Merge remote-tracking branch 'qatar/master'

* qatar/master:
  bfi: Use bytestream2 functions to prevent buffer overreads.
  dpcm: Fix invalid writes
  utvideo: frame multithreading.
  vorbis: An additional defense in the Vorbis codec.
  vorbisdec: Fix decoding bug with channel handling

Conflicts:
	libavcodec/dpcm.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>

libavcodec/bfi.c

@@ -49,7 +49,7 @@ static av_cold int bfi_decode_init(AVCodecContext *avctx)
 static int bfi_decode_frame(AVCodecContext *avctx, void *data,
                             int *data_size, AVPacket *avpkt)
 {
-    const uint8_t *buf = avpkt->data, *buf_end = avpkt->data + avpkt->size;
+    GetByteContext g;
     int buf_size = avpkt->size;
     BFIContext *bfi = avctx->priv_data;
     uint8_t *dst = bfi->dst;
@@ -68,6 +68,8 @@ static int bfi_decode_frame(AVCodecContext *avctx, void *data,
         return -1;
     }
 
+    bytestream2_init(&g, avpkt->data, buf_size);
+
     /* Set frame parameters and palette, if necessary */
     if (!avctx->frame_number) {
         bfi->frame.pict_type = AV_PICTURE_TYPE_I;
@@ -96,15 +98,15 @@ static int bfi_decode_frame(AVCodecContext *avctx, void *data,
         memcpy(bfi->frame.data[1], bfi->pal, sizeof(bfi->pal));
     }
 
-    buf += 4; // Unpacked size, not required.
+    bytestream2_skip(&g, 4); // Unpacked size, not required.
 
     while (dst != frame_end) {
         static const uint8_t lentab[4] = { 0, 2, 0, 1 };
-        unsigned int byte   = *buf++, av_uninit(offset);
+        unsigned int byte   = bytestream2_get_byte(&g), av_uninit(offset);
         unsigned int code   = byte >> 6;
         unsigned int length = byte & ~0xC0;
 
-        if (buf >= buf_end) {
+        if (!bytestream2_get_bytes_left(&g)) {
             av_log(avctx, AV_LOG_ERROR,
                    "Input resolution larger than actual frame.\n");
             return -1;
@@ -113,16 +115,16 @@ static int bfi_decode_frame(AVCodecContext *avctx, void *data,
         /* Get length and offset(if required) */
         if (length == 0) {
             if (code == 1) {
-                length = bytestream_get_byte(&buf);
-                offset = bytestream_get_le16(&buf);
+                length = bytestream2_get_byte(&g);
+                offset = bytestream2_get_le16(&g);
             } else {
-                length = bytestream_get_le16(&buf);
+                length = bytestream2_get_le16(&g);
                 if (code == 2 && length == 0)
                     break;
             }
         } else {
             if (code == 1)
-                offset = bytestream_get_byte(&buf);
+                offset = bytestream2_get_byte(&g);
         }
 
         /* Do boundary check */
@@ -132,11 +134,11 @@ static int bfi_decode_frame(AVCodecContext *avctx, void *data,
         switch (code) {
 
         case 0:                //Normal Chain
-            if (length >= buf_end - buf) {
+            if (length >= bytestream2_get_bytes_left(&g)) {
                 av_log(avctx, AV_LOG_ERROR, "Frame larger than buffer.\n");
                 return -1;
             }
-            bytestream_get_buffer(&buf, dst, length);
+            bytestream2_get_buffer(&g, dst, length);
             dst += length;
             break;
 
@@ -154,8 +156,8 @@ static int bfi_decode_frame(AVCodecContext *avctx, void *data,
             break;
 
         case 3:                //Fill Chain
-            colour1 = bytestream_get_byte(&buf);
-            colour2 = bytestream_get_byte(&buf);
+            colour1 = bytestream2_get_byte(&g);
+            colour2 = bytestream2_get_byte(&g);
             while (length--) {
                 *dst++ = colour1;
                 *dst++ = colour2;

libavcodec/dpcm.c

@@ -288,7 +288,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data,
     }
     case CODEC_ID_SOL_DPCM:
         if (avctx->codec_tag != 3) {
-            uint8_t *output_samples_u8 = output_samples;
+            uint8_t *output_samples_u8 = s->frame.data[0];
             while (buf < buf_end) {
                 uint8_t n = *buf++;
 

libavcodec/utvideo.c

@@ -31,6 +31,7 @@
 #include "bytestream.h"
 #include "get_bits.h"
 #include "dsputil.h"
+#include "thread.h"
 
 enum {
     PRED_NONE = 0,
@@ -366,15 +367,17 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
     int ret;
 
     if (c->pic.data[0])
-        avctx->release_buffer(avctx, &c->pic);
+        ff_thread_release_buffer(avctx, &c->pic);
 
     c->pic.reference = 3;
     c->pic.buffer_hints = FF_BUFFER_HINTS_VALID;
-    if ((ret = avctx->get_buffer(avctx, &c->pic)) < 0) {
+    if ((ret = ff_thread_get_buffer(avctx, &c->pic)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }
 
+    ff_thread_finish_setup(avctx);
+
     /* parse plane structure to retrieve frame flags and validate slice offsets */
     ptr = buf;
     for (i = 0; i < c->planes; i++) {
@@ -557,7 +560,7 @@ static av_cold int decode_end(AVCodecContext *avctx)
     UtvideoContext * const c = avctx->priv_data;
 
     if (c->pic.data[0])
-        avctx->release_buffer(avctx, &c->pic);
+        ff_thread_release_buffer(avctx, &c->pic);
 
     av_freep(&c->slice_bits);
 
@@ -572,7 +575,7 @@ AVCodec ff_utvideo_decoder = {
     .init           = decode_init,
     .close          = decode_end,
     .decode         = decode_frame,
-    .capabilities   = CODEC_CAP_DR1,
+    .capabilities   = CODEC_CAP_DR1 | CODEC_CAP_FRAME_THREADS,
     .long_name      = NULL_IF_CONFIG_SMALL("Ut Video"),
 };