstream-Status: Backport
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/error_resilience.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c
+index 8bb5d0c..d55c000 100644
+--- a/gst-libs/ext/libav/libavcodec/error_resilience.c
++++ b/gst-libs/ext/libav/libavcodec/error_resilience.c
+@@ -45,6 +45,9 @@ static void decode_mb(MpegEncContext *s, int ref){
+ s->dest[1] = s->current_picture.data[1] + (s->mb_y * (16>>s->chroma_y_shift) * s->uvlinesize) + s->mb_x * (16>>s->chroma_x_shift);
+ s->dest[2] = s->current_picture.data[2] + (s->mb_y * (16>>s->chroma_y_shift) * s->uvlinesize) + s->mb_x * (16>>s->chroma_x_shift);
+
++ ff_init_block_index(s);
++ ff_update_block_index(s);
++
+ if(CONFIG_H264_DECODER && s->codec_id == CODEC_ID_H264){
+ H264Context *h= (void*)s;
+ h->mb_xy= s->mb_x + s->mb_y*s->mb_stride;
+--
+1.7.5.4
+
--- /dev/null
+gst-ffmpeg: error_concealment: Check that the picture is not in a half
+
+Fixes state becoming inconsistent
+Fixes a null pointer dereference
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit 23318a57358358e7a4dc551e830e4503f0638cfe)
+
+Upstream-Status: Backport
+
+Signed-off-by: Yue Tao <yue.tao@windriver.com>
+
+---
+ libavcodec/error_resilience.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c
+index 01f7424..2b6bc42 100644
+--- a/gst-libs/ext/libav/libavcodec/error_resilience.c
++++ b/gst-libs/ext/libav/libavcodec/error_resilience.c
+@@ -793,6 +793,12 @@ void ff_er_frame_end(MpegEncContext *s){
+ s->picture_structure != PICT_FRAME || // we dont support ER of field pictures yet, though it should not crash if enabled
+ s->error_count==3*s->mb_width*(s->avctx->skip_top + s->avctx->skip_bottom)) return;
+
++ if ( s->picture_structure == PICT_FRAME
++ && s->current_picture.linesize[0] != s->current_picture_ptr->linesize[0]) {
++ av_log(s->avctx, AV_LOG_ERROR, "Error concealment not possible, frame not fully initialized\n");
++ return;
++ }
++
+ if(s->current_picture.motion_val[0] == NULL){
+ av_log(s->avctx, AV_LOG_ERROR, "Warning MVs not available\n");
+
+--
+1.7.5.4
+
--- /dev/null
+gst-ffmpeg: ffserver: set oformat
+
+Fix Ticket1986
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+(cherry picked from commit cbe43e62c9ac7d4aefdc13476f6f691bd626525f)
+
+Upstream-Status: Backport
+
+---
+ ffserver.c | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+diff --git a/ffserver.c b/ffserver.c
+index 4044d0f..8740140 100644
+--- a/gst-libs/ext/libav/ffserver.c
++++ b/gst-libs/ext/libav/ffserver.c
+@@ -2937,12 +2937,14 @@ static int prepare_sdp_description(FFStream *stream, uint8_t **pbuffer,
+ {
+ AVFormatContext *avc;
+ AVStream *avs = NULL;
++ AVOutputFormat *rtp_format = av_guess_format("rtp", NULL, NULL);
+ int i;
+
+ avc = avformat_alloc_context();
+- if (avc == NULL) {
++ if (avc == NULL || !rtp_format) {
+ return -1;
+ }
++ avc->oformat = rtp_format;
+ av_dict_set(&avc->metadata, "title",
+ stream->title[0] ? stream->title : "No Title", 0);
+ avc->nb_streams = stream->nb_streams;
+--
+1.7.5.4
+
--- /dev/null
+gst-ffmpeg: h264_sei: Fix infinite loop.
