From 2884cf205a9a29d89db7a444c5b1613cdfe37acf Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun
Date: Wed, 16 Dec 2015 16:48:19 +0100
Subject: [PATCH 1/5] on2avc: limit number of bits to 30 in get_egolomb
More don't fit into the integer output. Also use get_bits_long, since get_bits only supports reading up to 25 bits, while get_bits_long supports the full integer range.
Signed-off-by: Andreas Cadhalpun
Signed-off-by: Anton Khirnov
---
libavcodec/on2avc.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/libavcodec/on2avc.c b/libavcodec/on2avc.c
index 3f531bc83b..3918365a01 100644
--- a/libavcodec/on2avc.c
+++ b/libavcodec/on2avc.c
@@ -211,9 +211,16 @@ static inline int get_egolomb(GetBitContext *gb)
 {
 int v = 4;
- while (get_bits1(gb)) v++;
+ while (get_bits1(gb)) {
+ v++;
+ if (v > 30) {
+ av_log(NULL, AV_LOG_WARNING, "Too large golomb code in get_egolomb.\n");
+ v = 30;
+ break;
+ }
+ }
- return (1 << v) + get_bits(gb, v);
+ return (1 << v) + get_bits_long(gb, v);
 }
 static int on2avc_decode_pairs(On2AVCContext *c, GetBitContext *gb, float *dst,
From 5b83b24ccbec79359f2dcdc0f49e09010a05e58a Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun
Date: Wed, 16 Dec 2015 20:52:39 +0100
Subject: [PATCH 2/5] nuv: sanitize negative fps rate
Signed-off-by: Andreas Cadhalpun
Signed-off-by: Anton Khirnov
---
libavformat/nuv.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/libavformat/nuv.c b/libavformat/nuv.c
index aeb2fae466..f553dd1e25 100644
--- a/libavformat/nuv.c
+++ b/libavformat/nuv.c
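Review bot: The cap at `if (v > 30)` in get_egolomb carries no explanation of why 30 is the limit, and the warning goes through `av_log(NULL, …)`, so it cannot be attributed to a decoder instance or silenced per stream, and a crafted bitstream can trigger it once per symbol. A comment above the check would help: `/* (1 << 30) + a 30-bit value is the largest result that still fits a positive int; longer runs of ones are treated as corrupt and clamped */`. Passing the AVCodecContext through would change get_egolomb's signature and every caller, which explains the NULL context, but a once-per-context or rate-limited warning would be preferable if this tree's logging helpers allow it. Callers should still range-check the returned value, since INT_MAX is now a reachable result. The whole of get_egolomb is inside the hunk.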
@@ -175,6 +175,15 @@ static int nuv_header(AVFormatContext *s)
 if (aspect > 0.9999 && aspect < 1.0001)
 aspect = 4.0 / 3.0;
 fps = av_int2double(avio_rl64(pb));
+ if (fps < 0.0f) {
+ if (s->error_recognition & AV_EF_EXPLODE) {
+ av_log(s, AV_LOG_ERROR, "Invalid frame rate %f\n", fps);
+ return AVERROR_INVALIDDATA;
+ } else {
+ av_log(s, AV_LOG_WARNING, "Invalid frame rate %f, setting to 0.\n", fps);
+ fps = 0.0f;
+ }
+ }
 // number of packets per stream type, -1 means unknown, e.g. streaming
 v_packs = avio_rl32(pb);
From 8431629dd112874293380a6d8a852459fc1a76b6 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun
Date: Fri, 18 Dec 2015 19:28:51 +0100
Subject: [PATCH 3/5] xwddec: prevent overflow of lsize * avctx->height
This is used to check if the input buffer is larger enough, so if this overflows it can cause a false negative leading to a segmentation fault in bytestream2_get_bufferu.
Signed-off-by: Andreas Cadhalpun
Signed-off-by: Anton Khirnov
---
libavcodec/xwddec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/xwddec.c b/libavcodec/xwddec.c
index f6d3d97de5..1c9874aa32 100644
--- a/libavcodec/xwddec.c
+++ b/libavcodec/xwddec.c
@@ -141,7 +141,7 @@ static int xwd_decode_frame(AVCodecContext *avctx, void *data,
 return AVERROR_INVALIDDATA;
 }
- if (bytestream2_get_bytes_left(&gb) < ncolors * XWD_CMAP_SIZE + avctx->height * lsize) {
+ if (bytestream2_get_bytes_left(&gb) < ncolors * XWD_CMAP_SIZE + (uint64_t)avctx->height * lsize) {
 av_log(avctx, AV_LOG_ERROR, "input buffer too small\n");
 return AVERROR_INVALIDDATA;
 }
From 9cdddb93bb33c58a5d42239326bc5eae0067366a Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun
Date: Fri, 18 Dec 2015 17:24:09 +0100
Subject: [PATCH 4/5] nutdec: only copy the header if it exists
Fixes runtime error: null pointer passed as argument 2, which is declared to never be null
Signed-off-by: Andreas Cadhalpun
Signed-off-by: Anton Khirnov
---
libavformat/nutdec.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
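Review bot: The guard `if (fps < 0.0f)` does not catch NaN, which av_int2double can produce from arbitrary 64-bit file input, because every comparison with NaN is false; infinities pass it as well. Writing it as `if (!(fps >= 0.0) || !isfinite(fps)) {` (with `<math.h>`, if nuv.c does not already include it) rejects negative, NaN and infinite values with the same two branches and the same messages. What the substituted value of 0 does further down in nuv_header is not visible here and should be confirmed, since a zero frame rate may itself need handling before it is turned into a time base. The body of nuv_header continues outside the hunk.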
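Review bot: Only the second term of the sum is widened; `ncolors * XWD_CMAP_SIZE` is still evaluated in int before the addition, so unless ncolors is bounded earlier in xwd_decode_frame (outside the hunk) that product can overflow just as `avctx->height * lsize` could, which is undefined behaviour and defeats the purpose of the check. Casting the first term too, `(uint64_t)ncolors * XWD_CMAP_SIZE + (uint64_t)avctx->height * lsize`, makes the whole comparison overflow-free; if ncolors is already range-checked above, a short comment on the line saying so would make the asymmetry intentional. Note that `bytestream2_get_bytes_left` returns an int which is converted to uint64_t for the comparison, which is fine only as long as it cannot be negative. The enclosing function starts and ends outside the hunk.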
diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
index 17ae522533..e39f7d3e54 100644
--- a/libavformat/nutdec.c
+++ b/libavformat/nutdec.c
@@ -890,7 +890,8 @@ static int decode_frame(NUTContext *nut, AVPacket *pkt, int frame_code)
 ret = av_new_packet(pkt, size + nut->header_len[header_idx]);
 if (ret < 0)
 return ret;
- memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]);
+ if (nut->header[header_idx])
+ memcpy(pkt->data, nut->header[header_idx], nut->header_len[header_idx]);
 pkt->pos = avio_tell(bc); // FIXME
 avio_read(bc, pkt->data + nut->header_len[header_idx], size);
From b06cb15b9d7928bf54b639c9f9f7658c2c38bfb9 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun
Date: Wed, 13 Jan 2016 00:56:39 +0100
Subject: [PATCH 5/5] dca: fix misaligned access in ff_dca_convert_bitstream
The function is used on unaligned buffers (such as those provided by AVPacket), accessing them as uint16_t causes SIGBUS crashes on architectures like SPARC. This fixes ubsan runtime error: load of misaligned address for type 'const uint16_t', which requires 2 byte alignment
Signed-off-by: Andreas Cadhalpun
Signed-off-by: Luca Barbato
---
libavcodec/dca.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/libavcodec/dca.c b/libavcodec/dca.c
index ebe9fdb47c..c5daf077a9 100644
--- a/libavcodec/dca.c
+++ b/libavcodec/dca.c
@@ -37,8 +37,6 @@ int ff_dca_convert_bitstream(const uint8_t *src, int src_size, uint8_t *dst,
 {
 uint32_t mrk;
 int i, tmp;
- const uint16_t *ssrc = (const uint16_t *) src;
- uint16_t *sdst = (uint16_t *) dst;
 PutBitContext pb;
 if ((unsigned) src_size > (unsigned) max_size)
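Review bot: With the new guard, a NULL `nut->header[header_idx]` combined with a non-zero `nut->header_len[header_idx]` leaves the first header_len bytes of pkt->data unwritten, because `av_new_packet` still sizes the packet with that length and `avio_read` starts after it; whether that combination can arise depends on how the header table is filled elsewhere in the file. If it cannot, a comment on the guard such as `/* header may be NULL only when header_len is 0 */` records the invariant; if it can, the packet should be rejected or those bytes zeroed rather than returned with possibly uninitialized content. The unchecked return value of the following `avio_read` predates this change but is worth a follow-up. decode_frame continues outside the hunk.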
@@ -50,8 +48,11 @@ int ff_dca_convert_bitstream(const uint8_t *src, int src_size, uint8_t *dst,
 memcpy(dst, src, src_size);
 return src_size;
 case DCA_SYNCWORD_CORE_LE:
- for (i = 0; i < (src_size + 1) >> 1; i++)
- *sdst++ = av_bswap16(*ssrc++);
+ for (i = 0; i < (src_size + 1) >> 1; i++) {
+ AV_WB16(dst, AV_RL16(src));
+ src += 2;
+ dst += 2;
+ }
 return src_size;
 case DCA_SYNCWORD_CORE_14B_BE:
 case DCA_SYNCWORD_CORE_14B_LE:
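Review bot: The rewritten loop keeps the old iteration count `(src_size + 1) >> 1`, so for an odd src_size the last iteration reads one byte past the src data and writes src_size + 1 bytes to dst; the only size check visible in the previous hunk is `(unsigned) src_size > (unsigned) max_size`, which allows src_size == max_size and therefore a one-byte write past dst for odd sizes. Bounding the loop to whole words, `for (i = 0; i + 1 < src_size; i += 2)`, and then either handling the trailing odd byte explicitly or rejecting odd sizes as invalid (the LE variant is a 16-bit stream) closes that gap; the one-byte over-read of src is probably absorbed by AVPacket padding but should not be relied on. This was already the behaviour of the removed `*sdst++ = av_bswap16(*ssrc++)`, so it is not a regression, but the rewrite is the natural place to fix it. ff_dca_convert_bitstream continues outside the hunk.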