+
+Fixsot yet fixed parts of CVE-2011-3946.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+
+Upstream-Status: Backport
+
+Signed-off-by: Yue Tao <yue.tao@windriver.com>
+
+---
+ libavcodec/h264_sei.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+
+diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c
+index 374e53d..80d70e5 100644
+--- a/gst-libs/ext/libav/libavcodec/h264_sei.c
++++ b/gst-libs/ext/libav/libavcodec/h264_sei.c
+@@ -169,11 +169,15 @@ int ff_h264_decode_sei(H264Context *h){
+
+ type=0;
+ do{
++ if (get_bits_left(&s->gb) < 8)
++ return -1;
+ type+= show_bits(&s->gb, 8);
+ }while(get_bits(&s->gb, 8) == 255);
+
+ size=0;
+ do{
++ if (get_bits_left(&s->gb) < 8)
++ return -1;
+ size+= show_bits(&s->gb, 8);
+ }while(get_bits(&s->gb, 8) == 255);
+
+--
+1.7.5.4
+
--- /dev/null
+gst-ffmpeg: huffyuvdec: check width more completely, avoid out of array
+ accesses
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+
+Upstream-Status: Backport
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/huffyuv.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c
+index 6e88114..ca5bcd8 100644
+--- a/gst-libs/ext/libav/libavcodec/huffyuv.c
++++ b/gst-libs/ext/libav/libavcodec/huffyuv.c
+@@ -526,6 +526,10 @@ s->bgr32=1;
+ assert(0);
+ }
+
++ if (s->predictor == MEDIAN && avctx->pix_fmt == AV_PIX_FMT_YUV422P && avctx->width%4) {
++ av_log(avctx, AV_LOG_ERROR, "width must be a multiple of 4 this colorspace and predictor\n");
++ return AVERROR_INVALIDDATA;
++ }
+ alloc_temp(s);
+
+ // av_log(NULL, AV_LOG_DEBUG, "pred:%d bpp:%d hbpp:%d il:%d\n", s->predictor, s->bitstream_bpp, avctx->bits_per_coded_sample, s->interlaced);
+--
+1.7.5.4
+
--- /dev/null
+gst-ffmpeg: lavf: compute probe buffer size more reliably.
+
+The previous code computes the offset by reversing the growth
+of the allocated buffer size: it is complex and did lead to
+inconsistencies when the size limit is reached.
+
+Fix trac ticket #1991.
+(cherry picked from commit 03847eb8259291b4ff1bd840bd779d0699d71f96)
+
+Conflicts:
+ libavformat/utils.c
+
+Upstream-Status: Backport
+
+Signed-off-by: Yue Tao <yue.tao@windriver.com>
+
+---
+ libavformat/utils.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libavformat/utils.c b/libavformat/utils.c
+index 7940037..be73c4a 100644
+--- a/gst-libs/ext/libav/libavformat/utils.c
++++ b/gst-libs/ext/libav/libavformat/utils.c
+@@ -459,7 +459,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
+ {
+ AVProbeData pd = { filename ? filename : "", NULL, -offset };
+ unsigned char *buf = NULL;
+- int ret = 0, probe_size;
++ int ret = 0, probe_size, buf_offset = 0;
+
+ if (!max_probe_size) {
+ max_probe_size = PROBE_BUF_MAX;
+@@ -499,7 +499,7 @@ int av_probe_input_buffer(AVIOContext *pb, AVInputFormat **fmt,
+ score = 0;
+ ret = 0; /* error was end of file, nothing read */
+ }
+- pd.buf_size += ret;
++ pd.buf_size = buf_offset += ret;
+ pd.buf = &buf[offset];
+
+ memset(pd.buf + pd.buf_size, 0, AVPROBE_PADDING_SIZE);
+--
+1.7.5.4
+
--- /dev/null
+gst-ffmpeg: pngdec/filter: dont access out of array elements at the end
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+
+Upstream-Status: Backport
+
+Signed-off-by: Yue Tao <yue.tao@windriver.com>
+---
+ libavcodec/pngdec.c | 12 ++++--------
+ 1 files changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
+index 97c0ad1..193e35e 100644
+--- a/gst-libs/ext/libav/libavcodec/pngdec.c
++++ b/gst-libs/ext/libav/libavcodec/pngdec.c
+@@ -190,7 +190,7 @@ void ff_add_png_paeth_prediction(uint8_t *dst, uint8_t *src, uint8_t *top, int w
+ if(bpp >= 2) g = dst[1];\
+ if(bpp >= 3) b = dst[2];\
+ if(bpp >= 4) a = dst[3];\
+- for(; i < size; i+=bpp) {\
++ for(; i <= size - bpp; i+=bpp) {\
+ dst[i+0] = r = op(r, src[i+0], last[i+0]);\
+ if(bpp == 1) continue;\
+ dst[i+1] = g = op(g, src[i+1], last[i+1]);\
+@@ -206,13 +206,9 @@ void ff_add_png_paeth_prediction(uint8_t *dst, uint8_t *src, uint8_t *top, int w
+ else if(bpp == 2) UNROLL1(2, op)\
+ else if(bpp == 3) UNROLL1(3, op)\
+ else if(bpp == 4) UNROLL1(4, op)\
+- else {\
+- for (; i < size; i += bpp) {\
+- int j;\
+- for (j = 0; j < bpp; j++)\
+- dst[i+j] = op(dst[i+j-bpp], src[i+j], last[i+j]);\
+- }\
+- }
++ for (; i < size; i++) {\
++ dst[i] = op(dst[i-bpp], src[i], last[i]);\
++ }\
+
+ /* NOTE: 'dst' can be equal to 'last' */
+ static void png_filter_row(PNGDSPContext *dsp, uint8_t *dst, int filter_type,
+--
+1.7.5.4
+
--- /dev/null
+gst-ffmpeg: qdm2: check array index before use, fix out of array
+ accesses
+
+Upstream-Status: Backport
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/qdm2.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
+index 4cf4b2f..1dfb8d5 100644
+--- a/gst-libs/ext/libav/libavcodec/qdm2.c
++++ b/gst-libs/ext/libav/libavcodec/qdm2.c
+@@ -1257,6 +1257,11 @@ static void qdm2_decode_super_block (QDM2Context *q)
+ for (i = 0; packet_bytes > 0; i++) {
+ int j;
+
++ if (i>=FF_ARRAY_ELEMS(q->sub_packet_list_A)) {
++ SAMPLES_NEEDED_2("too many packet bytes");
++ return;
++ }
++
+ q->sub_packet_list_A[i].next = NULL;
+
+ if (i > 0) {
+--
+1.7.5.4
+
--- /dev/null
+gst-ffmpeg: qdm2dec: fix buffer overflow. Fixes NGS00144
+
+This also adds a few lines of code from master that are needed for this fix.
+
+Thanks to Phillip for suggestions to improve the patch.
+Found-by: Phillip Langlois
+
+Upstream-Status: Backport
+
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/qdm2.c | 9 +++++++--
+ 1 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
+index 3aa9e5b..e000df8 100644
+--- a/gst-libs/ext/libav/libavcodec/qdm2.c
++++ b/gst-libs/ext/libav/libavcodec/qdm2.c
+@@ -76,6 +76,7 @@ do { \
+ #define SAMPLES_NEEDED_2(why) \
+ av_log (NULL,AV_LOG_INFO,"This file triggers some missing code. Please contact the developers.\nPosition: %s\n",why);
+
++#define QDM2_MAX_FRAME_SIZE 512
+
+ typedef int8_t sb_int8_array[2][30][64];
+
+@@ -168,7 +169,7 @@ typedef struct {
+ /// I/O data
+ const uint8_t *compressed_data;
+ int compressed_size;
+- float output_buffer[1024];
++ float output_buffer[QDM2_MAX_FRAME_SIZE * MPA_MAX_CHANNELS * 2];
+
+ /// Synthesis filter
+ MPADSPContext mpadsp;
+@@ -1819,6 +1820,9 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx)
+ s->group_order = av_log2(s->group_size) + 1;
+ s->frame_size = s->group_size / 16; // 16 iterations per super block
+
++ if (s->frame_size > QDM2_MAX_FRAME_SIZE)
++ return AVERROR_INVALIDDATA;
++
+ s->sub_sampling = s->fft_order - 7;
+ s->frequency_range = 255 / (1 << (2 - s->sub_sampling));
+
+@@ -1887,6 +1891,9 @@ static int qdm2_decode (QDM2Context *q, const uint8_t *in, int16_t *out)
+ int ch, i;
+ const int frame_size = (q->frame_size * q->channels);
+
++ if((unsigned)frame_size > FF_ARRAY_ELEMS(q->output_buffer)/2)
++ return -1;
++
+ /* select input buffer */
+ q->compressed_data = in;
+ q->compressed_size = q->checksum_size;
+--
+1.7.5.4
+
--- /dev/null
+gst-ffmpeg: smackerdec: Check that the last indexes are within the
+ table.
+
+Fixes CVE-2011-3944
+
+Upstream-Status: Backport
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+---
+ libavcodec/smacker.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
+index 30f99b4..2a8bae8 100644
+--- a/gst-libs/ext/libav/libavcodec/smacker.c
++++ b/gst-libs/ext/libav/libavcodec/smacker.c
+@@ -259,6 +259,11 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int
+ if(ctx.last[0] == -1) ctx.last[0] = huff.current++;
+ if(ctx.last[1] == -1) ctx.last[1] = huff.current++;
+ if(ctx.last[2] == -1) ctx.last[2] = huff.current++;
++ if(huff.current > huff.length){
++ ctx.last[0] = ctx.last[1] = ctx.last[2] = 1;
++ av_log(smk->avctx, AV_LOG_ERROR, "bigtree damaged\n");
++ return -1;
++ }
+
+ *recodes = huff.values;
+
+--
+1.7.5.4
+
--- /dev/null
+gst-ffmpeg: vp3: Copy all 3 frames for thread updates.
+
+This fixes a double release of the current frame on deinit.
+Fixes CVE-2011-3934
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
+
+Upstream-Status: Backport
+
+Signed-off-by: Yue.Tao <yue.tao@windriver.com>
+
+---
+ libavcodec/vp3.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
+index 738ae9f..b5daafc 100644
+--- a/gst-libs/ext/libav/libavcodec/vp3.c
++++ b/gst-libs/ext/libav/libavcodec/vp3.c
+@@ -1859,7 +1859,7 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext *
+ ||s->width != s1->width
+ ||s->height!= s1->height) {
+ if (s != s1)
+- copy_fields(s, s1, golden_frame, current_frame);
++ copy_fields(s, s1, golden_frame, keyframe);
+ return -1;
+ }
+
+--
+1.7.5.4
+
--- /dev/null
+gst-ffmpeg: vp3: fix oob read for negative tokens and memleaks on error.
+
+Upstream-Status: Backport
+
+Signed-off-by: Yue.Tao <yue.tao@windriver.com>
+
+---
+ libavcodec/vp3.c | 59 +++++++++++++++++++++++++++++++++++++++++------------
+ 1 files changed, 45 insertions(+), 14 deletions(-)
+
+diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
+index 36715bb..ce14e63 100644
+--- a/gst-libs/ext/libav/libavcodec/vp3.c
++++ b/gst-libs/ext/libav/libavcodec/vp3.c
+@@ -45,6 +45,7 @@
+ #define FRAGMENT_PIXELS 8
+
+ static av_cold int vp3_decode_end(AVCodecContext *avctx);
++static void vp3_decode_flush(AVCodecContext *avctx);
+
+ //FIXME split things out into their own arrays
+ typedef struct Vp3Fragment {
+@@ -890,7 +891,7 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
+ /* decode a VLC into a token */
+ token = get_vlc2(gb, vlc_table, 11, 3);
+ /* use the token to get a zero run, a coefficient, and an eob run */
+- if (token <= 6) {
++ if ((unsigned) token <= 6U) {
+ eob_run = eob_run_base[token];
+ if (eob_run_get_bits[token])
+ eob_run += get_bits(gb, eob_run_get_bits[token]);
+@@ -908,7 +909,7 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
+ coeff_i += eob_run;
+ eob_run = 0;
+ }
+- } else {
++ } else if (token >= 0) {
+ bits_to_get = coeff_get_bits[token];
+ if (bits_to_get)
+ bits_to_get = get_bits(gb, bits_to_get);
+@@ -942,6 +943,10 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
+ for (i = coeff_index+1; i <= coeff_index+zero_run; i++)
+ s->num_coded_frags[plane][i]--;
+ coeff_i++;
++ } else {
++ av_log(s->avctx, AV_LOG_ERROR,
++ "Invalid token %d\n", token);
++ return -1;
+ }
+ }
+
+@@ -991,6 +996,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
+ /* unpack the Y plane DC coefficients */
+ residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_y_table], 0,
+ 0, residual_eob_run);
++ if (residual_eob_run < 0)
++ return residual_eob_run;
+
+ /* reverse prediction of the Y-plane DC coefficients */
+ reverse_dc_prediction(s, 0, s->fragment_width[0], s->fragment_height[0]);
+@@ -998,8 +1005,12 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
+ /* unpack the C plane DC coefficients */
+ residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0,
+ 1, residual_eob_run);
++ if (residual_eob_run < 0)
++ return residual_eob_run;
+ residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0,
+ 2, residual_eob_run);
++ if (residual_eob_run < 0)
++ return residual_eob_run;
+
+ /* reverse prediction of the C-plane DC coefficients */
+ if (!(s->avctx->flags & CODEC_FLAG_GRAY))
+@@ -1036,11 +1047,17 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
+ for (i = 1; i <= 63; i++) {
+ residual_eob_run = unpack_vlcs(s, gb, y_tables[i], i,
+ 0, residual_eob_run);
++ if (residual_eob_run < 0)
++ return residual_eob_run;
+
+ residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i,
+ 1, residual_eob_run);
++ if (residual_eob_run < 0)
++ return residual_eob_run;
+ residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i,
+ 2, residual_eob_run);
++ if (residual_eob_run < 0)
++ return residual_eob_run;
+ }
+
+ return 0;
+@@ -1777,10 +1794,15 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext *
+ Vp3DecodeContext *s = dst->priv_data, *s1 = src->priv_data;
+ int qps_changed = 0, i, err;
+
++#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field)
++
+ if (!s1->current_frame.data[0]
+ ||s->width != s1->width
+- ||s->height!= s1->height)
++ ||s->height!= s1->height) {
++ if (s != s1)
++ copy_fields(s, s1, golden_frame, current_frame);
+ return -1;
++ }
+
+ if (s != s1) {
+ // init tables if the first frame hasn't been decoded
+@@ -1796,8 +1818,6 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext *
+ memcpy(s->motion_val[1], s1->motion_val[1], c_fragment_count * sizeof(*s->motion_val[1]));
+ }
+
+-#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field)
+-
+ // copy previous frame data
+ copy_fields(s, s1, golden_frame, dsp);
+
+@@ -1987,9 +2007,6 @@ static av_cold int vp3_decode_end(AVCodecContext *avctx)
+ Vp3DecodeContext *s = avctx->priv_data;
+ int i;
+
+- if (avctx->is_copy && !s->current_frame.data[0])
+- return 0;
+-
+ av_free(s->superblock_coding);
+ av_free(s->all_fragments);
+ av_free(s->coded_fragment_list[0]);
+@@ -2016,12 +2033,7 @@ static av_cold int vp3_decode_end(AVCodecContext *avctx)
+ free_vlc(&s->motion_vector_vlc);
+
+ /* release all frames */
+- if (s->golden_frame.data[0])
+- ff_thread_release_buffer(avctx, &s->golden_frame);
+- if (s->last_frame.data[0] && s->last_frame.type != FF_BUFFER_TYPE_COPY)
+- ff_thread_release_buffer(avctx, &s->last_frame);
+- /* no need to release the current_frame since it will always be pointing
+- * to the same frame as either the golden or last frame */
++ vp3_decode_flush(avctx);
+
+ return 0;
+ }
+@@ -2341,6 +2353,23 @@ static void vp3_decode_flush(AVCodecContext *avctx)
+ ff_thread_release_buffer(avctx, &s->current_frame);
+ }
+
++static int vp3_init_thread_copy(AVCodecContext *avctx)
++{
++ Vp3DecodeContext *s = avctx->priv_data;
++
++ s->superblock_coding = NULL;
++ s->all_fragments = NULL;
++ s->coded_fragment_list[0] = NULL;
++ s->dct_tokens_base = NULL;
++ s->superblock_fragments = NULL;
++ s->macroblock_coding = NULL;
++ s->motion_val[0] = NULL;
++ s->motion_val[1] = NULL;
++ s->edge_emu_buffer = NULL;
++
++ return 0;
++}
++
+ AVCodec ff_theora_decoder = {
+ .name = "theora",
+ .type = AVMEDIA_TYPE_VIDEO,
+@@ -2352,6 +2381,7 @@ AVCodec ff_theora_decoder = {
+ .capabilities = CODEC_CAP_DR1 | CODEC_CAP_DRAW_HORIZ_BAND | CODEC_CAP_FRAME_THREADS,
+ .flush = vp3_decode_flush,
+ .long_name = NULL_IF_CONFIG_SMALL("Theora"),
++ .init_thread_copy = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy),
+ .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context)
+ };
+ #endif
+@@ -2367,5 +2397,6 @@ AVCodec ff_vp3_decoder = {
+ .capabilities = CODEC_CAP_DR1 | CODEC_CAP_DRAW_HORIZ_BAND | CODEC_CAP_FRAME_THREADS,
+ .flush = vp3_decode_flush,
+ .long_name = NULL_IF_CONFIG_SMALL("On2 VP3"),
++ .init_thread_copy = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy),
+ .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context)
+ };
+--
+1.7.5.4
+
--- /dev/null
+gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0855
+
+Upstream-Status: Backport
+
+Signed-off-by: Yue Tao <yue.tao@windriver.com>
+
+diff --git a/gst-libs/ext/libav/libavcodec/alac.c.old b/gst-libs/ext/libav/libavcodec/alac.c
+index 2a0df8c..bcbd56d 100644
+--- a/gst-libs/ext/libav/libavcodec/alac.c.old
++++ b/gst-libs/ext/libav/libavcodec/alac.c
+@@ -87,18 +87,44 @@ typedef struct {
+ int wasted_bits;
+ } ALACContext;
+
+-static void allocate_buffers(ALACContext *alac)
++static av_cold int alac_decode_close(AVCodecContext *avctx)
++{
++ ALACContext *alac = avctx->priv_data;
++
++ int chan;
++ for (chan = 0; chan < MAX_CHANNELS; chan++) {
++ av_freep(&alac->predicterror_buffer[chan]);
++ av_freep(&alac->outputsamples_buffer[chan]);
++ av_freep(&alac->wasted_bits_buffer[chan]);
++ }
++
++ return 0;
++}
++
++static int allocate_buffers(ALACContext *alac)
+ {
+ int chan;
++ int buf_size;
++
++ if (alac->setinfo_max_samples_per_frame > INT_MAX / sizeof(int32_t))
++ goto buf_alloc_fail;
++ buf_size = alac->setinfo_max_samples_per_frame * sizeof(int32_t);
++
+ for (chan = 0; chan < MAX_CHANNELS; chan++) {
+- alac->predicterror_buffer[chan] =
+- av_malloc(alac->setinfo_max_samples_per_frame * 4);
+
+- alac->outputsamples_buffer[chan] =
+- av_malloc(alac->setinfo_max_samples_per_frame * 4);
++ FF_ALLOC_OR_GOTO(alac->avctx, alac->predicterror_buffer[chan],
++ buf_size, buf_alloc_fail);
+
+- alac->wasted_bits_buffer[chan] = av_malloc(alac->setinfo_max_samples_per_frame * 4);
++ FF_ALLOC_OR_GOTO(alac->avctx, alac->outputsamples_buffer[chan],
++ buf_size, buf_alloc_fail);
++
++ FF_ALLOC_OR_GOTO(alac->avctx, alac->wasted_bits_buffer[chan],
++ buf_size, buf_alloc_fail);
+ }
++ return 0;
++buf_alloc_fail:
++ alac_decode_close(alac->avctx);
++ return AVERROR(ENOMEM);
+ }
+
+ static int alac_set_info(ALACContext *alac)
+@@ -131,8 +157,6 @@ static int alac_set_info(ALACContext *alac)
+ bytestream_get_be32(&ptr); /* bitrate ? */
+ bytestream_get_be32(&ptr); /* samplerate */
+
+- allocate_buffers(alac);
+-
+ return 0;
+ }
+
+@@ -659,6 +683,7 @@ static int alac_decode_frame(AVCodecContext *avctx,
+
+ static av_cold int alac_decode_init(AVCodecContext * avctx)
+ {
++ int ret;
+ ALACContext *alac = avctx->priv_data;
+ alac->avctx = avctx;
+ alac->numchannels = alac->avctx->channels;
+@@ -674,18 +699,9 @@ static av_cold int alac_decode_init(AVCodecContext * avctx)
+ return -1;
+ }
+
+- return 0;
+-}
+-
+-static av_cold int alac_decode_close(AVCodecContext *avctx)
+-{
+- ALACContext *alac = avctx->priv_data;
+-
+- int chan;
+- for (chan = 0; chan < MAX_CHANNELS; chan++) {
+- av_freep(&alac->predicterror_buffer[chan]);
+- av_freep(&alac->outputsamples_buffer[chan]);
+- av_freep(&alac->wasted_bits_buffer[chan]);
++ if ((ret = allocate_buffers(alac)) < 0) {
++ av_log(avctx, AV_LOG_ERROR, "Error allocating buffers\n");
++ return ret;
+ }
+
+ return 0;
file://0001-alac-fix-nb_samples-order-case.patch \
file://0001-h264-correct-ref-count-check-and-limit-fix-out-of-ar.patch \
file://0001-roqvideodec-check-dimensions-validity.patch \
+ file://0001-aacdec-check-channel-count.patch \
+ file://0001-pngdec-filter-dont-access-out-of-array-elements-at-t.patch \
+ file://0001-error_concealment-Check-that-the-picture-is-not-in-a.patch \
+ file://0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch \
+ file://0001-vp3-Copy-all-3-frames-for-thread-updates.patch \
+ file://0001-h264_sei-Fix-infinite-loop.patch \
+ file://0001-avcodec-parser-reset-indexes-on-realloc-failure.patch \
+ file://0001-avcodec-rpza-Perform-pointer-advance-and-checks-befo.patch \
+ file://gst-ffmpeg-CVE-2013-0855.patch \
+ file://0001-qdm2dec-fix-buffer-overflow.patch \
+ file://0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch \
+ file://0001-smackerdec-Check-that-the-last-indexes-are-within-th.patch \
+ file://0001-avcodec-dsputil-fix-signedness-in-sizeof-comparissio.patch \
+ file://0001-error-concealment-initialize-block-index.patch \
+ file://0001-qdm2-check-array-index-before-use-fix-out-of-array-a.patch \
+ file://0001-lavf-compute-probe-buffer-size-more-reliably.patch \
+ file://0001-ffserver-set-oformat.patch \
"
SRC_URI[md5sum] = "7f5beacaf1312db2db30a026b36888c4"
