[SCM] libav/master: Import post 0.8 patches
siretart at users.alioth.debian.org
siretart at users.alioth.debian.org
Mon Mar 5 14:46:39 UTC 2012
The following commit has been merged in the master branch:
commit 8c82f30d4cb7dfb564fc13b46432acde821d1af8
Author: Reinhard Tartler <siretart at tauware.de>
Date: Mon Mar 5 15:46:06 2012 +0100
Import post 0.8 patches
All these patches are scheduled for inclusion in the upcoming 0.8.1 point release.
diff --git a/debian/patches/post-0.8/0001-lavc-add-avcodec_is_open.patch b/debian/patches/post-0.8/0001-lavc-add-avcodec_is_open.patch
new file mode 100644
index 0000000..284268c
--- /dev/null
+++ b/debian/patches/post-0.8/0001-lavc-add-avcodec_is_open.patch
@@ -0,0 +1,128 @@
+From 350d06d63fc758d047c050e0835f540277799f60 Mon Sep 17 00:00:00 2001
+From: Anton Khirnov <anton at khirnov.net>
+Date: Thu, 8 Dec 2011 06:57:44 +0100
+Subject: [PATCH 01/80] lavc: add avcodec_is_open().
+
+It allows to check whether an AVCodecContext is open in a documented
+way. Right now the undocumented way this check is done in lavf/lavc is
+by checking whether AVCodecContext.codec is NULL. However it's desirable
+to be able to set AVCodecContext.codec before avcodec_open2().
+
+(cherry picked from commit af08d9aeea870de017139f7b1c44b7d816cf8e56)
+
+Conflicts:
+
+ doc/APIchanges
+---
+ doc/APIchanges | 3 +++
+ libavcodec/avcodec.h | 6 ++++++
+ libavcodec/options.c | 2 +-
+ libavcodec/utils.c | 8 ++++++++
+ libavcodec/version.h | 2 +-
+ libavformat/utils.c | 5 ++---
+ 6 files changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/doc/APIchanges b/doc/APIchanges
+index 904e346..1e326ca 100644
+--- a/doc/APIchanges
++++ b/doc/APIchanges
+@@ -13,6 +13,9 @@ libavutil: 2011-04-18
+
+ API changes, most recent first:
+
++2012-02-17 - xxxxxxx - lavc 53.35.0
++ Add avcodec_is_open() function.
++
+ 2012-01-15 - lavc 53.34.0
+ New audio encoding API:
+ b2c75b6 Add CODEC_CAP_VARIABLE_FRAME_SIZE capability for use by audio
+diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h
+index be1b202..6db34fa 100644
+--- a/libavcodec/avcodec.h
++++ b/libavcodec/avcodec.h
+@@ -4737,4 +4737,10 @@ enum AVMediaType avcodec_get_type(enum CodecID codec_id);
+ */
+ const AVClass *avcodec_get_class(void);
+
++/**
++ * @return a positive value if s is open (i.e. avcodec_open2() was called on it
++ * with no corresponding avcodec_close()), 0 otherwise.
++ */
++int avcodec_is_open(AVCodecContext *s);
++
+ #endif /* AVCODEC_AVCODEC_H */
+diff --git a/libavcodec/options.c b/libavcodec/options.c
+index 2689d32..7481f1a 100644
+--- a/libavcodec/options.c
++++ b/libavcodec/options.c
+@@ -634,7 +634,7 @@ AVCodecContext *avcodec_alloc_context(void){
+
+ int avcodec_copy_context(AVCodecContext *dest, const AVCodecContext *src)
+ {
+- if (dest->codec) { // check that the dest context is uninitialized
++ if (avcodec_is_open(dest)) { // check that the dest context is uninitialized
+ av_log(dest, AV_LOG_ERROR,
+ "Tried to copy AVCodecContext %p into already-initialized %p\n",
+ src, dest);
+diff --git a/libavcodec/utils.c b/libavcodec/utils.c
+index ff3f065..b097c9b 100644
+--- a/libavcodec/utils.c
++++ b/libavcodec/utils.c
+@@ -637,6 +637,9 @@ int attribute_align_arg avcodec_open2(AVCodecContext *avctx, AVCodec *codec, AVD
+ int ret = 0;
+ AVDictionary *tmp = NULL;
+
++ if (avcodec_is_open(avctx))
++ return 0;
++
+ if (avctx->extradata_size < 0 || avctx->extradata_size >= FF_MAX_EXTRADATA_SIZE)
+ return AVERROR(EINVAL);
+
+@@ -1836,3 +1839,8 @@ enum AVMediaType avcodec_get_type(enum CodecID codec_id)
+
+ return AVMEDIA_TYPE_UNKNOWN;
+ }
++
++int avcodec_is_open(AVCodecContext *s)
++{
++ return !!s->internal;
++}
+diff --git a/libavcodec/version.h b/libavcodec/version.h
+index c7b4c15..77e1682 100644
+--- a/libavcodec/version.h
++++ b/libavcodec/version.h
+@@ -21,7 +21,7 @@
+ #define AVCODEC_VERSION_H
+
+ #define LIBAVCODEC_VERSION_MAJOR 53
+-#define LIBAVCODEC_VERSION_MINOR 34
++#define LIBAVCODEC_VERSION_MINOR 35
+ #define LIBAVCODEC_VERSION_MICRO 0
+
+ #define LIBAVCODEC_VERSION_INT AV_VERSION_INT(LIBAVCODEC_VERSION_MAJOR, \
+diff --git a/libavformat/utils.c b/libavformat/utils.c
+index 22ee13b..3733a50 100644
+--- a/libavformat/utils.c
++++ b/libavformat/utils.c
+@@ -2137,7 +2137,7 @@ static int try_decode_frame(AVStream *st, AVPacket *avpkt, AVDictionary **option
+ AVFrame picture;
+ AVPacket pkt = *avpkt;
+
+- if(!st->codec->codec){
++ if (!avcodec_is_open(st->codec)) {
+ AVDictionary *thread_opt = NULL;
+
+ codec = avcodec_find_decoder(st->codec->codec_id);
+@@ -2487,8 +2487,7 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options)
+ // close codecs which were opened in try_decode_frame()
+ for(i=0;i<ic->nb_streams;i++) {
+ st = ic->streams[i];
+- if(st->codec->codec)
+- avcodec_close(st->codec);
++ avcodec_close(st->codec);
+ }
+ for(i=0;i<ic->nb_streams;i++) {
+ st = ic->streams[i];
+--
+1.7.5.4
+
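Review bot: The early `return 0` added at the top of avcodec_open2() in libavcodec/utils.c reports success for an already-open context without looking at the `codec` or `options` arguments, so a caller that tries to reopen a context with a different codec is told it succeeded and carries on with the old one. If that is intended, the doc comment for avcodec_open2() should say so; otherwise an error return, or at least a log line such as `av_log(avctx, AV_LOG_WARNING, "avcodec_open2() called on an already open context\n");`, would make the misuse visible. Separately, avcodec_is_open() dereferences `s` unconditionally (`!!s->internal`), and the new comment in avcodec.h does not say that `s` must be non-NULL. The body of avcodec_open2() continues outside the hunk.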
diff --git a/debian/patches/post-0.8/0002-lavc-make-avcodec_close-work-properly-on-unopened-co.patch b/debian/patches/post-0.8/0002-lavc-make-avcodec_close-work-properly-on-unopened-co.patch
new file mode 100644
index 0000000..0d8a646
--- /dev/null
+++ b/debian/patches/post-0.8/0002-lavc-make-avcodec_close-work-properly-on-unopened-co.patch
@@ -0,0 +1,78 @@
+From bafd38a352126385ec0dcea51017229373b1c2f3 Mon Sep 17 00:00:00 2001
+From: Anton Khirnov <anton at khirnov.net>
+Date: Sun, 29 Jan 2012 12:17:30 +0100
+Subject: [PATCH 02/80] lavc: make avcodec_close() work properly on unopened
+ codecs.
+
+I.e. free the priv_data and other stuff allocated in
+avcodec_alloc_context3() and not segfault.
+
+(cherry picked from commit 0e72ad95f9fef6a6b8ae55e47339a5c40526502f)
+---
+ libavcodec/avcodec.h | 12 +++++++++++-
+ libavcodec/utils.c | 19 +++++++++++--------
+ 2 files changed, 22 insertions(+), 9 deletions(-)
+
+diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h
+index 6db34fa..95e14d7 100644
+--- a/libavcodec/avcodec.h
++++ b/libavcodec/avcodec.h
+@@ -3912,7 +3912,8 @@ AVCodecContext *avcodec_alloc_context2(enum AVMediaType);
+
+ /**
+ * Allocate an AVCodecContext and set its fields to default values. The
+- * resulting struct can be deallocated by simply calling av_free().
++ * resulting struct can be deallocated by calling avcodec_close() on it followed
++ * by av_free().
+ *
+ * @param codec if non-NULL, allocate private data and initialize defaults
+ * for the given codec. It is illegal to then call avcodec_open2()
+@@ -4343,6 +4344,15 @@ int avcodec_encode_video(AVCodecContext *avctx, uint8_t *buf, int buf_size,
+ int avcodec_encode_subtitle(AVCodecContext *avctx, uint8_t *buf, int buf_size,
+ const AVSubtitle *sub);
+
++/**
++ * Close a given AVCodecContext and free all the data associated with it
++ * (but not the AVCodecContext itself).
++ *
++ * Calling this function on an AVCodecContext that hasn't been opened will free
++ * the codec-specific data allocated in avcodec_alloc_context3() /
++ * avcodec_get_context_defaults3() with a non-NULL codec. Subsequent calls will
++ * do nothing.
++ */
+ int avcodec_close(AVCodecContext *avctx);
+
+ /**
+diff --git a/libavcodec/utils.c b/libavcodec/utils.c
+index b097c9b..b2bd702 100644
+--- a/libavcodec/utils.c
++++ b/libavcodec/utils.c
+@@ -1281,14 +1281,17 @@ av_cold int avcodec_close(AVCodecContext *avctx)
+ return -1;
+ }
+
+- if (HAVE_THREADS && avctx->thread_opaque)
+- ff_thread_free(avctx);
+- if (avctx->codec && avctx->codec->close)
+- avctx->codec->close(avctx);
+- avcodec_default_free_buffers(avctx);
+- avctx->coded_frame = NULL;
+- av_freep(&avctx->internal);
+- if (avctx->codec && avctx->codec->priv_class)
++ if (avcodec_is_open(avctx)) {
++ if (HAVE_THREADS && avctx->thread_opaque)
++ ff_thread_free(avctx);
++ if (avctx->codec && avctx->codec->close)
++ avctx->codec->close(avctx);
++ avcodec_default_free_buffers(avctx);
++ avctx->coded_frame = NULL;
++ av_freep(&avctx->internal);
++ }
++
++ if (avctx->priv_data && avctx->codec && avctx->codec->priv_class)
+ av_opt_free(avctx->priv_data);
+ av_opt_free(avctx);
+ av_freep(&avctx->priv_data);
+--
+1.7.5.4
+
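Review bot: The new doc comment for avcodec_close() in avcodec.h does not state the return value, although the context lines at the top of the utils.c hunk show an early `return -1` that appears to be taken before anything is freed. A caller following the updated avcodec_alloc_context3() text (avcodec_close() followed by av_free()) would leak `priv_data` on that path unless it checks the result. I would add `@return 0 on success, a negative value on failure (nothing is freed in that case)`, with the wording confirmed against the part of avcodec_close() that lies outside the hunk.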
diff --git a/debian/patches/post-0.8/0003-lavc-set-AVCodecContext.codec-in-avcodec_get_context.patch b/debian/patches/post-0.8/0003-lavc-set-AVCodecContext.codec-in-avcodec_get_context.patch
new file mode 100644
index 0000000..c9ab486
--- /dev/null
+++ b/debian/patches/post-0.8/0003-lavc-set-AVCodecContext.codec-in-avcodec_get_context.patch
@@ -0,0 +1,114 @@
+From 571a4cf273a84b6f7f38697b462e667d4f0fddc4 Mon Sep 17 00:00:00 2001
+From: Anton Khirnov <anton at khirnov.net>
+Date: Sat, 28 Jan 2012 19:15:15 +0100
+Subject: [PATCH 03/80] lavc: set AVCodecContext.codec in
+ avcodec_get_context_defaults3().
+
+This way, if the AVCodecContext is allocated for a specific codec, the
+caller doesn't need to store this codec separately and then pass it
+again to avcodec_open2().
+
+It also allows to set codec private options using av_opt_set_* before
+opening the codec.
+(cherry picked from commit bc901998487bf9b77a423961d9f961bcc28a9291)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/avcodec.h | 5 +++++
+ libavcodec/options.c | 1 +
+ libavcodec/utils.c | 17 ++++++++++++-----
+ libavformat/utils.c | 8 +++++---
+ 4 files changed, 23 insertions(+), 8 deletions(-)
+
+diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h
+index 95e14d7..2451294 100644
+--- a/libavcodec/avcodec.h
++++ b/libavcodec/avcodec.h
+@@ -4059,6 +4059,11 @@ int avcodec_open(AVCodecContext *avctx, AVCodec *codec);
+ * @endcode
+ *
+ * @param avctx The context to initialize.
++ * @param codec The codec to open this context for. If a non-NULL codec has been
++ * previously passed to avcodec_alloc_context3() or
++ * avcodec_get_context_defaults3() for this context, then this
++ * parameter MUST be either NULL or equal to the previously passed
++ * codec.
+ * @param options A dictionary filled with AVCodecContext and codec-private options.
+ * On return this object will be filled with options that were not found.
+ *
+diff --git a/libavcodec/options.c b/libavcodec/options.c
+index 7481f1a..26f3ab3 100644
+--- a/libavcodec/options.c
++++ b/libavcodec/options.c
+@@ -561,6 +561,7 @@ int avcodec_get_context_defaults3(AVCodecContext *s, AVCodec *codec){
+ s->av_class = &av_codec_context_class;
+
+ s->codec_type = codec ? codec->type : AVMEDIA_TYPE_UNKNOWN;
++ s->codec = codec;
+ av_opt_set_defaults(s);
+
+ s->time_base = (AVRational){0,1};
+diff --git a/libavcodec/utils.c b/libavcodec/utils.c
+index b2bd702..5109bf8 100644
+--- a/libavcodec/utils.c
++++ b/libavcodec/utils.c
+@@ -640,6 +640,18 @@ int attribute_align_arg avcodec_open2(AVCodecContext *avctx, AVCodec *codec, AVD
+ if (avcodec_is_open(avctx))
+ return 0;
+
++ if ((!codec && !avctx->codec)) {
++ av_log(avctx, AV_LOG_ERROR, "No codec provided to avcodec_open2().\n");
++ return AVERROR(EINVAL);
++ }
++ if ((codec && avctx->codec && codec != avctx->codec)) {
++ av_log(avctx, AV_LOG_ERROR, "This AVCodecContext was allocated for %s, "
++ "but %s passed to avcodec_open2().\n", avctx->codec->name, codec->name);
++ return AVERROR(EINVAL);
++ }
++ if (!codec)
++ codec = avctx->codec;
++
+ if (avctx->extradata_size < 0 || avctx->extradata_size >= FF_MAX_EXTRADATA_SIZE)
+ return AVERROR(EINVAL);
+
+@@ -659,11 +671,6 @@ int attribute_align_arg avcodec_open2(AVCodecContext *avctx, AVCodec *codec, AVD
+ goto end;
+ }
+
+- if(avctx->codec || !codec) {
+- ret = AVERROR(EINVAL);
+- goto end;
+- }
+-
+ avctx->internal = av_mallocz(sizeof(AVCodecInternal));
+ if (!avctx->internal) {
+ ret = AVERROR(ENOMEM);
+diff --git a/libavformat/utils.c b/libavformat/utils.c
+index 3733a50..f2d5502 100644
+--- a/libavformat/utils.c
++++ b/libavformat/utils.c
+@@ -2140,7 +2140,9 @@ static int try_decode_frame(AVStream *st, AVPacket *avpkt, AVDictionary **option
+ if (!avcodec_is_open(st->codec)) {
+ AVDictionary *thread_opt = NULL;
+
+- codec = avcodec_find_decoder(st->codec->codec_id);
++ codec = st->codec->codec ? st->codec->codec :
++ avcodec_find_decoder(st->codec->codec_id);
++
+ if (!codec)
+ return -1;
+
+@@ -2306,8 +2308,8 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options)
+ st->parser->flags |= PARSER_FLAG_COMPLETE_FRAMES;
+ }
+ }
+- assert(!st->codec->codec);
+- codec = avcodec_find_decoder(st->codec->codec_id);
++ codec = st->codec->codec ? st->codec->codec :
++ avcodec_find_decoder(st->codec->codec_id);
+
+ /* force thread count to 1 since the h264 decoder will not extract SPS
+ * and PPS to extradata during multi-threaded decoding */
+--
+1.7.5.4
+
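Review bot: In libavformat/utils.c both try_decode_frame() and avformat_find_stream_info() now prefer a preset `st->codec->codec` over `avcodec_find_decoder()`, but nothing in the visible lines checks that the preset codec is a decoder or that its id matches `st->codec->codec_id`, which is derived from the input. The removed `assert(!st->codec->codec)` used to rule that state out. A guard such as `if (codec && codec->id != st->codec->codec_id) codec = avcodec_find_decoder(st->codec->codec_id);`, or a comment stating that the caller's choice deliberately wins, would make the intent explicit. Both functions continue outside the hunks, so an equivalent check may exist elsewhere.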
diff --git a/debian/patches/post-0.8/0004-qdm2-Check-data-block-size-for-bytes-to-bits-overflo.patch b/debian/patches/post-0.8/0004-qdm2-Check-data-block-size-for-bytes-to-bits-overflo.patch
new file mode 100644
index 0000000..1aa1ecc
--- /dev/null
+++ b/debian/patches/post-0.8/0004-qdm2-Check-data-block-size-for-bytes-to-bits-overflo.patch
@@ -0,0 +1,34 @@
+From e364f507183634a9134eea0e004c8ae448e54469 Mon Sep 17 00:00:00 2001
+From: Alex Converse <alex.converse at gmail.com>
+Date: Wed, 25 Jan 2012 15:27:11 -0800
+Subject: [PATCH 04/80] qdm2: Check data block size for bytes to bits
+ overflow.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+
+CC: libav-stable at libav.org
+(cherry picked from commit dac56d9ce01eb9963f28f26b97a81db5cbd46c1c)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/qdm2.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
+index 91c47a8..6acb7d8 100644
+--- a/libavcodec/qdm2.c
++++ b/libavcodec/qdm2.c
+@@ -1819,6 +1819,10 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx)
+ extradata += 4;
+
+ s->checksum_size = AV_RB32(extradata);
++ if (s->checksum_size >= 1U << 28) {
++ av_log(avctx, AV_LOG_ERROR, "data block size too large (%u)\n", s->checksum_size);
++ return AVERROR_INVALIDDATA;
++ }
+
+ s->fft_order = av_log2(s->fft_size) + 1;
+ s->fft_frame_size = 2 * s->fft_size; // complex has two floats
+--
+1.7.5.4
+
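Review bot: The bound `1U << 28` in qdm2_decode_init() is a magic number whose origin is recorded only in the commit subject; a comment on the check would keep it from being loosened later, e.g. `/* checksum_size is later converted from bytes to bits; size * 8 must stay within a signed int */`. The check covers only the upper end, and whether a zero or very small `checksum_size` is handled is not visible here, since the function starts and ends outside the hunk. It is also worth confirming that returning at this point does not skip cleanup of anything set up earlier in the init function.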
diff --git a/debian/patches/post-0.8/0005-libavcodec-Don-t-crash-in-avcodec_encode_audio-if-ti.patch b/debian/patches/post-0.8/0005-libavcodec-Don-t-crash-in-avcodec_encode_audio-if-ti.patch
new file mode 100644
index 0000000..a3b8dbc
--- /dev/null
+++ b/debian/patches/post-0.8/0005-libavcodec-Don-t-crash-in-avcodec_encode_audio-if-ti.patch
@@ -0,0 +1,45 @@
+From fc89f15497c2b5b78a992c98eaba9fca7cc82f8f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Martin=20Storsj=C3=B6?= <martin at martin.st>
+Date: Thu, 26 Jan 2012 21:37:38 +0200
+Subject: [PATCH 05/80] libavcodec: Don't crash in avcodec_encode_audio if
+ time_base isn't set
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Earlier, calling avcodec_encode_audio worked fine even if time_base
+wasn't set. Now it crashes due to trying to scale the output pts to
+the codec context time base. This affects e.g. VLC.
+
+If no time_base is set for audio codecs, set it to the sample
+rate.
+
+CC: libav-stable at libav.org
+Signed-off-by: Martin Storsjö <martin at martin.st>
+(cherry picked from commit 9a7dc618c50902e7a171f2deda6430d52c277a95)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/utils.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/utils.c b/libavcodec/utils.c
+index 5109bf8..f64bff8 100644
+--- a/libavcodec/utils.c
++++ b/libavcodec/utils.c
+@@ -744,6 +744,12 @@ int attribute_align_arg avcodec_open2(AVCodecContext *avctx, AVCodec *codec, AVD
+ avctx->error_recognition, avctx->err_recognition);
+ #endif
+
++ if (avctx->codec_type == AVMEDIA_TYPE_AUDIO &&
++ (!avctx->time_base.num || !avctx->time_base.den)) {
++ avctx->time_base.num = 1;
++ avctx->time_base.den = avctx->sample_rate;
++ }
++
+ if (HAVE_THREADS && !avctx->thread_opaque) {
+ ret = ff_thread_init(avctx);
+ if (ret < 0) {
+--
+1.7.5.4
+
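Review bot: The fallback added to avcodec_open2() assigns `avctx->time_base.den = avctx->sample_rate` without checking that the sample rate is non-zero, so a context opened with `sample_rate == 0` still ends up with a zero denominator, which is the state this change is meant to avoid. If an earlier check outside the hunk already rejects a zero sample rate for encoders, a comment here should say so, e.g. `/* sample_rate was validated above for encoders; it may be 0 for decoders */` (to be confirmed). Otherwise the zero case needs explicit handling before any later rescale uses `time_base`.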
diff --git a/debian/patches/post-0.8/0006-swscale-fix-V-plane-memory-location-in-bilinear-unsc.patch b/debian/patches/post-0.8/0006-swscale-fix-V-plane-memory-location-in-bilinear-unsc.patch
new file mode 100644
index 0000000..5e6107e
--- /dev/null
+++ b/debian/patches/post-0.8/0006-swscale-fix-V-plane-memory-location-in-bilinear-unsc.patch
@@ -0,0 +1,99 @@
+From a2c8db1b792670f8987c0580bb71ca0f29708d8b Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Tue, 7 Feb 2012 11:33:20 -0800
+Subject: [PATCH 06/80] swscale: fix V plane memory location in
+ bilinear/unscaled RGB/YUYV case.
+
+Fixes bug 221.
+
+CC: libav-stable at libav.org
+(cherry picked from commit b7542dd3d71d1ee873277020b6a8eab2674bb167)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libswscale/x86/swscale_template.c | 24 ++++++++++++------------
+ 1 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/libswscale/x86/swscale_template.c b/libswscale/x86/swscale_template.c
+index e38f58b..5db166b 100644
+--- a/libswscale/x86/swscale_template.c
++++ b/libswscale/x86/swscale_template.c
+@@ -688,10 +688,10 @@ static void RENAME(yuv2yuyv422_X)(SwsContext *c, const int16_t *lumFilter,
+ "1: \n\t"\
+ "movq (%2, "#index"), %%mm2 \n\t" /* uvbuf0[eax]*/\
+ "movq (%3, "#index"), %%mm3 \n\t" /* uvbuf1[eax]*/\
+- "add "UV_OFF_PX"("#c"), "#index" \n\t" \
++ "add "UV_OFF_BYTE"("#c"), "#index" \n\t" \
+ "movq (%2, "#index"), %%mm5 \n\t" /* uvbuf0[eax+2048]*/\
+ "movq (%3, "#index"), %%mm4 \n\t" /* uvbuf1[eax+2048]*/\
+- "sub "UV_OFF_PX"("#c"), "#index" \n\t" \
++ "sub "UV_OFF_BYTE"("#c"), "#index" \n\t" \
+ "psubw %%mm3, %%mm2 \n\t" /* uvbuf0[eax] - uvbuf1[eax]*/\
+ "psubw %%mm4, %%mm5 \n\t" /* uvbuf0[eax+2048] - uvbuf1[eax+2048]*/\
+ "movq "CHR_MMX_FILTER_OFFSET"+8("#c"), %%mm0 \n\t"\
+@@ -919,10 +919,10 @@ static void RENAME(yuv2rgb565_2)(SwsContext *c, const int16_t *buf[2],
+ "1: \n\t"\
+ "movq (%2, "#index"), %%mm2 \n\t" /* uvbuf0[eax]*/\
+ "movq (%3, "#index"), %%mm3 \n\t" /* uvbuf1[eax]*/\
+- "add "UV_OFF_PX"("#c"), "#index" \n\t" \
++ "add "UV_OFF_BYTE"("#c"), "#index" \n\t" \
+ "movq (%2, "#index"), %%mm5 \n\t" /* uvbuf0[eax+2048]*/\
+ "movq (%3, "#index"), %%mm4 \n\t" /* uvbuf1[eax+2048]*/\
+- "sub "UV_OFF_PX"("#c"), "#index" \n\t" \
++ "sub "UV_OFF_BYTE"("#c"), "#index" \n\t" \
+ "psubw %%mm3, %%mm2 \n\t" /* uvbuf0[eax] - uvbuf1[eax]*/\
+ "psubw %%mm4, %%mm5 \n\t" /* uvbuf0[eax+2048] - uvbuf1[eax+2048]*/\
+ "movq "CHR_MMX_FILTER_OFFSET"+8("#c"), %%mm0 \n\t"\
+@@ -974,9 +974,9 @@ static void RENAME(yuv2yuyv422_2)(SwsContext *c, const int16_t *buf[2],
+ ".p2align 4 \n\t"\
+ "1: \n\t"\
+ "movq (%2, "#index"), %%mm3 \n\t" /* uvbuf0[eax]*/\
+- "add "UV_OFF_PX"("#c"), "#index" \n\t" \
++ "add "UV_OFF_BYTE"("#c"), "#index" \n\t" \
+ "movq (%2, "#index"), %%mm4 \n\t" /* uvbuf0[eax+2048]*/\
+- "sub "UV_OFF_PX"("#c"), "#index" \n\t" \
++ "sub "UV_OFF_BYTE"("#c"), "#index" \n\t" \
+ "psraw $4, %%mm3 \n\t" /* uvbuf0[eax] - uvbuf1[eax] >>4*/\
+ "psraw $4, %%mm4 \n\t" /* uvbuf0[eax+2048] - uvbuf1[eax+2048] >>4*/\
+ "psubw "U_OFFSET"("#c"), %%mm3 \n\t" /* (U-128)8*/\
+@@ -1027,10 +1027,10 @@ static void RENAME(yuv2yuyv422_2)(SwsContext *c, const int16_t *buf[2],
+ "1: \n\t"\
+ "movq (%2, "#index"), %%mm2 \n\t" /* uvbuf0[eax]*/\
+ "movq (%3, "#index"), %%mm3 \n\t" /* uvbuf1[eax]*/\
+- "add "UV_OFF_PX"("#c"), "#index" \n\t" \
++ "add "UV_OFF_BYTE"("#c"), "#index" \n\t" \
+ "movq (%2, "#index"), %%mm5 \n\t" /* uvbuf0[eax+2048]*/\
+ "movq (%3, "#index"), %%mm4 \n\t" /* uvbuf1[eax+2048]*/\
+- "sub "UV_OFF_PX"("#c"), "#index" \n\t" \
++ "sub "UV_OFF_BYTE"("#c"), "#index" \n\t" \
+ "paddw %%mm2, %%mm3 \n\t" /* uvbuf0[eax] + uvbuf1[eax]*/\
+ "paddw %%mm5, %%mm4 \n\t" /* uvbuf0[eax+2048] + uvbuf1[eax+2048]*/\
+ "psrlw $5, %%mm3 \n\t" /*FIXME might overflow*/\
+@@ -1294,9 +1294,9 @@ static void RENAME(yuv2rgb565_1)(SwsContext *c, const int16_t *buf0,
+ ".p2align 4 \n\t"\
+ "1: \n\t"\
+ "movq (%2, "#index"), %%mm3 \n\t" /* uvbuf0[eax]*/\
+- "add "UV_OFF_PX"("#c"), "#index" \n\t" \
++ "add "UV_OFF_BYTE"("#c"), "#index" \n\t" \
+ "movq (%2, "#index"), %%mm4 \n\t" /* uvbuf0[eax+2048]*/\
+- "sub "UV_OFF_PX"("#c"), "#index" \n\t" \
++ "sub "UV_OFF_BYTE"("#c"), "#index" \n\t" \
+ "psraw $7, %%mm3 \n\t" \
+ "psraw $7, %%mm4 \n\t" \
+ "movq (%0, "#index", 2), %%mm1 \n\t" /*buf0[eax]*/\
+@@ -1312,10 +1312,10 @@ static void RENAME(yuv2rgb565_1)(SwsContext *c, const int16_t *buf0,
+ "1: \n\t"\
+ "movq (%2, "#index"), %%mm2 \n\t" /* uvbuf0[eax]*/\
+ "movq (%3, "#index"), %%mm3 \n\t" /* uvbuf1[eax]*/\
+- "add "UV_OFF_PX"("#c"), "#index" \n\t" \
++ "add "UV_OFF_BYTE"("#c"), "#index" \n\t" \
+ "movq (%2, "#index"), %%mm5 \n\t" /* uvbuf0[eax+2048]*/\
+ "movq (%3, "#index"), %%mm4 \n\t" /* uvbuf1[eax+2048]*/\
+- "sub "UV_OFF_PX"("#c"), "#index" \n\t" \
++ "sub "UV_OFF_BYTE"("#c"), "#index" \n\t" \
+ "paddw %%mm2, %%mm3 \n\t" /* uvbuf0[eax] + uvbuf1[eax]*/\
+ "paddw %%mm5, %%mm4 \n\t" /* uvbuf0[eax+2048] + uvbuf1[eax+2048]*/\
+ "psrlw $8, %%mm3 \n\t" \
+--
+1.7.5.4
+
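Review bot: The inline comments next to the changed loads still read `uvbuf0[eax+2048]` and `uvbuf1[eax+2048]`, a fixed offset, while the index is now advanced by the `UV_OFF_BYTE` field read from the context. Since the bug was a wrong V-plane address, these comments are the first thing a reader would use to check the addressing, and they should name the field, e.g. `/* uvbuf0[index + UV_OFF_BYTE] */`. The same applies at every site touched in libswscale/x86/swscale_template.c. Whether any `UV_OFF_PX` use remains elsewhere in the file cannot be seen from these hunks.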
diff --git a/debian/patches/post-0.8/0007-h264-disallow-constrained-intra-prediction-modes-for.patch b/debian/patches/post-0.8/0007-h264-disallow-constrained-intra-prediction-modes-for.patch
new file mode 100644
index 0000000..9e84f4a
--- /dev/null
+++ b/debian/patches/post-0.8/0007-h264-disallow-constrained-intra-prediction-modes-for.patch
@@ -0,0 +1,125 @@
+From 4c7879775e81ccca8f0f1d2a7b70524ee47b16ca Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Thu, 9 Feb 2012 22:57:01 -0800
+Subject: [PATCH 07/80] h264: disallow constrained intra prediction modes for
+ luma.
+
+Conversion of the luma intra prediction mode to one of the constrained
+("alzheimer") ones can happen by crafting special bitstreams, causing
+a crash because we'll call a NULL function pointer for 16x16 block intra
+prediction, since constrained intra prediction functions are only
+implemented for chroma (8x8 blocks).
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 45b7bd7c53b41bc5ff6fc2158831f2b1b1256113)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/h264.c | 4 ++--
+ libavcodec/h264.h | 2 +-
+ libavcodec/h264_cabac.c | 4 ++--
+ libavcodec/h264_cavlc.c | 4 ++--
+ libavcodec/svq3.c | 4 ++--
+ 5 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/libavcodec/h264.c b/libavcodec/h264.c
+index 581848b..e92acbd 100644
+--- a/libavcodec/h264.c
++++ b/libavcodec/h264.c
+@@ -105,7 +105,7 @@ int ff_h264_check_intra4x4_pred_mode(H264Context *h){
+ * Check if the top & left blocks are available if needed and
+ * change the dc mode so it only uses the available blocks.
+ */
+-int ff_h264_check_intra_pred_mode(H264Context *h, int mode){
++int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma){
+ MpegEncContext * const s = &h->s;
+ static const int8_t top [7]= {LEFT_DC_PRED8x8, 1,-1,-1};
+ static const int8_t left[7]= { TOP_DC_PRED8x8,-1, 2,-1,DC_128_PRED8x8};
+@@ -125,7 +125,7 @@ int ff_h264_check_intra_pred_mode(H264Context *h, int mode){
+
+ if((h->left_samples_available&0x8080) != 0x8080){
+ mode= left[ mode ];
+- if(h->left_samples_available&0x8080){ //mad cow disease mode, aka MBAFF + constrained_intra_pred
++ if(is_chroma && (h->left_samples_available&0x8080)){ //mad cow disease mode, aka MBAFF + constrained_intra_pred
+ mode= ALZHEIMER_DC_L0T_PRED8x8 + (!(h->left_samples_available&0x8000)) + 2*(mode == DC_128_PRED8x8);
+ }
+ if(mode<0){
+diff --git a/libavcodec/h264.h b/libavcodec/h264.h
+index 5025538..8680f5f 100644
+--- a/libavcodec/h264.h
++++ b/libavcodec/h264.h
+@@ -657,7 +657,7 @@ int ff_h264_check_intra4x4_pred_mode(H264Context *h);
+ /**
+ * Check if the top & left blocks are available if needed & change the dc mode so it only uses the available blocks.
+ */
+-int ff_h264_check_intra_pred_mode(H264Context *h, int mode);
++int ff_h264_check_intra_pred_mode(H264Context *h, int mode, int is_chroma);
+
+ void ff_h264_hl_decode_mb(H264Context *h);
+ int ff_h264_frame_start(H264Context *h);
+diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c
+index a49ac6d..75fb02c 100644
+--- a/libavcodec/h264_cabac.c
++++ b/libavcodec/h264_cabac.c
+@@ -2040,14 +2040,14 @@ decode_intra_mb:
+ write_back_intra_pred_mode(h);
+ if( ff_h264_check_intra4x4_pred_mode(h) < 0 ) return -1;
+ } else {
+- h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode( h, h->intra16x16_pred_mode );
++ h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode( h, h->intra16x16_pred_mode, 0 );
+ if( h->intra16x16_pred_mode < 0 ) return -1;
+ }
+ if(decode_chroma){
+ h->chroma_pred_mode_table[mb_xy] =
+ pred_mode = decode_cabac_mb_chroma_pre_mode( h );
+
+- pred_mode= ff_h264_check_intra_pred_mode( h, pred_mode );
++ pred_mode= ff_h264_check_intra_pred_mode( h, pred_mode, 1 );
+ if( pred_mode < 0 ) return -1;
+ h->chroma_pred_mode= pred_mode;
+ } else {
+diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c
+index db74602..da9e1cb 100644
+--- a/libavcodec/h264_cavlc.c
++++ b/libavcodec/h264_cavlc.c
+@@ -822,12 +822,12 @@ decode_intra_mb:
+ if( ff_h264_check_intra4x4_pred_mode(h) < 0)
+ return -1;
+ }else{
+- h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode(h, h->intra16x16_pred_mode);
++ h->intra16x16_pred_mode= ff_h264_check_intra_pred_mode(h, h->intra16x16_pred_mode, 0);
+ if(h->intra16x16_pred_mode < 0)
+ return -1;
+ }
+ if(decode_chroma){
+- pred_mode= ff_h264_check_intra_pred_mode(h, get_ue_golomb_31(&s->gb));
++ pred_mode= ff_h264_check_intra_pred_mode(h, get_ue_golomb_31(&s->gb), 1);
+ if(pred_mode < 0)
+ return -1;
+ h->chroma_pred_mode= pred_mode;
+diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c
+index 3cd95ba..5cc57a7 100644
+--- a/libavcodec/svq3.c
++++ b/libavcodec/svq3.c
+@@ -612,7 +612,7 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type)
+ dir = i_mb_type_info[mb_type - 8].pred_mode;
+ dir = (dir >> 1) ^ 3*(dir & 1) ^ 1;
+
+- if ((h->intra16x16_pred_mode = ff_h264_check_intra_pred_mode(h, dir)) == -1){
++ if ((h->intra16x16_pred_mode = ff_h264_check_intra_pred_mode(h, dir, 0)) == -1){
+ av_log(h->s.avctx, AV_LOG_ERROR, "check_intra_pred_mode = -1\n");
+ return -1;
+ }
+@@ -711,7 +711,7 @@ static int svq3_decode_mb(SVQ3Context *svq3, unsigned int mb_type)
+ s->current_picture.f.mb_type[mb_xy] = mb_type;
+
+ if (IS_INTRA(mb_type)) {
+- h->chroma_pred_mode = ff_h264_check_intra_pred_mode(h, DC_PRED8x8);
++ h->chroma_pred_mode = ff_h264_check_intra_pred_mode(h, DC_PRED8x8, 1);
+ }
+
+ return 0;
+--
+1.7.5.4
+
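Review bot: The doc comments above ff_h264_check_intra_pred_mode() in h264.h and h264.c are unchanged and do not describe the new `is_chroma` argument, even though passing the wrong value is what selects a prediction mode that has no 16x16 implementation. I would add `@param is_chroma non-zero for chroma (8x8) prediction, 0 for luma 16x16; the constrained-intra substitute modes are only returned when it is non-zero`. The call sites pass bare `0`/`1`, so that comment would be the only place the meaning is recorded. Note also that `mode` indexes `top[7]` and `left[7]` and the CAVLC path passes `get_ue_golomb_31()` straight in; the range check presumably sits in the lines between the two h264.c hunks, which are not shown.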
diff --git a/debian/patches/post-0.8/0008-ws_snd1-Fix-wrong-samples-count-and-crash.patch b/debian/patches/post-0.8/0008-ws_snd1-Fix-wrong-samples-count-and-crash.patch
new file mode 100644
index 0000000..ebe7c6b
--- /dev/null
+++ b/debian/patches/post-0.8/0008-ws_snd1-Fix-wrong-samples-count-and-crash.patch
@@ -0,0 +1,34 @@
+From 697a45d861b7cd6a96718383a44f41348487f844 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni at gmx.at>
+Date: Sun, 25 Dec 2011 00:10:27 +0100
+Subject: [PATCH 08/80] ws_snd1: Fix wrong samples count and crash.
+
+Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
+(cherry picked from commit 9fb7a5af97d8c084c3af2566070d09eae0ab49fc)
+
+Addresses CVE-2012-0848
+
+Reviewed-by: Justin Ruggles <justin.ruggles at gmail.com>
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/ws-snd1.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/ws-snd1.c b/libavcodec/ws-snd1.c
+index b2d086e..15eb6f8 100644
+--- a/libavcodec/ws-snd1.c
++++ b/libavcodec/ws-snd1.c
+@@ -112,8 +112,8 @@ static int ws_snd_decode_frame(AVCodecContext *avctx, void *data,
+
+ /* make sure we don't write past the output buffer */
+ switch (code) {
+- case 0: smp = 4; break;
+- case 1: smp = 2; break;
++ case 0: smp = 4*(count+1); break;
++ case 1: smp = 2*(count+1); break;
+ case 2: smp = (count & 0x20) ? 1 : count + 1; break;
+ default: smp = count + 1; break;
+ }
+--
+1.7.5.4
+
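Review bot: The factors `4` and `2` in the `smp` computation in ws_snd_decode_frame() are unexplained, and getting them wrong was the bug; a short comment such as `/* code 0: 2-bit samples, 4 per input byte; code 1: 4-bit samples, 2 per byte; count+1 bytes follow */` would record where they come from (my reading of the format, to be confirmed). The comparison of `smp` against the remaining output space that the existing comment refers to sits after the switch, outside the hunk. It is also not visible whether the `count + 1` input bytes consumed for codes 0 and 1 are checked against the remaining packet size.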
diff --git a/debian/patches/post-0.8/0009-atrac3-Fix-crash-in-tonal-component-decoding.patch b/debian/patches/post-0.8/0009-atrac3-Fix-crash-in-tonal-component-decoding.patch
new file mode 100644
index 0000000..5290b0f
--- /dev/null
+++ b/debian/patches/post-0.8/0009-atrac3-Fix-crash-in-tonal-component-decoding.patch
@@ -0,0 +1,37 @@
+From f43b6e2b1ed47a1254a5d44c700a7fad5e9784be Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni at gmx.at>
+Date: Sat, 17 Dec 2011 03:18:58 +0100
+Subject: [PATCH 09/80] atrac3: Fix crash in tonal component decoding.
+
+Add a check to avoid writing past the end of the channel_unit.components[]
+array.
+
+Bug Found by: cosminamironesei
+Fixes CVE-2012-0853
+CC: libav-stable at libav.org
+
+Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
+Signed-off-by: Justin Ruggles <justin.ruggles at gmail.com>
+(cherry picked from commit c509f4f74713b035a06f79cb4d00e708f5226bc5)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/atrac3.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c
+index 6dec6a3..107c6ff 100644
+--- a/libavcodec/atrac3.c
++++ b/libavcodec/atrac3.c
+@@ -402,6 +402,8 @@ static int decodeTonalComponents (GetBitContext *gb, tonal_component *pComponent
+
+ for (k=0; k<coded_components; k++) {
+ sfIndx = get_bits(gb,6);
++ if (component_count >= 64)
++ return AVERROR_INVALIDDATA;
+ pComponent[component_count].pos = j * 64 + (get_bits(gb,6));
+ max_coded_values = SAMPLES_PER_FRAME - pComponent[component_count].pos;
+ coded_values = coded_values_per_component + 1;
+--
+1.7.5.4
+
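Review bot: The new guard in decodeTonalComponents() hard-codes `64`, while the array it protects is declared elsewhere and reaches this function only as the pointer `pComponent`, so nothing ties the bound to the declaration. A named constant shared with the declaration of `components[]`, or an explicit size argument, would keep the check correct if the array is ever resized. The check also comes after `get_bits(gb,6)` has been read into `sfIndx`; placing it first in the loop body would make the order of validation and parsing easier to follow. The function starts and ends outside the hunk.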
diff --git a/debian/patches/post-0.8/0010-shorten-Use-separate-pointers-for-the-allocated-memo.patch b/debian/patches/post-0.8/0010-shorten-Use-separate-pointers-for-the-allocated-memo.patch
new file mode 100644
index 0000000..9d0df23
--- /dev/null
+++ b/debian/patches/post-0.8/0010-shorten-Use-separate-pointers-for-the-allocated-memo.patch
@@ -0,0 +1,66 @@
+From 6fc3287b9ccece290c5881b92948772bbf72e68c Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michaelni at gmx.at>
+Date: Sun, 25 Dec 2011 12:28:50 +0100
+Subject: [PATCH 10/80] shorten: Use separate pointers for the allocated
+ memory for decoded samples.
+
+Fixes invalid free() if any of the buffers are not allocated due to either
+not decoding a header or an error prior to allocating all buffers.
+
+Fixes CVE-2012-0858
+CC: libav-stable at libav.org
+
+Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
+Signed-off-by: Justin Ruggles <justin.ruggles at gmail.com>
+(cherry picked from commit 204cb29b3c84a74cbcd059d353c70c8bdc567d98)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/shorten.c | 14 ++++++++------
+ 1 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
+index eb67df7..83777fb 100644
+--- a/libavcodec/shorten.c
++++ b/libavcodec/shorten.c
+@@ -86,6 +86,7 @@ typedef struct ShortenContext {
+ int channels;
+
+ int32_t *decoded[MAX_CHANNELS];
++ int32_t *decoded_base[MAX_CHANNELS];
+ int32_t *offset[MAX_CHANNELS];
+ int *coeffs;
+ uint8_t *bitstream;
+@@ -140,13 +141,14 @@ static int allocate_buffers(ShortenContext *s)
+ return AVERROR(ENOMEM);
+ s->offset[chan] = tmp_ptr;
+
+- tmp_ptr = av_realloc(s->decoded[chan], sizeof(int32_t)*(s->blocksize + s->nwrap));
++ tmp_ptr = av_realloc(s->decoded_base[chan], (s->blocksize + s->nwrap) *
++ sizeof(s->decoded_base[0][0]));
+ if (!tmp_ptr)
+ return AVERROR(ENOMEM);
+- s->decoded[chan] = tmp_ptr;
++ s->decoded_base[chan] = tmp_ptr;
+ for (i=0; i<s->nwrap; i++)
+- s->decoded[chan][i] = 0;
+- s->decoded[chan] += s->nwrap;
++ s->decoded_base[chan][i] = 0;
++ s->decoded[chan] = s->decoded_base[chan] + s->nwrap;
+ }
+
+ coeffs = av_realloc(s->coeffs, s->nwrap * sizeof(*s->coeffs));
+@@ -615,8 +617,8 @@ static av_cold int shorten_decode_close(AVCodecContext *avctx)
+ int i;
+
+ for (i = 0; i < s->channels; i++) {
+- s->decoded[i] -= s->nwrap;
+- av_freep(&s->decoded[i]);
++ s->decoded[i] = NULL;
++ av_freep(&s->decoded_base[i]);
+ av_freep(&s->offset[i]);
+ }
+ av_freep(&s->bitstream);
+--
+1.7.5.4
+
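Review bot: The allocation size in allocate_buffers() is still computed as `(s->blocksize + s->nwrap) * sizeof(s->decoded_base[0][0])` with no overflow check, and both values are presumably taken from the stream header. If `blocksize` is not bounded where the header is parsed (outside this hunk), the sum or the product can wrap and yield an undersized buffer that the zero-fill loop and later decoding then overrun. A guard ahead of the av_realloc() call, e.g. `if (s->blocksize + (uint64_t)s->nwrap >= UINT_MAX / sizeof(int32_t)) return AVERROR_INVALIDDATA;`, would close that, or a comment should point to the place where the bound is enforced.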
diff --git a/debian/patches/post-0.8/0011-golomb-avoid-infinite-loop-on-all-zero-input-or-end-.patch b/debian/patches/post-0.8/0011-golomb-avoid-infinite-loop-on-all-zero-input-or-end-.patch
new file mode 100644
index 0000000..ee85a73
--- /dev/null
+++ b/debian/patches/post-0.8/0011-golomb-avoid-infinite-loop-on-all-zero-input-or-end-.patch
@@ -0,0 +1,40 @@
+From e1f2a6a32b86fef0916338e21851c9b4f499f706 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Tue, 14 Feb 2012 11:50:57 -0800
+Subject: [PATCH 11/80] golomb: avoid infinite loop on all-zero input (or end
+ of buffer).
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit c6643fddba73560f26f90d327c84d8832222a720)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/golomb.h | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h
+index 503aa14..e19064c 100644
+--- a/libavcodec/golomb.h
++++ b/libavcodec/golomb.h
+@@ -123,7 +123,7 @@ static inline int svq3_get_ue_golomb(GetBitContext *gb){
+ }else{
+ int ret = 1;
+
+- while (1) {
++ do {
+ buf >>= 32 - 8;
+ LAST_SKIP_BITS(re, gb, FFMIN(ff_interleaved_golomb_vlc_len[buf], 8));
+
+@@ -135,7 +135,7 @@ static inline int svq3_get_ue_golomb(GetBitContext *gb){
+ ret = (ret << 4) | ff_interleaved_dirac_golomb_vlc_code[buf];
+ UPDATE_CACHE(re, gb);
+ buf = GET_CACHE(re, gb);
+- }
++ } while (ret);
+
+ CLOSE_READER(re, gb);
+ return ret - 1;
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0012-get_bits-add-HAVE_BITS_REMAINING-macro.patch b/debian/patches/post-0.8/0012-get_bits-add-HAVE_BITS_REMAINING-macro.patch
new file mode 100644
index 0000000..3ace825
--- /dev/null
+++ b/debian/patches/post-0.8/0012-get_bits-add-HAVE_BITS_REMAINING-macro.patch
@@ -0,0 +1,52 @@
+From 25b4ed053f0e4c48b4b4afdcf84306bbd7752314 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Wed, 22 Feb 2012 12:09:33 -0800
+Subject: [PATCH 12/80] get_bits: add HAVE_BITS_REMAINING macro.
+
+(cherry picked from commit b44b41633f110e9d938165e0f79c9d32191fc135)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/get_bits.h | 15 ++++++++++++++-
+ 1 files changed, 14 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/get_bits.h b/libavcodec/get_bits.h
+index 1668600..ee47441 100644
+--- a/libavcodec/get_bits.h
++++ b/libavcodec/get_bits.h
+@@ -120,10 +120,23 @@ for examples see get_bits, show_bits, skip_bits, get_vlc
+ # define MIN_CACHE_BITS 25
+ #endif
+
++#if UNCHECKED_BITSTREAM_READER
+ #define OPEN_READER(name, gb) \
+ unsigned int name##_index = (gb)->index; \
+ unsigned int av_unused name##_cache = 0
+
++#define HAVE_BITS_REMAINING(name, gb) 1
++#else
++#define OPEN_READER(name, gb) \
++ unsigned int name##_index = (gb)->index; \
++ unsigned int av_unused name##_cache = 0; \
++ unsigned int av_unused name##_size_plus8 = \
++ (gb)->size_in_bits_plus8
++
++#define HAVE_BITS_REMAINING(name, gb) \
++ name##_index < name##_size_plus8
++#endif
++
+ #define CLOSE_READER(name, gb) (gb)->index = name##_index
+
+ #ifdef BITSTREAM_READER_LE
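Review bot: The checked-reader definition `HAVE_BITS_REMAINING(name, gb) name##_index < name##_size_plus8` expands to a bare comparison, so a use such as `!HAVE_BITS_REMAINING(re, gb)` would negate only the index. Wrap the expansion: `(name##_index < name##_size_plus8)`. With UNCHECKED_BITSTREAM_READER the macro is the constant 1, so a loop that uses it as its only exit test is unbounded in that configuration. A comment above the `#if` saying that callers must not rely on it for termination in unchecked builds would make that contract explicit.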
+@@ -156,7 +169,7 @@ for examples see get_bits, show_bits, skip_bits, get_vlc
+ # define SKIP_COUNTER(name, gb, num) name##_index += (num)
+ #else
+ # define SKIP_COUNTER(name, gb, num) \
+- name##_index = FFMIN((gb)->size_in_bits_plus8, name##_index + (num))
++ name##_index = FFMIN(name##_size_plus8, name##_index + (num))
+ #endif
+
+ #define SKIP_BITS(name, gb, num) do { \
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0013-golomb-use-HAVE_BITS_REMAINING-macro-to-prevent-infl.patch b/debian/patches/post-0.8/0013-golomb-use-HAVE_BITS_REMAINING-macro-to-prevent-infl.patch
new file mode 100644
index 0000000..16345eb
--- /dev/null
+++ b/debian/patches/post-0.8/0013-golomb-use-HAVE_BITS_REMAINING-macro-to-prevent-infl.patch
@@ -0,0 +1,31 @@
+From e43bd4fa58b8e72eedad9a1c160b12bf8915d45e Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Fri, 17 Feb 2012 12:54:37 -0800
+Subject: [PATCH 13/80] golomb: use HAVE_BITS_REMAINING() macro to prevent
+ infloop on EOF.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 46b3fbc30b7aaf7fdd52391734cfd6d93af8720a)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/golomb.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h
+index e19064c..0deab87 100644
+--- a/libavcodec/golomb.h
++++ b/libavcodec/golomb.h
+@@ -135,7 +135,7 @@ static inline int svq3_get_ue_golomb(GetBitContext *gb){
+ ret = (ret << 4) | ff_interleaved_dirac_golomb_vlc_code[buf];
+ UPDATE_CACHE(re, gb);
+ buf = GET_CACHE(re, gb);
+- } while (ret);
++ } while (HAVE_BITS_REMAINING(re, gb));
+
+ CLOSE_READER(re, gb);
+ return ret - 1;
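Review bot: `ret = (ret << 4) | ...` runs on every pass with no cap on `ret`, which the previous patch's hunk for this function shows declared as `int ret = 1`. By the eighth pass the shift overflows a signed int, which is undefined behaviour, and on a long run of escape codes that happens well before HAVE_BITS_REMAINING() turns false. Declaring `unsigned ret = 1;` and closing the loop with `} while (ret < 0x8000000U && HAVE_BITS_REMAINING(re, gb));` bounds both the value and the iteration count. In builds with UNCHECKED_BITSTREAM_READER the macro is defined as 1, so there the value bound would be the only guaranteed exit apart from whatever the lines between the two hunks provide.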
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0014-flac-fix-infinite-loops-on-all-zero-input-or-end-of-.patch b/debian/patches/post-0.8/0014-flac-fix-infinite-loops-on-all-zero-input-or-end-of-.patch
new file mode 100644
index 0000000..3fc3c9e
--- /dev/null
+++ b/debian/patches/post-0.8/0014-flac-fix-infinite-loops-on-all-zero-input-or-end-of-.patch
@@ -0,0 +1,53 @@
+From 6dcbbdc0116a50370d66f0f20d74a70d56568382 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Wed, 15 Feb 2012 09:52:11 -0800
+Subject: [PATCH 14/80] flac: fix infinite loops on all-zero input or
+ end-of-stream.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 52e4018be47697a60f4f18f83551766df31f5adf)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/flacdec.c | 9 +++++++++
+ libavcodec/golomb.h | 2 +-
+ 2 files changed, 10 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c
+index 58eb66d..440a55d 100644
+--- a/libavcodec/flacdec.c
++++ b/libavcodec/flacdec.c
+@@ -422,7 +422,16 @@ static inline int decode_subframe(FLACContext *s, int channel)
+ type = get_bits(&s->gb, 6);
+
+ if (get_bits1(&s->gb)) {
++ int left = get_bits_left(&s->gb);
+ wasted = 1;
++ if ( left < 0 ||
++ (left < s->curr_bps && !show_bits_long(&s->gb, left)) ||
++ !show_bits_long(&s->gb, s->curr_bps)) {
++ av_log(s->avctx, AV_LOG_ERROR,
++ "Invalid number of wasted bits > available bits (%d) - left=%d\n",
++ s->curr_bps, left);
++ return AVERROR_INVALIDDATA;
++ }
+ while (!get_bits1(&s->gb))
+ wasted++;
+ s->curr_bps -= wasted;
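Review bot: The guard accepts `left == 0`: `left < 0` is false, and the second clause then calls `show_bits_long(&s->gb, 0)`, a zero-width read whose result should not decide whether the unary loop below is safe. Rejecting the empty case up front with `if (left <= 0 ||` removes that dependency. The loop `while (!get_bits1(&s->gb)) wasted++;` can also leave `s->curr_bps` at 0 after the subtraction, when the terminating 1 is the last of the `curr_bps` bits examined. Whether the rest of decode_subframe(), which continues outside the hunk, copes with zero bits per sample is not visible here.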
+diff --git a/libavcodec/golomb.h b/libavcodec/golomb.h
+index 0deab87..1712540 100644
+--- a/libavcodec/golomb.h
++++ b/libavcodec/golomb.h
+@@ -301,7 +301,7 @@ static inline int get_ur_golomb_jpegls(GetBitContext *gb, int k, int limit, int
+ return buf;
+ }else{
+ int i;
+- for(i=0; SHOW_UBITS(re, gb, 1) == 0; i++){
++ for (i = 0; i < limit && SHOW_UBITS(re, gb, 1) == 0; i++) {
+ LAST_SKIP_BITS(re, gb, 1);
+ UPDATE_CACHE(re, gb);
+ }
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0015-rv20-prevent-calling-ff_h263_decode_mba-with-unset-h.patch b/debian/patches/post-0.8/0015-rv20-prevent-calling-ff_h263_decode_mba-with-unset-h.patch
new file mode 100644
index 0000000..04c18f5
--- /dev/null
+++ b/debian/patches/post-0.8/0015-rv20-prevent-calling-ff_h263_decode_mba-with-unset-h.patch
@@ -0,0 +1,34 @@
+From ba418ad4005a2cc2f18cdfa089d0bcd55225b30e Mon Sep 17 00:00:00 2001
+From: Janne Grunau <janne-libav at jannau.net>
+Date: Tue, 24 Jan 2012 21:50:50 +0100
+Subject: [PATCH 15/80] rv20: prevent calling ff_h263_decode_mba() with unset
+ height/width
+
+Prevents a crash of VLC during playback of a invalid matroska file,
+found by John Villamil <johnv at matasano.com>.
+
+CC: libav-stable at libav.org
+(cherry picked from commit c3e10ae4127c998b809066926a410f40ebd47593)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libavcodec/rv10.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c
+index 1d78c92..ccc0944 100644
+--- a/libavcodec/rv10.c
++++ b/libavcodec/rv10.c
+@@ -362,7 +362,8 @@ static int rv20_decode_picture_header(MpegEncContext *s)
+ if(s->avctx->debug & FF_DEBUG_PICT_INFO){
+ av_log(s->avctx, AV_LOG_DEBUG, "F %d/%d\n", f, rpr_bits);
+ }
+- }
++ } else if (av_image_check_size(s->width, s->height, 0, s->avctx) < 0)
++ return AVERROR_INVALIDDATA;
+
+ mb_pos = ff_h263_decode_mba(s);
+
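Review bot: The new `else if` hangs an unbraced `return` off a braced `if` block, which is easy to misread and easy to break when a second statement is added. Brace it: `} else if (av_image_check_size(s->width, s->height, 0, s->avctx) < 0) {` followed by the return and a closing `}`. A one-line comment such as `/* width/height may still be unset here; ff_h263_decode_mba() must not run on them */` would record why the check sits on this branch. The enclosing `if` starts outside the hunk, so whether the other branch validates its own dimensions cannot be confirmed from here.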
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0016-wma-Clip-WMA1-and-WMA2-frame-length-to-11-bits.patch b/debian/patches/post-0.8/0016-wma-Clip-WMA1-and-WMA2-frame-length-to-11-bits.patch
new file mode 100644
index 0000000..7d09537
--- /dev/null
+++ b/debian/patches/post-0.8/0016-wma-Clip-WMA1-and-WMA2-frame-length-to-11-bits.patch
@@ -0,0 +1,37 @@
+From ad0ee682b3cf663eb319020086f64da11d17dd82 Mon Sep 17 00:00:00 2001
+From: Alex Converse <alex.converse at gmail.com>
+Date: Tue, 24 Jan 2012 18:43:43 -0800
+Subject: [PATCH 16/80] wma: Clip WMA1 and WMA2 frame length to 11 bits.
+
+The MDCT buffers in the decoder are only sized for up to 11 bits. The
+reverse engineered documentation for WMA1/2 headers say that that for
+all samplerates above 32kHz 11 bits are used. 12 and 13 bit support
+were added for WMAPro. I was unable to make any Microsoft tools generate
+a test file at a samplerate above 48kHz.
+
+Discovered by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+
+CC: libav-stable at libav.org
+(cherry picked from commit d78bb1a4b2a3a415b68e4e6dd448779eccec64e3)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libavcodec/wma.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/wma.c b/libavcodec/wma.c
+index 4cdffcd..d82fde7 100644
+--- a/libavcodec/wma.c
++++ b/libavcodec/wma.c
+@@ -85,7 +85,7 @@ int av_cold ff_wma_get_frame_len_bits(int sample_rate, int version,
+ } else if (sample_rate <= 22050 ||
+ (sample_rate <= 32000 && version == 1)) {
+ frame_len_bits = 10;
+- } else if (sample_rate <= 48000) {
++ } else if (sample_rate <= 48000 || version < 3) {
+ frame_len_bits = 11;
+ } else if (sample_rate <= 96000) {
+ frame_len_bits = 12;
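Review bot: `version < 3` in this condition is the only thing keeping WMA1/2 streams with a sample rate above 48 kHz from selecting 12 or 13 bits, and nothing at this line says why. Add a comment above the branch, for example `/* WMA1/2 never exceed 11 bits; the decoder's MDCT buffers are sized for that */`, so a later edit to the rate thresholds does not reopen the oversize case. ff_wma_get_frame_len_bits() starts and ends outside the hunk.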
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0017-aac-fix-infinite-loop-on-end-of-frame-with-sequence-.patch b/debian/patches/post-0.8/0017-aac-fix-infinite-loop-on-end-of-frame-with-sequence-.patch
new file mode 100644
index 0000000..9d1d02f
--- /dev/null
+++ b/debian/patches/post-0.8/0017-aac-fix-infinite-loop-on-end-of-frame-with-sequence-.patch
@@ -0,0 +1,56 @@
+From 683213230e6978302109253a48610a6b069ea43d Mon Sep 17 00:00:00 2001
+From: Alex Converse <alex.converse at gmail.com>
+Date: Wed, 22 Feb 2012 11:05:42 -0800
+Subject: [PATCH 17/80] aac: fix infinite loop on end-of-frame with sequence
+ of 1-bits.
+
+Based-on-work-by: Ronald S. Bultje <rsbultje at gmail.com>
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 1cd9a6154bc1ac1193c703cea980ed21c3e53792)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libavcodec/aacdec.c | 25 +++++++++++++------------
+ 1 files changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
+index ca1a876..2b9b45c 100644
+--- a/libavcodec/aacdec.c
++++ b/libavcodec/aacdec.c
+@@ -807,19 +807,20 @@ static int decode_band_types(AACContext *ac, enum BandType band_type[120],
+ av_log(ac->avctx, AV_LOG_ERROR, "invalid band type\n");
+ return -1;
+ }
+- while ((sect_len_incr = get_bits(gb, bits)) == (1 << bits) - 1)
++ do {
++ sect_len_incr = get_bits(gb, bits);
+ sect_end += sect_len_incr;
+- sect_end += sect_len_incr;
+- if (get_bits_left(gb) < 0) {
+- av_log(ac->avctx, AV_LOG_ERROR, overread_err);
+- return -1;
+- }
+- if (sect_end > ics->max_sfb) {
+- av_log(ac->avctx, AV_LOG_ERROR,
+- "Number of bands (%d) exceeds limit (%d).\n",
+- sect_end, ics->max_sfb);
+- return -1;
+- }
++ if (get_bits_left(gb) < 0) {
++ av_log(ac->avctx, AV_LOG_ERROR, overread_err);
++ return -1;
++ }
++ if (sect_end > ics->max_sfb) {
++ av_log(ac->avctx, AV_LOG_ERROR,
++ "Number of bands (%d) exceeds limit (%d).\n",
++ sect_end, ics->max_sfb);
++ return -1;
++ }
++ } while (sect_len_incr == (1 << bits) - 1);
+ for (; k < sect_end; k++) {
+ band_type [idx] = sect_band_type;
+ band_type_run_end[idx++] = sect_end;
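Review bot: The `do` loop carries no comment explaining that the over-read and `max_sfb` checks must stay inside it, so a later cleanup could hoist them back out and restore the unbounded loop. A comment above `do {` such as `/* validate after every increment: a run of escape values at end of frame must not keep the loop going */` would protect the intent. Separately, `av_log(ac->avctx, AV_LOG_ERROR, overread_err);` passes a variable as the format string. `overread_err` is defined outside the hunk, and `av_log(ac->avctx, AV_LOG_ERROR, "%s", overread_err);` is the safer form if it is ever not a fixed literal.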
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0018-matroskadec-Pad-AAC-extradata.patch b/debian/patches/post-0.8/0018-matroskadec-Pad-AAC-extradata.patch
new file mode 100644
index 0000000..5ac1bd6
--- /dev/null
+++ b/debian/patches/post-0.8/0018-matroskadec-Pad-AAC-extradata.patch
@@ -0,0 +1,31 @@
+From be0b3137d02e2e19bd470f2de888bdeb281b0214 Mon Sep 17 00:00:00 2001
+From: Alex Converse <alex.converse at gmail.com>
+Date: Wed, 25 Jan 2012 14:34:21 -0800
+Subject: [PATCH 18/80] matroskadec: Pad AAC extradata.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+
+CC: libav-stable at libav.org
+(cherry picked from commit d2ee8c17793201ce969afd1f433ba1580c143cd2)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libavformat/matroskadec.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
+index e5fbd43..5b91944 100644
+--- a/libavformat/matroskadec.c
++++ b/libavformat/matroskadec.c
+@@ -1440,7 +1440,7 @@ static int matroska_read_header(AVFormatContext *s, AVFormatParameters *ap)
+ } else if (codec_id == CODEC_ID_AAC && !track->codec_priv.size) {
+ int profile = matroska_aac_profile(track->codec_id);
+ int sri = matroska_aac_sri(track->audio.samplerate);
+- extradata = av_malloc(5);
++ extradata = av_mallocz(5 + FF_INPUT_BUFFER_PADDING_SIZE);
+ if (extradata == NULL)
+ return AVERROR(ENOMEM);
+ extradata[0] = (profile << 3) | ((sri&0x0E) >> 1);
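Review bot: The literal `5` sits inside an allocation expression whose padding term matters for safety, and nothing ties it to the size that is presumably assigned to the extradata length later in this branch. Name the size once (`int len = 5;` then `av_mallocz(len + FF_INPUT_BUFFER_PADDING_SIZE)`) and add a comment like `/* decoders may read up to FF_INPUT_BUFFER_PADDING_SIZE bytes past the extradata size */`. matroska_read_header() continues outside the hunk, and other branches there that build extradata are worth checking for the same padding.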
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0019-matroska-don-t-overwrite-string-values-until-read-al.patch b/debian/patches/post-0.8/0019-matroska-don-t-overwrite-string-values-until-read-al.patch
new file mode 100644
index 0000000..5e21a94
--- /dev/null
+++ b/debian/patches/post-0.8/0019-matroska-don-t-overwrite-string-values-until-read-al.patch
@@ -0,0 +1,54 @@
+From 183e0eb5b9a8780b9879bd78b20ad9156d756a01 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Fri, 24 Feb 2012 16:12:18 -0800
+Subject: [PATCH 19/80] matroska: don't overwrite string values until
+ read/alloc was succesful.
+
+This prevents certain tags with a default value assigned to them (as per
+the EBML syntax elements) from ever being assigned a NULL value. Other
+parts of the code rely on these being non-NULL (i.e. they don't check for
+NULL before e.g. using the string in strcmp() or similar), and thus in
+effect this prevents crashes when reading of such specific tags fails,
+either because of low memory or because of targeted file corruption.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit cd40c31ee9ad2cca6f3635950b002fd46be07e98)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libavformat/matroskadec.c | 13 ++++++++-----
+ 1 files changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
+index 5b91944..1987b50 100644
+--- a/libavformat/matroskadec.c
++++ b/libavformat/matroskadec.c
+@@ -639,16 +639,19 @@ static int ebml_read_float(AVIOContext *pb, int size, double *num)
+ */
+ static int ebml_read_ascii(AVIOContext *pb, int size, char **str)
+ {
+- av_free(*str);
++ char *res;
++
+ /* EBML strings are usually not 0-terminated, so we allocate one
+ * byte more, read the string and NULL-terminate it ourselves. */
+- if (!(*str = av_malloc(size + 1)))
++ if (!(res = av_malloc(size + 1)))
+ return AVERROR(ENOMEM);
+- if (avio_read(pb, (uint8_t *) *str, size) != size) {
+- av_freep(str);
++ if (avio_read(pb, (uint8_t *) res, size) != size) {
++ av_free(res);
+ return AVERROR(EIO);
+ }
+- (*str)[size] = '\0';
++ (res)[size] = '\0';
++ av_free(*str);
++ *str = res;
+
+ return 0;
+ }
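Review bot: `av_malloc(size + 1)` takes `size` as a signed int, presumably the parsed element length, and ebml_read_ascii() itself does not reject a negative value or `INT_MAX` before the addition. Unless every caller already bounds it, add `if (size < 0 || size == INT_MAX) return AVERROR_INVALIDDATA;` at the top of the function. The parentheses in `(res)[size] = '\0';` are a leftover from the `(*str)` form and can go: `res[size] = '\0';`.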
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0020-lavf-prevent-infinite-loops-while-flushing-in-avform.patch b/debian/patches/post-0.8/0020-lavf-prevent-infinite-loops-while-flushing-in-avform.patch
new file mode 100644
index 0000000..80f0a87
--- /dev/null
+++ b/debian/patches/post-0.8/0020-lavf-prevent-infinite-loops-while-flushing-in-avform.patch
@@ -0,0 +1,71 @@
+From d16653c3d437ff7843c111d9fffa3e8c3e186db7 Mon Sep 17 00:00:00 2001
+From: Janne Grunau <janne-libav at jannau.net>
+Date: Wed, 18 Jan 2012 10:59:32 +0100
+Subject: [PATCH 20/80] lavf: prevent infinite loops while flushing in
+ avformat_find_stream_info
+
+If no data was seen for a stream decoder are returning 0 when fed with
+empty packets for flushing. We can stop flushing when the decoder does
+not return delayed delayed frames anymore. Changes try_decode_frame()
+return value to got_picture or negative error.
+
+CC: libav-stable at libav.org
+(cherry picked from commit b3461c29c1aee7d62eeb02a59d46593c60362679)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libavformat/utils.c | 22 ++++++++++++++--------
+ 1 files changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/libavformat/utils.c b/libavformat/utils.c
+index f2d5502..e6b4f40 100644
+--- a/libavformat/utils.c
++++ b/libavformat/utils.c
+@@ -2130,6 +2130,7 @@ static int has_decode_delay_been_guessed(AVStream *st)
+ st->info->nb_decoded_frames >= 6;
+ }
+
++/* returns 1 or 0 if or if not decoded data was returned, or a negative error */
+ static int try_decode_frame(AVStream *st, AVPacket *avpkt, AVDictionary **options)
+ {
+ AVCodec *codec;
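Review bot: The added comment `returns 1 or 0 if or if not decoded data was returned` is hard to parse, and callers now depend on the exact meaning of the return value. Suggested wording: `/* Returns 1 if a frame was decoded, 0 if none was, or a negative error code. */`.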
+@@ -2179,6 +2180,7 @@ static int try_decode_frame(AVStream *st, AVPacket *avpkt, AVDictionary **option
+ st->info->nb_decoded_frames++;
+ pkt.data += ret;
+ pkt.size -= ret;
++ ret = got_picture;
+ }
+ }
+ return ret;
+@@ -2403,16 +2405,20 @@ int avformat_find_stream_info(AVFormatContext *ic, AVDictionary **options)
+ st = ic->streams[i];
+
+ /* flush the decoders */
+- while ((err = try_decode_frame(st, &empty_pkt,
+- (options && i < orig_nb_streams) ?
+- &options[i] : NULL)) >= 0)
+- if (has_codec_parameters(st->codec))
+- break;
+-
+- if (!has_codec_parameters(st->codec)){
++ do {
++ err = try_decode_frame(st, &empty_pkt,
++ (options && i < orig_nb_streams) ?
++ &options[i] : NULL);
++ } while (err > 0 && !has_codec_parameters(st->codec));
++
++ if (err < 0) {
++ av_log(ic, AV_LOG_WARNING,
++ "decoding for stream %d failed\n", st->index);
++ } else if (!has_codec_parameters(st->codec)){
+ char buf[256];
+ avcodec_string(buf, sizeof(buf), st->codec, 0);
+- av_log(ic, AV_LOG_WARNING, "Could not find codec parameters (%s)\n", buf);
++ av_log(ic, AV_LOG_WARNING,
++ "Could not find codec parameters (%s)\n", buf);
+ } else {
+ ret = 0;
+ }
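Review bot: The flush loop `do { ... } while (err > 0 && !has_codec_parameters(st->codec));` has no iteration cap, so it still never ends with a decoder that keeps reporting output for the empty packet without ever filling in the codec parameters. Whether any decoder can do that is outside this hunk, but a small counter makes termination independent of decoder behaviour. For example, declare `int flush_tries = 0;` and close the loop with `} while (err > 0 && !has_codec_parameters(st->codec) && ++flush_tries < MAX_FLUSH_TRIES);`, where MAX_FLUSH_TRIES is a placeholder constant for the maintainers to choose.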
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0021-smacker-Sanity-check-huffman-tables-found-in-the-hea.patch b/debian/patches/post-0.8/0021-smacker-Sanity-check-huffman-tables-found-in-the-hea.patch
new file mode 100644
index 0000000..ab93796
--- /dev/null
+++ b/debian/patches/post-0.8/0021-smacker-Sanity-check-huffman-tables-found-in-the-hea.patch
@@ -0,0 +1,89 @@
+From 04597e25952d399a350062c1824587c230cdd5b4 Mon Sep 17 00:00:00 2001
+From: Alex Converse <alex.converse at gmail.com>
+Date: Wed, 25 Jan 2012 16:12:42 -0800
+Subject: [PATCH 21/80] smacker: Sanity check huffman tables found in the
+ headers.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+
+CC: libav-stable at libav.org
+(cherry picked from commit 9adf25c1cf78dbf1d71bf386c49dc74cb8a60df0)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libavcodec/smacker.c | 22 +++++++++++++---------
+ 1 files changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
+index 0c7c405..4714fa0 100644
+--- a/libavcodec/smacker.c
++++ b/libavcodec/smacker.c
+@@ -128,12 +128,12 @@ static int smacker_decode_tree(GetBitContext *gb, HuffContext *hc, uint32_t pref
+ */
+ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx)
+ {
++ if (hc->current + 1 >= hc->length) {
++ av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n");
++ return -1;
++ }
+ if(!get_bits1(gb)){ //Leaf
+ int val, i1, i2, b1, b2;
+- if(hc->current >= hc->length){
+- av_log(NULL, AV_LOG_ERROR, "Tree size exceeded!\n");
+- return -1;
+- }
+ b1 = get_bits_count(gb);
+ i1 = ctx->v1->table ? get_vlc2(gb, ctx->v1->table, SMKTREE_BITS, 3) : 0;
+ b1 = get_bits_count(gb) - b1;
+@@ -157,7 +157,7 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx
+ hc->values[hc->current++] = val;
+ return 1;
+ } else { //Node
+- int r = 0, t;
++ int r = 0, r_new, t;
+
+ t = hc->current++;
+ r = smacker_decode_bigtree(gb, hc, ctx);
+@@ -165,8 +165,10 @@ static int smacker_decode_bigtree(GetBitContext *gb, HuffContext *hc, DBCtx *ctx
+ return r;
+ hc->values[t] = SMK_NODE | r;
+ r++;
+- r += smacker_decode_bigtree(gb, hc, ctx);
+- return r;
++ r_new = smacker_decode_bigtree(gb, hc, ctx);
++ if (r_new < 0)
++ return r_new;
++ return r + r_new;
+ }
+ }
+
+@@ -181,6 +183,7 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int
+ VLC vlc[2];
+ int escapes[3];
+ DBCtx ctx;
++ int err = 0;
+
+ if(size >= UINT_MAX>>4){ // (((size + 3) >> 2) + 3) << 2 must not overflow
+ av_log(smk->avctx, AV_LOG_ERROR, "size too large\n");
+@@ -254,7 +257,8 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int
+ huff.current = 0;
+ huff.values = av_mallocz(huff.length * sizeof(int));
+
+- smacker_decode_bigtree(gb, &huff, &ctx);
++ if (smacker_decode_bigtree(gb, &huff, &ctx) < 0)
++ err = -1;
+ skip_bits1(gb);
+ if(ctx.last[0] == -1) ctx.last[0] = huff.current++;
+ if(ctx.last[1] == -1) ctx.last[1] = huff.current++;
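Review bot: After `smacker_decode_bigtree()` fails, the function only records `err = -1` and carries on: the context lines below still run `huff.current++` to fill `ctx.last[]`, with no comparison against `huff.length`. If those indices are later used to address `huff.values` (not visible in this hunk), a truncated or overfull tree can leave them out of range. Checking `huff.current > huff.length` after the assignments and setting the error there would close that. The `av_mallocz()` result assigned to `huff.values` just above is also used without a NULL check.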
+@@ -273,7 +277,7 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int
+ av_free(tmp2.lengths);
+ av_free(tmp2.values);
+
+- return 0;
++ return err;
+ }
+
+ static int decode_header_trees(SmackVContext *smk) {
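Review bot: `return err;` only helps if callers look at it, and this patch changes no call site: the 13 insertions and 9 deletions in its diffstat are all accounted for inside the two tree functions. Please confirm that decode_header_trees(), which begins on the last line of this hunk, checks the return value of smacker_decode_header_tree() and fails initialisation on a negative result. Using `AVERROR_INVALIDDATA` instead of the bare `-1` would match the other fixes in this series.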
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0022-vc1-prevent-null-pointer-dereference-on-broken-files.patch b/debian/patches/post-0.8/0022-vc1-prevent-null-pointer-dereference-on-broken-files.patch
new file mode 100644
index 0000000..c7b78ea
--- /dev/null
+++ b/debian/patches/post-0.8/0022-vc1-prevent-null-pointer-dereference-on-broken-files.patch
@@ -0,0 +1,29 @@
+From d19e3e19d67b50cb5614ead2e0f125678e1c257d Mon Sep 17 00:00:00 2001
+From: Janne Grunau <janne-libav at jannau.net>
+Date: Wed, 25 Jan 2012 15:49:54 +0100
+Subject: [PATCH 22/80] vc1: prevent null pointer dereference on broken files
+
+CC: libav-stable at libav.org
+(cherry picked from commit 510ef04a461b3b54a762c6141ad880cbed85981f)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libavcodec/vc1dec.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c
+index fa95273..0425a87 100644
+--- a/libavcodec/vc1dec.c
++++ b/libavcodec/vc1dec.c
+@@ -5708,7 +5708,7 @@ static int vc1_decode_frame(AVCodecContext *avctx, void *data,
+ if (!v->field_mode || v->second_field)
+ s->end_mb_y = (i == n_slices ) ? mb_height : FFMIN(mb_height, slices[i].mby_start % mb_height);
+ else
+- s->end_mb_y = (i == n_slices1 + 1) ? mb_height : FFMIN(mb_height, slices[i].mby_start % mb_height);
++ s->end_mb_y = (i <= n_slices1 + 1) ? mb_height : FFMIN(mb_height, slices[i].mby_start % mb_height);
+ vc1_decode_blocks(v);
+ if (i != n_slices)
+ s->gb = slices[i].gb;
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0023-tta-error-out-if-samplerate-is-zero.patch b/debian/patches/post-0.8/0023-tta-error-out-if-samplerate-is-zero.patch
new file mode 100644
index 0000000..0444a23
--- /dev/null
+++ b/debian/patches/post-0.8/0023-tta-error-out-if-samplerate-is-zero.patch
@@ -0,0 +1,33 @@
+From 7046ae55932f8fae83269871847cea9fd84c23f5 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Fri, 10 Feb 2012 10:51:43 -0800
+Subject: [PATCH 23/80] tta: error out if samplerate is zero.
+
+Prevents a division by zero later on.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 7416d610362807848236ceff1bc6740dbc82842d)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libavcodec/tta.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/tta.c b/libavcodec/tta.c
+index 4656ce1..c8daff2 100644
+--- a/libavcodec/tta.c
++++ b/libavcodec/tta.c
+@@ -224,6 +224,9 @@ static av_cold int tta_decode_init(AVCodecContext * avctx)
+ if (s->channels == 0) {
+ av_log(s->avctx, AV_LOG_ERROR, "Invalid number of channels\n");
+ return AVERROR_INVALIDDATA;
++ } else if (avctx->sample_rate == 0) {
++ av_log(s->avctx, AV_LOG_ERROR, "Invalid samplerate\n");
++ return AVERROR_INVALIDDATA;
+ }
+
+ switch(s->bps) {
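Review bot: The new test rejects only `avctx->sample_rate == 0`, but `sample_rate` is a signed int in AVCodecContext, so a header value with the top bit set could arrive here negative and pass. Use `} else if (avctx->sample_rate <= 0) {` so later arithmetic on the rate never sees a non-positive value. How the field is read from the stream is outside this hunk, so treat the negative case as something to confirm.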
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0024-swscale-enforce-a-minimum-filtersize.patch b/debian/patches/post-0.8/0024-swscale-enforce-a-minimum-filtersize.patch
new file mode 100644
index 0000000..4e33d9b
--- /dev/null
+++ b/debian/patches/post-0.8/0024-swscale-enforce-a-minimum-filtersize.patch
@@ -0,0 +1,36 @@
+From b68470707bf2e010136c6debd25051afdf198466 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Sat, 11 Feb 2012 08:42:28 -0800
+Subject: [PATCH 24/80] swscale: enforce a minimum filtersize.
+
+At very small dimensions, this calculation could lead to zero-sized
+filters, which leads to uninitialized output, zero-sized allocations,
+loop overflows in SIMD that uses do{..}while(i++<filtersize); instead
+of for(i=0;i<filtersize;i++){..} and several other similar failures.
+Therefore, require a minimum filtersize of 1.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit dae2ce361a2b5fd9be1d43e5e8c00bdbc5f03e3d)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libswscale/utils.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/libswscale/utils.c b/libswscale/utils.c
+index b49f924..9d72196 100644
+--- a/libswscale/utils.c
++++ b/libswscale/utils.c
+@@ -263,7 +263,7 @@ static int initFilter(int16_t **outFilter, int16_t **filterPos, int *outFilterSi
+ if (xInc <= 1<<16) filterSize= 1 + sizeFactor; // upscale
+ else filterSize= 1 + (sizeFactor*srcW + dstW - 1)/ dstW;
+
+- if (filterSize > srcW-2) filterSize=srcW-2;
++ filterSize = av_clip(filterSize, 1, srcW - 2);
+
+ FF_ALLOC_OR_GOTO(NULL, filter, dstW*sizeof(*filter)*filterSize, fail);
+
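Review bot: `av_clip(filterSize, 1, srcW - 2)` is called with a maximum below the minimum whenever `srcW` is less than 3, and then the result is not guaranteed to be at least 1. With the usual min-then-max comparison order it returns `srcW - 2`, which is zero or negative. Tiny sources are exactly the case the commit message targets, so apply the upper bound first and the floor last: `filterSize = FFMAX(FFMIN(filterSize, srcW - 2), 1);`. initFilter() continues outside the hunk.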
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0025-swscale-fix-overflows-in-filterPos-calculation-for-l.patch b/debian/patches/post-0.8/0025-swscale-fix-overflows-in-filterPos-calculation-for-l.patch
new file mode 100644
index 0000000..5c4d108
--- /dev/null
+++ b/debian/patches/post-0.8/0025-swscale-fix-overflows-in-filterPos-calculation-for-l.patch
@@ -0,0 +1,64 @@
+From cd9bdc639588067732b53bb47a01f7b9b902b9ef Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Wed, 22 Feb 2012 16:46:31 -0800
+Subject: [PATCH 25/80] swscale: fix overflows in filterPos[] calculation for
+ large sizes.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 19a65b5be47944c607a9e979edb098924d95f2e4)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libswscale/utils.c | 14 +++++++-------
+ 1 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/libswscale/utils.c b/libswscale/utils.c
+index 9d72196..2d7029e 100644
+--- a/libswscale/utils.c
++++ b/libswscale/utils.c
+@@ -244,7 +244,7 @@ static int initFilter(int16_t **outFilter, int16_t **filterPos, int *outFilterSi
+ xDstInSrc+= xInc;
+ }
+ } else {
+- int xDstInSrc;
++ int64_t xDstInSrc;
+ int sizeFactor;
+
+ if (flags&SWS_BICUBIC) sizeFactor= 4;
+@@ -809,8 +809,8 @@ int sws_init_context(SwsContext *c, SwsFilter *srcFilter, SwsFilter *dstFilter)
+ if (!dstFilter) dstFilter= &dummyFilter;
+ if (!srcFilter) srcFilter= &dummyFilter;
+
+- c->lumXInc= ((srcW<<16) + (dstW>>1))/dstW;
+- c->lumYInc= ((srcH<<16) + (dstH>>1))/dstH;
++ c->lumXInc= (((int64_t)srcW<<16) + (dstW>>1))/dstW;
++ c->lumYInc= (((int64_t)srcH<<16) + (dstH>>1))/dstH;
+ c->dstFormatBpp = av_get_bits_per_pixel(&av_pix_fmt_descriptors[dstFormat]);
+ c->srcFormatBpp = av_get_bits_per_pixel(&av_pix_fmt_descriptors[srcFormat]);
+ c->vRounder= 4* 0x0001000100010001ULL;
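Review bot: The 64-bit quotient is narrowed again when it is stored in `c->lumXInc` / `c->lumYInc`. If those fields are plain `int` (their declaration is not in this hunk), a large enough `srcW/dstW` or `srcH/dstH` ratio still truncates on assignment even though the `(int64_t)` cast makes the shift itself safe. Either range-check the 64-bit value before storing it or reject such ratios earlier in sws_init_context(). The same applies to the `chrXInc`/`chrYInc` lines in the next hunk.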
+@@ -896,8 +896,8 @@ int sws_init_context(SwsContext *c, SwsFilter *srcFilter, SwsFilter *dstFilter)
+ else
+ c->canMMX2BeUsed=0;
+
+- c->chrXInc= ((c->chrSrcW<<16) + (c->chrDstW>>1))/c->chrDstW;
+- c->chrYInc= ((c->chrSrcH<<16) + (c->chrDstH>>1))/c->chrDstH;
++ c->chrXInc= (((int64_t)c->chrSrcW<<16) + (c->chrDstW>>1))/c->chrDstW;
++ c->chrYInc= (((int64_t)c->chrSrcH<<16) + (c->chrDstH>>1))/c->chrDstH;
+
+ // match pixel 0 of the src to pixel 0 of dst and match pixel n-2 of src to pixel n-2 of dst
+ // but only for the FAST_BILINEAR mode otherwise do correct scaling
+@@ -912,8 +912,8 @@ int sws_init_context(SwsContext *c, SwsFilter *srcFilter, SwsFilter *dstFilter)
+ }
+ //we don't use the x86 asm scaler if MMX is available
+ else if (HAVE_MMX && cpu_flags & AV_CPU_FLAG_MMX) {
+- c->lumXInc = ((srcW-2)<<16)/(dstW-2) - 20;
+- c->chrXInc = ((c->chrSrcW-2)<<16)/(c->chrDstW-2) - 20;
++ c->lumXInc = ((int64_t)(srcW-2)<<16)/(dstW-2) - 20;
++ c->chrXInc = ((int64_t)(c->chrSrcW-2)<<16)/(c->chrDstW-2) - 20;
+ }
+ }
+
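Review bot: `((int64_t)(srcW-2)<<16)/(dstW-2)` divides by zero when `dstW` is 2, and the same holds for `c->chrDstW` on the next line; the cast fixes the shift but not the divisor. Unless a size check earlier in sws_init_context() (outside this hunk) already excludes such widths on this path, guard the two assignments, e.g. `if (dstW > 2 && c->chrDstW > 2) {` … `}`. Left-shifting a negative `srcW-2` is also undefined, so the guard should cover source widths below 2 as well.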
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0026-swscale-take-first-lastline-over-underflows-into-acc.patch b/debian/patches/post-0.8/0026-swscale-take-first-lastline-over-underflows-into-acc.patch
new file mode 100644
index 0000000..ebe9aee
--- /dev/null
+++ b/debian/patches/post-0.8/0026-swscale-take-first-lastline-over-underflows-into-acc.patch
@@ -0,0 +1,69 @@
+From 0c60d5c59fe05de80fc45e097c61b6f5487431de Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Wed, 22 Feb 2012 16:48:38 -0800
+Subject: [PATCH 26/80] swscale: take first/lastline over/underflows into
+ account for MMX.
+
+Fixes crashes for extremely large resizes (several 100-fold).
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 1d8c4af396b6ed84c84b5ebf0bf1163c4a7a3017)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libswscale/x86/swscale_mmx.c | 38 ++++++++++++++++++++++++++++++++++++++
+ 1 files changed, 38 insertions(+), 0 deletions(-)
+
+diff --git a/libswscale/x86/swscale_mmx.c b/libswscale/x86/swscale_mmx.c
+index 867a9f1..0853e12 100644
+--- a/libswscale/x86/swscale_mmx.c
++++ b/libswscale/x86/swscale_mmx.c
+@@ -132,6 +132,44 @@ void updateMMXDitherTables(SwsContext *c, int dstY, int lumBufIndex, int chrBufI
+ const int16_t **chrUSrcPtr= (const int16_t **) chrUPixBuf + chrBufIndex + firstChrSrcY - lastInChrBuf + vChrBufSize;
+ const int16_t **alpSrcPtr= (CONFIG_SWSCALE_ALPHA && alpPixBuf) ? (const int16_t **) alpPixBuf + lumBufIndex + firstLumSrcY - lastInLumBuf + vLumBufSize : NULL;
+ int i;
++
++ if (firstLumSrcY < 0 || firstLumSrcY + vLumFilterSize > c->srcH) {
++ const int16_t **tmpY = (const int16_t **) lumPixBuf + 2 * vLumBufSize;
++ int neg = -firstLumSrcY, i, end = FFMIN(c->srcH - firstLumSrcY, vLumFilterSize);
++ for (i = 0; i < neg; i++)
++ tmpY[i] = lumSrcPtr[neg];
++ for ( ; i < end; i++)
++ tmpY[i] = lumSrcPtr[i];
++ for ( ; i < vLumFilterSize; i++)
++ tmpY[i] = tmpY[i-1];
++ lumSrcPtr = tmpY;
++
++ if (alpSrcPtr) {
++ const int16_t **tmpA = (const int16_t **) alpPixBuf + 2 * vLumBufSize;
++ for (i = 0; i < neg; i++)
++ tmpA[i] = alpSrcPtr[neg];
++ for ( ; i < end; i++)
++ tmpA[i] = alpSrcPtr[i];
++ for ( ; i < vLumFilterSize; i++)
++ tmpA[i] = tmpA[i - 1];
++ alpSrcPtr = tmpA;
++ }
++ }
++ if (firstChrSrcY < 0 || firstChrSrcY + vChrFilterSize > c->chrSrcH) {
++ const int16_t **tmpU = (const int16_t **) chrUPixBuf + 2 * vChrBufSize;
++ int neg = -firstChrSrcY, i, end = FFMIN(c->chrSrcH - firstChrSrcY, vChrFilterSize);
++ for (i = 0; i < neg; i++) {
++ tmpU[i] = chrUSrcPtr[neg];
++ }
++ for ( ; i < end; i++) {
++ tmpU[i] = chrUSrcPtr[i];
++ }
++ for ( ; i < vChrFilterSize; i++) {
++ tmpU[i] = tmpU[i - 1];
++ }
++ chrUSrcPtr = tmpU;
++ }
++
+ if (flags & SWS_ACCURATE_RND) {
+ int s= APCK_SIZE / 8;
+ for (i=0; i<vLumFilterSize; i+=2) {
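Review bot: The fill loops take their bounds from `firstLumSrcY` / `firstChrSrcY` without clamping. The first loop runs to `neg` without comparing it to `vLumFilterSize`, and when neither `neg` nor `end` is positive the third loop starts at `i == 0` and reads `tmpY[i-1]`. Whether those values can occur depends on code outside this hunk, so either clamp `neg` to the filter size and handle `end <= 0` explicitly, or document the range the caller guarantees. The scratch rows at `lumPixBuf + 2 * vLumBufSize` (and the alpha and chroma equivalents) also assume the allocations leave room for a full filter's worth of pointers past that offset, which this patch does not show; a comment naming that requirement next to `tmpY` would help. The block-scope `int ... i` shadows the function's `i`, and the three near-identical loop triplets would be clearer as one static helper.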
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0027-vc1-prevent-using-last_frame-as-a-reference-for-I-P-.patch b/debian/patches/post-0.8/0027-vc1-prevent-using-last_frame-as-a-reference-for-I-P-.patch
new file mode 100644
index 0000000..7a07464
--- /dev/null
+++ b/debian/patches/post-0.8/0027-vc1-prevent-using-last_frame-as-a-reference-for-I-P-.patch
@@ -0,0 +1,54 @@
+From 5bcd47cf63cb719e1c650d08cdfb7f4ede351367 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Tue, 14 Feb 2012 12:40:19 -0800
+Subject: [PATCH 27/80] vc1: prevent using last_frame as a reference for I/P
+ first frame.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit ae591aeea58d64399b8281be31dacec0de85ae04)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libavcodec/vc1dec.c | 11 +++++++++--
+ 1 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c
+index 0425a87..3869d92 100644
+--- a/libavcodec/vc1dec.c
++++ b/libavcodec/vc1dec.c
+@@ -478,7 +478,10 @@ static void vc1_mc_1mv(VC1Context *v, int dir)
+ int dxy, mx, my, uvmx, uvmy, src_x, src_y, uvsrc_x, uvsrc_y;
+ int off, off_uv;
+ int v_edge_pos = s->v_edge_pos >> v->field_mode;
+- if (!v->field_mode && !v->s.last_picture.f.data[0])
++
++ if ((!v->field_mode ||
++ (v->ref_field_type[dir] == 1 && v->cur_field_type == 1)) &&
++ !v->s.last_picture.f.data[0])
+ return;
+
+ mx = s->mv[dir][0][0];
+@@ -690,7 +693,9 @@ static void vc1_mc_4mv_luma(VC1Context *v, int n, int dir)
+ int fieldmv = (v->fcm == ILACE_FRAME) ? v->blk_mv_type[s->block_index[n]] : 0;
+ int v_edge_pos = s->v_edge_pos >> v->field_mode;
+
+- if (!v->field_mode && !v->s.last_picture.f.data[0])
++ if ((!v->field_mode ||
++ (v->ref_field_type[dir] == 1 && v->cur_field_type == 1)) &&
++ !v->s.last_picture.f.data[0])
+ return;
+
+ mx = s->mv[dir][n][0];
+@@ -946,6 +951,8 @@ static void vc1_mc_4mv_chroma(VC1Context *v, int dir)
+ if (dominant)
+ chroma_ref_type = !v->cur_field_type;
+ }
++ if (v->field_mode && chroma_ref_type == 1 && v->cur_field_type == 1 && !v->s.last_picture.f.data[0])
++ return;
+ s->current_picture.f.motion_val[1][s->block_index[0] + v->blocks_off][0] = tx;
+ s->current_picture.f.motion_val[1][s->block_index[0] + v->blocks_off][1] = ty;
+ uvmx = (tx + ((tx & 3) == 3)) >> 1;
+--
+1.7.5.4
+
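Review bot: In vc1_mc_4mv_chroma the new early return sits before the two stores to `s->current_picture.f.motion_val[1][s->block_index[0] + v->blocks_off]`, so on that path the chroma motion vector for this block is never written. If anything later reads that entry (not visible in the hunk), it sees whatever was there before; moving the guard below the two stores would avoid that. The three-part condition added to vc1_mc_1mv and vc1_mc_4mv_luma is written out twice and has no comment; a small static helper with a one-line explanation of the `ref_field_type[dir] == 1 && cur_field_type == 1` case would keep the copies from drifting. All three functions continue outside their hunks.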
diff --git a/debian/patches/post-0.8/0028-cook-prevent-div-by-zero-if-channels-is-zero.patch b/debian/patches/post-0.8/0028-cook-prevent-div-by-zero-if-channels-is-zero.patch
new file mode 100644
index 0000000..e2c6cb6
--- /dev/null
+++ b/debian/patches/post-0.8/0028-cook-prevent-div-by-zero-if-channels-is-zero.patch
@@ -0,0 +1,32 @@
+From cfd7d166e2ae68302329c059afa7c4778a70e9b5 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Fri, 17 Feb 2012 12:10:33 -0800
+Subject: [PATCH 28/80] cook: prevent div-by-zero if channels is zero.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 941fc1ea1ed7f7d99a8b9e2607b41f2f2820394a)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libavcodec/cook.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/cook.c b/libavcodec/cook.c
+index d2ed819..dc4c2ab 100644
+--- a/libavcodec/cook.c
++++ b/libavcodec/cook.c
+@@ -1078,6 +1078,10 @@ static av_cold int cook_decode_init(AVCodecContext *avctx)
+ q->sample_rate = avctx->sample_rate;
+ q->nb_channels = avctx->channels;
+ q->bit_rate = avctx->bit_rate;
++ if (!q->nb_channels) {
++ av_log(avctx, AV_LOG_ERROR, "Invalid number of channels\n");
++ return AVERROR_INVALIDDATA;
++ }
+
+ /* Initialize RNG. */
+ av_lfg_init(&q->random_state, 0);
+--
+1.7.5.4
+
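Review bot: The new guard in cook_decode_init rejects only a channel count of exactly zero. If `nb_channels` is a signed int (its declaration is outside the hunk), a negative `avctx->channels` still passes and reaches the code this check is meant to protect. `if (q->nb_channels <= 0) {` covers both cases with the same message and return value. The function continues outside the hunk.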
diff --git a/debian/patches/post-0.8/0029-als-prevent-infinite-loop-in-zero_remaining.patch b/debian/patches/post-0.8/0029-als-prevent-infinite-loop-in-zero_remaining.patch
new file mode 100644
index 0000000..1968a6d
--- /dev/null
+++ b/debian/patches/post-0.8/0029-als-prevent-infinite-loop-in-zero_remaining.patch
@@ -0,0 +1,30 @@
+From 5ab9294a8db5b3a796871e403b1a779a413a494c Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Fri, 17 Feb 2012 12:28:26 -0800
+Subject: [PATCH 29/80] als: prevent infinite loop in zero_remaining().
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit af468015d972c0dec5c8c37b2685ffa5cbe4ae87)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libavcodec/alsdec.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
+index dc4961c..26496bf 100644
+--- a/libavcodec/alsdec.c
++++ b/libavcodec/alsdec.c
+@@ -1011,7 +1011,7 @@ static void zero_remaining(unsigned int b, unsigned int b_max,
+ {
+ unsigned int count = 0;
+
+- while (b < b_max)
++ for (; b < b_max; b++)
+ count += div_blocks[b];
+
+ if (count)
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0030-huffyuv-error-out-on-bit-overrun.patch b/debian/patches/post-0.8/0030-huffyuv-error-out-on-bit-overrun.patch
new file mode 100644
index 0000000..8eb1ecb
--- /dev/null
+++ b/debian/patches/post-0.8/0030-huffyuv-error-out-on-bit-overrun.patch
@@ -0,0 +1,33 @@
+From 27558bd87e7e67b83ddefb9176f1729c2291c7a0 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Fri, 17 Feb 2012 15:00:47 -0800
+Subject: [PATCH 30/80] huffyuv: error out on bit overrun.
+
+On EOF, get_bits() will continuously return 0, causing an infinite
+loop.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 84c202cc37024bd78261e4222e46631ea73c48dd)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libavcodec/huffyuv.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c
+index 57b5f32..efa87de 100644
+--- a/libavcodec/huffyuv.c
++++ b/libavcodec/huffyuv.c
+@@ -184,7 +184,7 @@ static int read_len_table(uint8_t *dst, GetBitContext *gb){
+ if(repeat==0)
+ repeat= get_bits(gb, 8);
+ //printf("%d %d\n", val, repeat);
+- if(i+repeat > 256) {
++ if(i+repeat > 256 || get_bits_left(gb) < 0) {
+ av_log(NULL, AV_LOG_ERROR, "Error reading huffman table\n");
+ return -1;
+ }
+--
+1.7.5.4
+
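Review bot: The added `get_bits_left(gb) < 0` test in read_len_table carries no comment, and why it ends the loop is explained only in the commit message. A line above the condition would keep it from looking redundant: `/* past the end get_bits() returns 0, so repeat stays 0 and i never advances */`. The shared "Error reading huffman table" message also no longer tells a truncated input apart from an oversized repeat count, which makes fuzzing reports harder to triage. The function continues outside the hunk.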
diff --git a/debian/patches/post-0.8/0031-mp3on4-require-a-minimum-framesize.patch b/debian/patches/post-0.8/0031-mp3on4-require-a-minimum-framesize.patch
new file mode 100644
index 0000000..7f74ef7
--- /dev/null
+++ b/debian/patches/post-0.8/0031-mp3on4-require-a-minimum-framesize.patch
@@ -0,0 +1,36 @@
+From 95a9d44dc3121a93c68087dddd7b9b49d34bf930 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Fri, 17 Feb 2012 15:20:27 -0800
+Subject: [PATCH 31/80] mp3on4: require a minimum framesize.
+
+If bufsize < headersize, init_get_bits() will be called with a negative
+number, causing it to fail and any subsequent call to get_bits() will
+crash because it reads from a NULL pointer.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 3e13005cac6e076053276b515f5fcf59a3f4b65d)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libavcodec/mpegaudiodec.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c
+index a83b162..860c0c3 100644
+--- a/libavcodec/mpegaudiodec.c
++++ b/libavcodec/mpegaudiodec.c
+@@ -1921,6 +1921,10 @@ static int decode_frame_mp3on4(AVCodecContext *avctx, void *data,
+ m = s->mp3decctx[fr];
+ assert(m != NULL);
+
++ if (fsize < HEADER_SIZE) {
++ av_log(avctx, AV_LOG_ERROR, "Frame size smaller than header size\n");
++ return AVERROR_INVALIDDATA;
++ }
+ header = (AV_RB32(buf) & 0x000fffff) | s->syncword; // patch header
+
+ if (ff_mpa_check_header(header) < 0) // Bad header, discard block
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0032-aiff-don-t-skip-block_align-0-check-on-COMM-after-SS.patch b/debian/patches/post-0.8/0032-aiff-don-t-skip-block_align-0-check-on-COMM-after-SS.patch
new file mode 100644
index 0000000..975842d
--- /dev/null
+++ b/debian/patches/post-0.8/0032-aiff-don-t-skip-block_align-0-check-on-COMM-after-SS.patch
@@ -0,0 +1,39 @@
+From 5c365dc9792a6a91637498e2ee1fdcb90c9c7640 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Fri, 17 Feb 2012 15:51:27 -0800
+Subject: [PATCH 32/80] aiff: don't skip block_align==0 check on
+ COMM-after-SSND files.
+
+This prevents SIGFPEs when using block_align for divisions.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 32a659c758bf2ddd8ad48f18c06fa77444341286)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libavformat/aiffdec.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libavformat/aiffdec.c b/libavformat/aiffdec.c
+index 0e69d02..88e1e68 100644
+--- a/libavformat/aiffdec.c
++++ b/libavformat/aiffdec.c
+@@ -264,12 +264,12 @@ static int aiff_read_header(AVFormatContext *s,
+ }
+ }
+
++got_sound:
+ if (!st->codec->block_align) {
+- av_log(s, AV_LOG_ERROR, "could not find COMM tag\n");
++ av_log(s, AV_LOG_ERROR, "could not find COMM tag or invalid block_align value\n");
+ return -1;
+ }
+
+-got_sound:
+ /* Now positioned, get the sound data start and end */
+ avpriv_set_pts_info(st, 64, 1, st->codec->sample_rate);
+ st->start_time = 0;
+--
+1.7.5.4
+
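Review bot: With `got_sound:` moved up, the COMM-after-SSND path now gets the block_align check, but `st->codec->sample_rate` is still passed unchecked to `avpriv_set_pts_info(st, 64, 1, st->codec->sample_rate)` two lines later. Whether a zero or negative rate is harmful depends on that helper and on later users of the time base, neither of which is shown. If it does matter, the same guard can cover it: `if (!st->codec->block_align || st->codec->sample_rate <= 0) {`. aiff_read_header continues outside the hunk.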
diff --git a/debian/patches/post-0.8/0033-asf-prevent-packet_size_left-from-going-negative-if-.patch b/debian/patches/post-0.8/0033-asf-prevent-packet_size_left-from-going-negative-if-.patch
new file mode 100644
index 0000000..5dca8c5
--- /dev/null
+++ b/debian/patches/post-0.8/0033-asf-prevent-packet_size_left-from-going-negative-if-.patch
@@ -0,0 +1,39 @@
+From f947e965beb858b67ab6e49f9e24e8d12d9b5a7d Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Fri, 17 Feb 2012 12:21:18 -0800
+Subject: [PATCH 33/80] asf: prevent packet_size_left from going negative if
+ hdrlen > pktlen.
+
+This prevents failed assertions further down in the packet processing
+where we require non-negative values for packet_size_left.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 41afac7f7a67c634c86b1d17fc930e9183d4aaa0)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libavformat/asfdec.c | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
+index 91d285e..eb93f14 100644
+--- a/libavformat/asfdec.c
++++ b/libavformat/asfdec.c
+@@ -789,6 +789,13 @@ static int ff_asf_get_packet(AVFormatContext *s, AVIOContext *pb)
+ asf->packet_segments = 1;
+ asf->packet_segsizetype = 0x80;
+ }
++ if (rsize > packet_length - padsize) {
++ asf->packet_size_left = 0;
++ av_log(s, AV_LOG_ERROR,
++ "invalid packet header length %d for pktlen %d-%d at %"PRId64"\n",
++ rsize, packet_length, padsize, avio_tell(pb));
++ return -1;
++ }
+ asf->packet_size_left = packet_length - padsize - rsize;
+ if (packet_length < asf->hdr.min_pktsize)
+ padsize += asf->hdr.min_pktsize - packet_length;
+--
+1.7.5.4
+
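Review bot: The new guard in ff_asf_get_packet computes `packet_length - padsize` before anything has checked that padsize is not the larger of the two. If both are unsigned (their declarations are outside the hunk, and the `%d` conversions in the log line would then also be mismatched), the subtraction wraps to a large value, the comparison with rsize passes, and `packet_size_left` can still end up negative. Checking the operands first avoids relying on the types: `if (padsize > packet_length || rsize > packet_length - padsize) {`. The function continues outside the hunk.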
diff --git a/debian/patches/post-0.8/0034-mjpegb-don-t-return-0-at-the-end-of-frame-decoding.patch b/debian/patches/post-0.8/0034-mjpegb-don-t-return-0-at-the-end-of-frame-decoding.patch
new file mode 100644
index 0000000..ad11022
--- /dev/null
+++ b/debian/patches/post-0.8/0034-mjpegb-don-t-return-0-at-the-end-of-frame-decoding.patch
@@ -0,0 +1,43 @@
+From bba43a1ea07392f14c508aeff2ee13a4cfc425b5 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Fri, 17 Feb 2012 16:27:36 -0800
+Subject: [PATCH 34/80] mjpegb: don't return 0 at the end of frame decoding.
+
+Return 0 indicates "please return the same data again", i.e. it causes
+an infinite loop. Instead, return that we consumed the buffer if we
+finished decoding succesfully, or return an error if an error occurred.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 74699ac8c8b562e9f8d26e21482b89585365774a)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libavcodec/mjpegbdec.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/mjpegbdec.c b/libavcodec/mjpegbdec.c
+index 4ad17ab..9f71f50 100644
+--- a/libavcodec/mjpegbdec.c
++++ b/libavcodec/mjpegbdec.c
+@@ -66,7 +66,7 @@ read_header:
+ if (get_bits_long(&hgb, 32) != MKBETAG('m','j','p','g'))
+ {
+ av_log(avctx, AV_LOG_WARNING, "not mjpeg-b (bad fourcc)\n");
+- return 0;
++ return AVERROR_INVALIDDATA;
+ }
+
+ field_size = get_bits_long(&hgb, 32); /* field size */
+@@ -146,7 +146,7 @@ read_header:
+ picture->quality*= FF_QP2LAMBDA;
+ }
+
+- return buf_ptr - buf;
++ return buf_size;
+ }
+
+ AVCodec ff_mjpegb_decoder = {
+--
+1.7.5.4
+
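Review bot: The bad-fourcc branch now returns AVERROR_INVALIDDATA but still logs at AV_LOG_WARNING, so the log level understates a failure that aborts the frame; `av_log(avctx, AV_LOG_ERROR, "not mjpeg-b (bad fourcc)\n");` would match the return value. The final `return buf_size;` deserves a one-line comment saying the whole packet is reported as consumed on purpose, for example `/* always consume the full packet; returning 0 makes the caller resubmit it */`. Both hunks sit inside a function whose start is outside the hunk.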
diff --git a/debian/patches/post-0.8/0035-wma-don-t-return-0-on-invalid-packets.patch b/debian/patches/post-0.8/0035-wma-don-t-return-0-on-invalid-packets.patch
new file mode 100644
index 0000000..c6eea37
--- /dev/null
+++ b/debian/patches/post-0.8/0035-wma-don-t-return-0-on-invalid-packets.patch
@@ -0,0 +1,39 @@
+From fe710f2074a711b5b07b76fe9ecf11b4068b32ef Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Fri, 17 Feb 2012 16:57:00 -0800
+Subject: [PATCH 35/80] wma: don't return 0 on invalid packets.
+
+Return 0 means "please return the same data again", i.e. it causes an
+infinite loop. Instead, return an error.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 9d3050d3e95e307ebc34a943484c7add838d1220)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libavcodec/wmadec.c | 8 ++++++--
+ 1 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c
+index 5600f9b..afc0658 100644
+--- a/libavcodec/wmadec.c
++++ b/libavcodec/wmadec.c
+@@ -817,8 +817,12 @@ static int wma_decode_superframe(AVCodecContext *avctx, void *data,
+ s->last_superframe_len = 0;
+ return 0;
+ }
+- if (buf_size < s->block_align)
+- return 0;
++ if (buf_size < s->block_align) {
++ av_log(avctx, AV_LOG_ERROR,
++ "Input packet size too small (%d < %d)\n",
++ buf_size, s->block_align);
++ return AVERROR_INVALIDDATA;
++ }
+ buf_size = s->block_align;
+
+ init_get_bits(&s->gb, buf, buf_size*8);
+--
+1.7.5.4
+
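Review bot: The branch immediately above the changed lines in wma_decode_superframe still ends in `s->last_superframe_len = 0; return 0;`, the same return value this patch removes for short packets. Its condition is outside the hunk, so it may be the legitimate empty-packet case. If so, a comment there would make the difference explicit, e.g. `/* empty packet: nothing to consume, not an error */`. The function continues outside the hunk.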
diff --git a/debian/patches/post-0.8/0036-vc1parse-call-vc1_init_common.patch b/debian/patches/post-0.8/0036-vc1parse-call-vc1_init_common.patch
new file mode 100644
index 0000000..c3a1b03
--- /dev/null
+++ b/debian/patches/post-0.8/0036-vc1parse-call-vc1_init_common.patch
@@ -0,0 +1,72 @@
+From 8011a29fa8875aa4de54199bdfcd4e5331d532dd Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Fri, 17 Feb 2012 14:18:22 -0800
+Subject: [PATCH 36/80] vc1parse: call vc1_init_common().
+
+The parser uses VLC tables initialized in vc1_common_init(), therefore
+we should call this function on parser init also.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit c742ab4e81bb9dcabfdab006d6b8b09a5808c4ce)
+
+Conflicts:
+
+ libavcodec/vc1.h
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libavcodec/vc1.h | 1 +
+ libavcodec/vc1_parser.c | 2 +-
+ libavcodec/vc1dec.c | 4 ++--
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/libavcodec/vc1.h b/libavcodec/vc1.h
+index 6096077..5ce0cb5 100644
+--- a/libavcodec/vc1.h
++++ b/libavcodec/vc1.h
+@@ -447,5 +447,6 @@ int vc1_decode_entry_point(AVCodecContext *avctx, VC1Context *v, GetBitContext *
+
+ int vc1_parse_frame_header (VC1Context *v, GetBitContext *gb);
+ int vc1_parse_frame_header_adv(VC1Context *v, GetBitContext *gb);
++int ff_vc1_init_common(VC1Context *v);
+
+ #endif /* AVCODEC_VC1_H */
+diff --git a/libavcodec/vc1_parser.c b/libavcodec/vc1_parser.c
+index 0cc5ea0..cdea0d7 100644
+--- a/libavcodec/vc1_parser.c
++++ b/libavcodec/vc1_parser.c
+@@ -188,7 +188,7 @@ static int vc1_parse_init(AVCodecParserContext *s)
+ {
+ VC1ParseContext *vpc = s->priv_data;
+ vpc->v.s.slice_context_count = 1;
+- return 0;
++ return ff_vc1_init_common(&vpc->v);
+ }
+
+ AVCodecParser ff_vc1_parser = {
+diff --git a/libavcodec/vc1dec.c b/libavcodec/vc1dec.c
+index 3869d92..3e84464 100644
+--- a/libavcodec/vc1dec.c
++++ b/libavcodec/vc1dec.c
+@@ -67,7 +67,7 @@ static const int offset_table2[9] = { 0, 1, 3, 7, 15, 31, 63, 127, 255 };
+ * @param v The VC1Context to initialize
+ * @return Status
+ */
+-static int vc1_init_common(VC1Context *v)
++int ff_vc1_init_common(VC1Context *v)
+ {
+ static int done = 0;
+ int i = 0;
+@@ -5273,7 +5273,7 @@ static av_cold int vc1_decode_init(AVCodecContext *avctx)
+ avctx->idct_algo = FF_IDCT_WMV2;
+ }
+
+- if (vc1_init_common(v) < 0)
++ if (ff_vc1_init_common(v) < 0)
+ return -1;
+ ff_vc1dsp_init(&v->vc1dsp);
+
+--
+1.7.5.4
+
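Review bot: `ff_vc1_init_common` keeps its unsynchronised `static int done = 0;` guard, and after this change it is reachable from vc1_parse_init as well as vc1_decode_init. If a parser and a decoder can be initialised from different threads (not determinable from the hunk), two callers could both observe `done == 0` and fill the shared tables at the same time. At minimum the new prototype in vc1.h should state the expectation, for example `/* initialises shared static tables; callers must not run this concurrently */`. The function body continues outside the hunk.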
diff --git a/debian/patches/post-0.8/0037-avplay-fix-threads-option.patch b/debian/patches/post-0.8/0037-avplay-fix-threads-option.patch
new file mode 100644
index 0000000..04691da
--- /dev/null
+++ b/debian/patches/post-0.8/0037-avplay-fix-threads-option.patch
@@ -0,0 +1,64 @@
+From 62beae313a4f91e8ff4e8dc0b2ec78baaa804b32 Mon Sep 17 00:00:00 2001
+From: Janne Grunau <janne-libav at jannau.net>
+Date: Tue, 21 Feb 2012 16:34:08 +0100
+Subject: [PATCH 37/80] avplay: fix -threads option
+
+The AVOptions based default to threads auto in 2473a45c8
+works only if avplay does not use custom option handling
+for -threads.
+
+CC: <libav-stable at libav.org>
+(cherry picked from commit e48a70e6da02cd5426b6340af70410bdfe27dfa7)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ avplay.c | 12 ------------
+ 1 files changed, 0 insertions(+), 12 deletions(-)
+
+diff --git a/avplay.c b/avplay.c
+index 432afc1..57fb864 100644
+--- a/avplay.c
++++ b/avplay.c
+@@ -242,7 +242,6 @@ static int64_t duration = AV_NOPTS_VALUE;
+ static int debug = 0;
+ static int debug_mv = 0;
+ static int step = 0;
+-static int thread_count = 1;
+ static int workaround_bugs = 1;
+ static int fast = 0;
+ static int genpts = 0;
+@@ -2189,7 +2188,6 @@ static int stream_component_open(VideoState *is, int stream_index)
+ avctx->skip_loop_filter = skip_loop_filter;
+ avctx->error_recognition = error_recognition;
+ avctx->error_concealment = error_concealment;
+- avctx->thread_count = thread_count;
+
+ if (lowres) avctx->flags |= CODEC_FLAG_EMU_EDGE;
+ if (fast) avctx->flags2 |= CODEC_FLAG2_FAST;
+@@ -2954,15 +2952,6 @@ static int opt_vismv(const char *opt, const char *arg)
+ return 0;
+ }
+
+-static int opt_thread_count(const char *opt, const char *arg)
+-{
+- thread_count = parse_number_or_die(opt, arg, OPT_INT64, 0, INT_MAX);
+-#if !HAVE_THREADS
+- fprintf(stderr, "Warning: not compiled with thread support, using thread emulation\n");
+-#endif
+- return 0;
+-}
+-
+ static const OptionDef options[] = {
+ #include "cmdutils_common_opts.h"
+ { "x", HAS_ARG, { (void*)opt_width }, "force displayed width", "width" },
+@@ -2995,7 +2984,6 @@ static const OptionDef options[] = {
+ { "er", OPT_INT | HAS_ARG | OPT_EXPERT, { (void*)&error_recognition }, "set error detection threshold (0-4)", "threshold" },
+ { "ec", OPT_INT | HAS_ARG | OPT_EXPERT, { (void*)&error_concealment }, "set error concealment options", "bit_mask" },
+ { "sync", HAS_ARG | OPT_EXPERT, { (void*)opt_sync }, "set audio-video sync. type (type=audio/video/ext)", "type" },
+- { "threads", HAS_ARG | OPT_EXPERT, { (void*)opt_thread_count }, "thread count", "count" },
+ { "autoexit", OPT_BOOL | OPT_EXPERT, { (void*)&autoexit }, "exit at the end", "" },
+ { "exitonkeydown", OPT_BOOL | OPT_EXPERT, { (void*)&exit_on_keydown }, "exit on key down", "" },
+ { "exitonmousedown", OPT_BOOL | OPT_EXPERT, { (void*)&exit_on_mousedown }, "exit on mouse down", "" },
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0038-rmdec-when-using-INT4-deinterleaving-error-out-if-su.patch b/debian/patches/post-0.8/0038-rmdec-when-using-INT4-deinterleaving-error-out-if-su.patch
new file mode 100644
index 0000000..449cc58
--- /dev/null
+++ b/debian/patches/post-0.8/0038-rmdec-when-using-INT4-deinterleaving-error-out-if-su.patch
@@ -0,0 +1,34 @@
+From 0312969b9ea7fa7027bca665bfded88690c4caa0 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Tue, 21 Feb 2012 10:36:27 -0800
+Subject: [PATCH 38/80] rmdec: when using INT4 deinterleaving, error out if
+ sub_packet_h <= 1.
+
+We read sub_packet_h / 2 packets per line of data (during deinterleaving),
+which equals zero if sub_packet_h <= 1, thus causing us to not read any
+data, leading to an infinite loop.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit e30b3e59a4f3004337cb1623b2aac988ce52b93f)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libavformat/rmdec.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
+index 75e4833..3d92253 100644
+--- a/libavformat/rmdec.c
++++ b/libavformat/rmdec.c
+@@ -265,6 +265,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb,
+ switch (ast->deint_id) {
+ case DEINT_ID_INT4:
+ if (ast->coded_framesize > ast->audio_framesize ||
++ sub_packet_h <= 1 ||
+ ast->coded_framesize * sub_packet_h > (2 + (sub_packet_h & 1)) * ast->audio_framesize)
+ return AVERROR_INVALIDDATA;
+ break;
+--
+1.7.5.4
+
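Review bot: The added `sub_packet_h <= 1 ||` clause in rm_read_audio_stream_info has no explanation in the code; the reason is given only in the commit message. A comment above the condition would keep it from being dropped as redundant: `/* sub_packet_h / 2 packets are read per line; <= 1 would read none and never finish */`. The product `ast->coded_framesize * sub_packet_h` on the following line is computed without an overflow check; whether that can matter depends on the field types and earlier range checks, which are outside the hunk.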
diff --git a/debian/patches/post-0.8/0039-truemotion2-error-out-if-the-huffman-tree-has-no-nod.patch b/debian/patches/post-0.8/0039-truemotion2-error-out-if-the-huffman-tree-has-no-nod.patch
new file mode 100644
index 0000000..2becd0d
--- /dev/null
+++ b/debian/patches/post-0.8/0039-truemotion2-error-out-if-the-huffman-tree-has-no-nod.patch
@@ -0,0 +1,34 @@
+From 8e3dc37bc01950915dcdab473fc2694fc3670a54 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Wed, 22 Feb 2012 12:19:52 -0800
+Subject: [PATCH 39/80] truemotion2: error out if the huffman tree has no
+ nodes.
+
+This prevents crashers and errors further down when reading nodes in the
+empty tree.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 2b83e8b7005d531bc78b0fd4f699e9faa54ce9bb)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libavcodec/truemotion2.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/truemotion2.c b/libavcodec/truemotion2.c
+index 4045342..29d2e4d 100644
+--- a/libavcodec/truemotion2.c
++++ b/libavcodec/truemotion2.c
+@@ -132,7 +132,7 @@ static int tm2_build_huff_table(TM2Context *ctx, TM2Codes *code)
+ huff.val_bits, huff.max_bits);
+ return -1;
+ }
+- if((huff.nodes < 0) || (huff.nodes > 0x10000)) {
++ if((huff.nodes <= 0) || (huff.nodes > 0x10000)) {
+ av_log(ctx->avctx, AV_LOG_ERROR, "Incorrect number of Huffman tree nodes: %i\n", huff.nodes);
+ return -1;
+ }
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0040-swf-check-return-values-for-av_get-new_packet.patch b/debian/patches/post-0.8/0040-swf-check-return-values-for-av_get-new_packet.patch
new file mode 100644
index 0000000..f9ac52f
--- /dev/null
+++ b/debian/patches/post-0.8/0040-swf-check-return-values-for-av_get-new_packet.patch
@@ -0,0 +1,66 @@
+From 4f48417fe768a2d0d1852489463530a9a889fe76 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Thu, 23 Feb 2012 11:53:27 -0800
+Subject: [PATCH 40/80] swf: check return values for av_get/new_packet().
+
+Prevents crashers when using the packet if allocation failed.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 31632e73f47d25e2077fce729571259ee6354854)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libavformat/swfdec.c | 14 +++++++++-----
+ 1 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/libavformat/swfdec.c b/libavformat/swfdec.c
+index 1fc301b..6966176 100644
+--- a/libavformat/swfdec.c
++++ b/libavformat/swfdec.c
+@@ -84,7 +84,7 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt)
+ SWFContext *swf = s->priv_data;
+ AVIOContext *pb = s->pb;
+ AVStream *vst = NULL, *ast = NULL, *st = 0;
+- int tag, len, i, frame, v;
++ int tag, len, i, frame, v, res;
+
+ for(;;) {
+ uint64_t pos = avio_tell(pb);
+@@ -150,7 +150,8 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt)
+ st = s->streams[i];
+ if (st->codec->codec_type == AVMEDIA_TYPE_VIDEO && st->id == ch_id) {
+ frame = avio_rl16(pb);
+- av_get_packet(pb, pkt, len-2);
++ if ((res = av_get_packet(pb, pkt, len-2)) < 0)
++ return res;
+ pkt->pos = pos;
+ pkt->pts = frame;
+ pkt->stream_index = st->index;
+@@ -163,9 +164,11 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt)
+ if (st->codec->codec_type == AVMEDIA_TYPE_AUDIO && st->id == -1) {
+ if (st->codec->codec_id == CODEC_ID_MP3) {
+ avio_skip(pb, 4);
+- av_get_packet(pb, pkt, len-4);
++ if ((res = av_get_packet(pb, pkt, len-4)) < 0)
++ return res;
+ } else { // ADPCM, PCM
+- av_get_packet(pb, pkt, len);
++ if ((res = av_get_packet(pb, pkt, len)) < 0)
++ return res;
+ }
+ pkt->pos = pos;
+ pkt->stream_index = st->index;
+@@ -190,7 +193,8 @@ static int swf_read_packet(AVFormatContext *s, AVPacket *pkt)
+ st = vst;
+ }
+ avio_rl16(pb); /* BITMAP_ID */
+- av_new_packet(pkt, len-2);
++ if ((res = av_new_packet(pkt, len-2)) < 0)
++ return res;
+ avio_read(pb, pkt->data, 4);
+ if (AV_RB32(pkt->data) == 0xffd8ffd9 ||
+ AV_RB32(pkt->data) == 0xffd9ffd8) {
+--
+1.7.5.4
+
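Review bot: In the last hunk of swf_read_packet, `av_new_packet(pkt, len-2)` is followed unconditionally by `avio_read(pb, pkt->data, 4)` and `AV_RB32(pkt->data)`, with no lower bound on `len`. For a tag with `len` below 6 the packet is shorter than the 4 bytes written into it (packet padding may absorb this, but that is not visible here), and the result of avio_read is not checked, so the AV_RB32 comparison can run on bytes that were never read. A guard before the allocation, such as `if (len < 6) return AVERROR_INVALIDDATA;` (or skipping the tag), plus a check that avio_read returned 4, would close both. The `len-2` and `len-4` arguments in the earlier hunks likewise rely on av_get_packet rejecting a negative size.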
diff --git a/debian/patches/post-0.8/0041-tiff-Prevent-overreads-in-the-type_sizes-array.patch b/debian/patches/post-0.8/0041-tiff-Prevent-overreads-in-the-type_sizes-array.patch
new file mode 100644
index 0000000..801a421
--- /dev/null
+++ b/debian/patches/post-0.8/0041-tiff-Prevent-overreads-in-the-type_sizes-array.patch
@@ -0,0 +1,50 @@
+From 424b6edd1944cf02261109edb5913417cf8e5dfb Mon Sep 17 00:00:00 2001
+From: Alex Converse <alex.converse at gmail.com>
+Date: Thu, 23 Feb 2012 10:47:50 -0800
+Subject: [PATCH 41/80] tiff: Prevent overreads in the type_sizes array.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 447363870f2f91e125e07ac2d0820359a5d86b06)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libavcodec/tiff.c | 15 +++++++++++----
+ 1 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/libavcodec/tiff.c b/libavcodec/tiff.c
+index a88d0f9..6810f81 100644
+--- a/libavcodec/tiff.c
++++ b/libavcodec/tiff.c
+@@ -289,6 +289,11 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
+ count = tget_long(&buf, s->le);
+ off = tget_long(&buf, s->le);
+
++ if (type == 0 || type >= FF_ARRAY_ELEMS(type_sizes)) {
++ av_log(s->avctx, AV_LOG_DEBUG, "Unknown tiff type (%u) encountered\n", type);
++ return 0;
++ }
++
+ if(count == 1){
+ switch(type){
+ case TIFF_BYTE:
+@@ -310,10 +315,12 @@ static int tiff_decode_tag(TiffContext *s, const uint8_t *start, const uint8_t *
+ value = -1;
+ buf = start + off;
+ }
+- }else if(type_sizes[type] * count <= 4){
+- buf -= 4;
+- }else{
+- buf = start + off;
++ } else {
++ if (count <= 4 && type_sizes[type] * count <= 4) {
++ buf -= 4;
++ } else {
++ buf = start + off;
++ }
+ }
+
+ if(buf && (buf < start || buf > end_buf)){
+--
+1.7.5.4
+
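Review bot: The new `count <= 4` clause in tiff_decode_tag bounds count from above only. If count is a signed int (its declaration is outside the hunk), a value that `tget_long` yields as negative satisfies both `count <= 4` and `type_sizes[type] * count <= 4` and takes the inline-value `buf -= 4` path. Rejecting it next to the new type check, e.g. `if (count < 0) return AVERROR_INVALIDDATA;`, would keep later users of count from seeing a negative length. The unknown-type branch returns 0 (success) at AV_LOG_DEBUG; a short comment that unknown types are skipped deliberately would help.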
diff --git a/debian/patches/post-0.8/0042-mjpeg-abort-decoding-if-packet-is-too-large.patch b/debian/patches/post-0.8/0042-mjpeg-abort-decoding-if-packet-is-too-large.patch
new file mode 100644
index 0000000..66c845b
--- /dev/null
+++ b/debian/patches/post-0.8/0042-mjpeg-abort-decoding-if-packet-is-too-large.patch
@@ -0,0 +1,32 @@
+From bf6d1a1ca792e4207e5d9b71c5020befb2296ae3 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Thu, 23 Feb 2012 12:22:40 -0800
+Subject: [PATCH 42/80] mjpeg: abort decoding if packet is too large.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit ab492ca2ab105aeb24d955f3f03756bdb3139ee1)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libavcodec/mjpegdec.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
+index 2ae502d..49d334b 100644
+--- a/libavcodec/mjpegdec.c
++++ b/libavcodec/mjpegdec.c
+@@ -1466,6 +1466,10 @@ int ff_mjpeg_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
+ /* EOF */
+ if (start_code < 0) {
+ goto the_end;
++ } else if (unescaped_buf_size > (1U<<29)) {
++ av_log(avctx, AV_LOG_ERROR, "MJPEG packet 0x%x too big (0x%x/0x%x), corrupt data?\n",
++ start_code, unescaped_buf_ptr, buf_size);
++ return AVERROR_INVALIDDATA;
+ } else {
+ av_log(avctx, AV_LOG_DEBUG, "marker=%x avail_size_in_buf=%td\n",
+ start_code, buf_end - buf_ptr);
+--
+1.7.5.4
+
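Review bot: The new error message in ff_mjpeg_decode_frame passes `unescaped_buf_ptr` for the second `0x%x` conversion. By its name that is the buffer pointer (its declaration is outside the hunk), and passing a pointer where `%x` expects an unsigned int is undefined behaviour and would also put an address into the log. The condition just above tests `unescaped_buf_size`, which is presumably what was meant: `start_code, unescaped_buf_size, buf_size);`.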
diff --git a/debian/patches/post-0.8/0043-lcl-error-out-if-uncompressed-input-buffer-is-smalle.patch b/debian/patches/post-0.8/0043-lcl-error-out-if-uncompressed-input-buffer-is-smalle.patch
new file mode 100644
index 0000000..2ec19a3
--- /dev/null
+++ b/debian/patches/post-0.8/0043-lcl-error-out-if-uncompressed-input-buffer-is-smalle.patch
@@ -0,0 +1,56 @@
+From 19f4943d12968a6dfb7c2915da191489dc614b87 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Thu, 23 Feb 2012 16:09:36 -0800
+Subject: [PATCH 43/80] lcl: error out if uncompressed input buffer is smaller
+ than framesize.
+
+This prevents crashes when trying to read beyond the end of the buffer
+while decoding frame data.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit be129271eac04f91393bf42a490ec631e1a9abea)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libavcodec/lcldec.c | 23 ++++++++++++++++++++++-
+ 1 files changed, 22 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c
+index b66a3ce..5b18418 100644
+--- a/libavcodec/lcldec.c
++++ b/libavcodec/lcldec.c
+@@ -223,8 +223,29 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
+ len = mszh_dlen;
+ }
+ break;
+- case COMP_MSZH_NOCOMP:
++ case COMP_MSZH_NOCOMP: {
++ int bppx2;
++ switch (c->imgtype) {
++ case IMGTYPE_YUV111:
++ case IMGTYPE_RGB24:
++ bppx2 = 6;
++ break;
++ case IMGTYPE_YUV422:
++ case IMGTYPE_YUV211:
++ bppx2 = 4;
++ break;
++ case IMGTYPE_YUV411:
++ case IMGTYPE_YUV420:
++ bppx2 = 3;
++ break;
++ default:
++ bppx2 = 0; // will error out below
++ break;
++ }
++ if (len < ((width * height * bppx2) >> 1))
++ return AVERROR_INVALIDDATA;
+ break;
++ }
+ default:
+ av_log(avctx, AV_LOG_ERROR, "BUG! Unknown MSZH compression in frame decoder.\n");
+ return -1;
+--
+1.7.5.4
+
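Review bot: In the new COMP_MSZH_NOCOMP case the `default:` branch sets `bppx2 = 0` with the comment "will error out below", but with bppx2 at 0 the added check becomes `len < 0`, which rejects nothing for a non-negative len. The error therefore has to come from code after this hunk, which is not shown; returning `AVERROR_INVALIDDATA` directly from the default branch would make the case self-contained. Separately, `width * height * bppx2` is evaluated before the shift, so if these are plain ints the product can overflow for large dimensions unless they are bounded earlier; `(int64_t)width * height * bppx2` avoids depending on that. decode_frame continues outside the hunk.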
diff --git a/debian/patches/post-0.8/0044-kgv1-use-avctx-get-release_buffer.patch b/debian/patches/post-0.8/0044-kgv1-use-avctx-get-release_buffer.patch
new file mode 100644
index 0000000..51c6b5e
--- /dev/null
+++ b/debian/patches/post-0.8/0044-kgv1-use-avctx-get-release_buffer.patch
@@ -0,0 +1,164 @@
+From e537dc230b2e123be8aebdaeee5a7d7787328b0b Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Thu, 29 Dec 2011 09:07:32 -0800
+Subject: [PATCH 44/80] kgv1: use avctx->get/release_buffer().
+
+Also fixes crashes on corrupt bitstreams.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 33cd32b389864f2437c94e6fd7dc109ff5f0ed06)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libavcodec/kgv1dec.c | 64 ++++++++++++++++++++++++++++++-------------------
+ 1 files changed, 39 insertions(+), 25 deletions(-)
+
+diff --git a/libavcodec/kgv1dec.c b/libavcodec/kgv1dec.c
+index 2d6fa73..4526bf9 100644
+--- a/libavcodec/kgv1dec.c
++++ b/libavcodec/kgv1dec.c
+@@ -30,10 +30,17 @@
+
+ typedef struct {
+ AVCodecContext *avctx;
+- AVFrame pic;
+- uint16_t *prev, *cur;
++ AVFrame prev, cur;
+ } KgvContext;
+
++static void decode_flush(AVCodecContext *avctx)
++{
++ KgvContext * const c = avctx->priv_data;
++
++ if (c->prev.data[0])
++ avctx->release_buffer(avctx, &c->prev);
++}
++
+ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPacket *avpkt)
+ {
+ const uint8_t *buf = avpkt->data;
+@@ -42,7 +49,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
+ int offsets[7];
+ uint16_t *out, *prev;
+ int outcnt = 0, maxcnt;
+- int w, h, i;
++ int w, h, i, res;
+
+ if (avpkt->size < 2)
+ return -1;
+@@ -59,15 +66,15 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
+
+ maxcnt = w * h;
+
+- out = av_realloc(c->cur, w * h * 2);
+- if (!out)
+- return -1;
+- c->cur = out;
+-
+- prev = av_realloc(c->prev, w * h * 2);
+- if (!prev)
+- return -1;
+- c->prev = prev;
++ c->cur.reference = 3;
++ if ((res = avctx->get_buffer(avctx, &c->cur)) < 0)
++ return res;
++ out = (uint16_t *) c->cur.data[0];
++ if (c->prev.data[0]) {
++ prev = (uint16_t *) c->prev.data[0];
++ } else {
++ prev = NULL;
++ }
+
+ for (i = 0; i < 7; i++)
+ offsets[i] = -1;
+@@ -80,6 +87,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
+ out[outcnt++] = code; // rgb555 pixel coded directly
+ } else {
+ int count;
++ int inp_off;
+ uint16_t *inp;
+
+ if ((code & 0x6000) == 0x6000) {
+@@ -101,7 +109,14 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
+ if (maxcnt - start < count)
+ break;
+
+- inp = prev + start;
++ if (!prev) {
++ av_log(avctx, AV_LOG_ERROR,
++ "Frame reference does not exist\n");
++ break;
++ }
++
++ inp = prev;
++ inp_off = start;
+ } else {
+ // copy from earlier in this frame
+ int offset = (code & 0x1FFF) + 1;
+@@ -119,27 +134,28 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
+ if (outcnt < offset)
+ break;
+
+- inp = out + outcnt - offset;
++ inp = out;
++ inp_off = outcnt - offset;
+ }
+
+ if (maxcnt - outcnt < count)
+ break;
+
+- for (i = 0; i < count; i++)
++ for (i = inp_off; i < count + inp_off; i++) {
+ out[outcnt++] = inp[i];
++ }
+ }
+ }
+
+ if (outcnt - maxcnt)
+ av_log(avctx, AV_LOG_DEBUG, "frame finished with %d diff\n", outcnt - maxcnt);
+
+- c->pic.data[0] = (uint8_t *)c->cur;
+- c->pic.linesize[0] = w * 2;
+-
+ *data_size = sizeof(AVFrame);
+- *(AVFrame*)data = c->pic;
++ *(AVFrame*)data = c->cur;
+
+- FFSWAP(uint16_t *, c->cur, c->prev);
++ if (c->prev.data[0])
++ avctx->release_buffer(avctx, &c->prev);
++ FFSWAP(AVFrame, c->cur, c->prev);
+
+ return avpkt->size;
+ }
+@@ -150,17 +166,14 @@ static av_cold int decode_init(AVCodecContext *avctx)
+
+ c->avctx = avctx;
+ avctx->pix_fmt = PIX_FMT_RGB555;
++ avctx->flags |= CODEC_FLAG_EMU_EDGE;
+
+ return 0;
+ }
+
+ static av_cold int decode_end(AVCodecContext *avctx)
+ {
+- KgvContext * const c = avctx->priv_data;
+-
+- av_freep(&c->cur);
+- av_freep(&c->prev);
+-
++ decode_flush(avctx);
+ return 0;
+ }
+
+@@ -172,5 +185,6 @@ AVCodec ff_kgv1_decoder = {
+ .init = decode_init,
+ .close = decode_end,
+ .decode = decode_frame,
++ .flush = decode_flush,
+ .long_name = NULL_IF_CONFIG_SMALL("Kega Game Video"),
+ };
+--
+1.7.5.4
+
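Review bot: decode_frame still fills `out` as one contiguous run of `w * h` 16-bit pixels (`maxcnt = w * h`, `out[outcnt++] = ...`), but the buffer now comes from `avctx->get_buffer()` and the removed `c->pic.linesize[0] = w * 2` no longer describes its layout. If the allocator returns a `linesize[0]` larger than `w * 2`, the rows handed to the caller through `*(AVFrame*)data = c->cur` would be misplaced, and the tail of the plane would keep whatever the buffer held before, so stale memory could reach the output of a decoder fed untrusted files. `CODEC_FLAG_EMU_EDGE` removes edge padding but, as far as these hunks show, nothing checks the stride. I would address `out` and `prev` row by row using `c->cur.linesize[0]`, or at least document the contiguous-layout assumption next to `out = (uint16_t *) c->cur.data[0];`. decode_frame starts and continues outside the visible hunks, so a stride check may exist there.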
diff --git a/debian/patches/post-0.8/0045-kgv1-release-reference-picture-on-size-change.patch b/debian/patches/post-0.8/0045-kgv1-release-reference-picture-on-size-change.patch
new file mode 100644
index 0000000..4d4e360
--- /dev/null
+++ b/debian/patches/post-0.8/0045-kgv1-release-reference-picture-on-size-change.patch
@@ -0,0 +1,34 @@
+From a0473085f3e2300908b1bf7ecf2ed7177eef0d4f Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Fri, 24 Feb 2012 16:27:53 -0800
+Subject: [PATCH 45/80] kgv1: release reference picture on size change.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 6c4c27adb61b2881a94ce5c7d97ee1c8adadb5fe)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libavcodec/kgv1dec.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/kgv1dec.c b/libavcodec/kgv1dec.c
+index 4526bf9..c4c3dac 100644
+--- a/libavcodec/kgv1dec.c
++++ b/libavcodec/kgv1dec.c
+@@ -61,8 +61,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
+ if (av_image_check_size(w, h, 0, avctx))
+ return -1;
+
+- if (w != avctx->width || h != avctx->height)
++ if (w != avctx->width || h != avctx->height) {
++ if (c->prev.data[0])
++ avctx->release_buffer(avctx, &c->prev);
+ avcodec_set_dimensions(avctx, w, h);
++ }
+
+ maxcnt = w * h;
+
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0046-fraps-release-reference-buffer-on-pix_fmt-change.patch b/debian/patches/post-0.8/0046-fraps-release-reference-buffer-on-pix_fmt-change.patch
new file mode 100644
index 0000000..cd859c1
--- /dev/null
+++ b/debian/patches/post-0.8/0046-fraps-release-reference-buffer-on-pix_fmt-change.patch
@@ -0,0 +1,77 @@
+From 0d30e2c6f28dc0ae1bcb9bb40b26aedb5b5ce731 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Fri, 24 Feb 2012 14:11:04 -0800
+Subject: [PATCH 46/80] fraps: release reference buffer on pix_fmt change.
+
+Prevents crash when trying to copy from a non-existing plane in e.g.
+a RGB32 reference image to a YUV420P target image
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 830f70442a87a31f7c75565e9380e3caf8333b8a)
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ libavcodec/fraps.c | 14 +++++++-------
+ 1 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/libavcodec/fraps.c b/libavcodec/fraps.c
+index 1444eda..d887cde 100644
+--- a/libavcodec/fraps.c
++++ b/libavcodec/fraps.c
+@@ -138,7 +138,7 @@ static int decode_frame(AVCodecContext *avctx,
+ uint32_t *luma1,*luma2,*cb,*cr;
+ uint32_t offs[4];
+ int i, j, is_chroma, planes;
+-
++ enum PixelFormat pix_fmt;
+
+ header = AV_RL32(buf);
+ version = header & 0xff;
+@@ -155,12 +155,16 @@ static int decode_frame(AVCodecContext *avctx,
+ if (header_size == 8)
+ buf+=4;
+
++ pix_fmt = version & 1 ? PIX_FMT_BGR24 : PIX_FMT_YUVJ420P;
++ if (avctx->pix_fmt != pix_fmt && f->data[0]) {
++ avctx->release_buffer(avctx, f);
++ }
++ avctx->pix_fmt = pix_fmt;
++
+ switch(version) {
+ case 0:
+ default:
+ /* Fraps v0 is a reordered YUV420 */
+- avctx->pix_fmt = PIX_FMT_YUVJ420P;
+-
+ if ( (buf_size != avctx->width*avctx->height*3/2+header_size) &&
+ (buf_size != header_size) ) {
+ av_log(avctx, AV_LOG_ERROR,
+@@ -208,8 +212,6 @@ static int decode_frame(AVCodecContext *avctx,
+
+ case 1:
+ /* Fraps v1 is an upside-down BGR24 */
+- avctx->pix_fmt = PIX_FMT_BGR24;
+-
+ if ( (buf_size != avctx->width*avctx->height*3+header_size) &&
+ (buf_size != header_size) ) {
+ av_log(avctx, AV_LOG_ERROR,
+@@ -244,7 +246,6 @@ static int decode_frame(AVCodecContext *avctx,
+ * Fraps v2 is Huffman-coded YUV420 planes
+ * Fraps v4 is virtually the same
+ */
+- avctx->pix_fmt = PIX_FMT_YUVJ420P;
+ planes = 3;
+ f->reference = 1;
+ f->buffer_hints = FF_BUFFER_HINTS_VALID |
+@@ -287,7 +288,6 @@ static int decode_frame(AVCodecContext *avctx,
+ case 3:
+ case 5:
+ /* Virtually the same as version 4, but is for RGB24 */
+- avctx->pix_fmt = PIX_FMT_BGR24;
+ planes = 3;
+ f->reference = 1;
+ f->buffer_hints = FF_BUFFER_HINTS_VALID |
+--
+1.7.5.4
+
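Review bot: The new line `pix_fmt = version & 1 ? PIX_FMT_BGR24 : PIX_FMT_YUVJ420P;` picks the format from the low bit of `version` before `switch(version)` runs, and that switch sends every unlisted value through `default:` together with `case 0`, i.e. the YUV420 path. An odd version other than 1, 3 or 5 would therefore be decoded as YUV420 while `avctx->pix_fmt` says BGR24, unless a range check on `version` earlier in decode_frame (outside this hunk) rejects it. Once that check is confirmed, a comment above the new line would record the dependency, for example `/* odd versions (1, 3, 5) are BGR24, even ones (0, 2, 4) YUVJ420P; other values must be rejected before this point */`.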
diff --git a/debian/patches/post-0.8/0047-rm-prevent-infinite-loops-for-index-parsing.patch b/debian/patches/post-0.8/0047-rm-prevent-infinite-loops-for-index-parsing.patch
new file mode 100644
index 0000000..c1b2b83
--- /dev/null
+++ b/debian/patches/post-0.8/0047-rm-prevent-infinite-loops-for-index-parsing.patch
@@ -0,0 +1,61 @@
+From abe35728786d79cd8230dffe41205b28ad6b7678 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Wed, 22 Feb 2012 11:33:24 -0800
+Subject: [PATCH 47/80] rm: prevent infinite loops for index parsing.
+
+Specifically, prevent jumping back in the file for the next index, since
+this can lead to infinite loops where we jump between indexes referring
+to each other, and don't read indexes that don't fit in the file.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit aac07a7a4c2c7a4a29cf6dbc88c1b9fdd191b99d)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavformat/rmdec.c | 20 +++++++++++++++++---
+ 1 files changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
+index 3d92253..405162e 100644
+--- a/libavformat/rmdec.c
++++ b/libavformat/rmdec.c
+@@ -370,8 +370,19 @@ static int rm_read_index(AVFormatContext *s)
+ st = s->streams[n];
+ break;
+ }
+- if (n == s->nb_streams)
++ if (n == s->nb_streams) {
++ av_log(s, AV_LOG_ERROR,
++ "Invalid stream index %d for index at pos %"PRId64"\n",
++ str_id, avio_tell(pb));
+ goto skip;
++ } else if ((avio_size(pb) - avio_tell(pb)) / 14 < n_pkts) {
++ av_log(s, AV_LOG_ERROR,
++ "Nr. of packets in packet index for stream index %d "
++ "exceeds filesize (%"PRId64" at %"PRId64" = %d)\n",
++ str_id, avio_size(pb), avio_tell(pb),
++ (avio_size(pb) - avio_tell(pb)) / 14);
++ goto skip;
++ }
+
+ for (n = 0; n < n_pkts; n++) {
+ avio_skip(pb, 2);
+@@ -383,9 +394,12 @@ static int rm_read_index(AVFormatContext *s)
+ }
+
+ skip:
+- if (next_off && avio_tell(pb) != next_off &&
+- avio_seek(pb, next_off, SEEK_SET) < 0)
++ if (next_off && avio_tell(pb) < next_off &&
++ avio_seek(pb, next_off, SEEK_SET) < 0) {
++ av_log(s, AV_LOG_ERROR,
++ "Non-linear index detected, not supported\n");
+ return -1;
++ }
+ } while (next_off);
+
+ return 0;
+--
+1.7.5.4
+
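Review bot: The second added av_log() call prints `(avio_size(pb) - avio_tell(pb)) / 14` with `%d`, although the same call formats `avio_size(pb)` and `avio_tell(pb)` with `PRId64`, so a 64-bit quotient is passed for an `int` conversion; the format should end `= %"PRId64")\n`. In the `skip:` block the message "Non-linear index detected, not supported" is logged only when a forward `avio_seek()` fails. When `next_off` points backwards, the condition `avio_tell(pb) < next_off` is simply false and the loop continues reading at the current position without any diagnostic. A short comment there saying that backward offsets are deliberately not followed would match the commit message. rm_read_index begins outside the hunk.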
diff --git a/debian/patches/post-0.8/0048-Fix-parser-not-to-clobber-has_b_frames-when-extradat.patch b/debian/patches/post-0.8/0048-Fix-parser-not-to-clobber-has_b_frames-when-extradat.patch
new file mode 100644
index 0000000..86dda35
--- /dev/null
+++ b/debian/patches/post-0.8/0048-Fix-parser-not-to-clobber-has_b_frames-when-extradat.patch
@@ -0,0 +1,56 @@
+From 0f839cff6bf4569393cd0594f0f300af1c488723 Mon Sep 17 00:00:00 2001
+From: Reinhard Tartler <siretart at tauware.de>
+Date: Sun, 26 Feb 2012 10:50:45 +0100
+Subject: [PATCH 48/80] Fix parser not to clobber has_b_frames when extradata
+ is set.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Because in contrast to the decoder, the parser does not setup low_delay.
+The code in parse_nal_units would always end up setting has_b_frames
+to "1", except when stream is explicitly marked as low delay.
+Since the parser itself would create 'extradata', simply reopening
+the parser would cause this.
+
+This happens for instance in estimate_timings_from_pts(), which causes the
+parser to be reopened on the same stream.
+
+This fixes Libav #22 and FFmpeg (trac) #360
+
+CC: libav-stable at libav.org
+
+Based on a patch by Reimar Döffinger <Reimar.Doeffinger at gmx.de>
+(commit 31ac0ac29b6bba744493f7d1040757a3f51b9ad7)
+
+Comments and description adapted by Reinhard Tartler.
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+(cherry picked from commit 790a367d9ecd04360f78616765ee723f3fe65645)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/h264_parser.c | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/h264_parser.c b/libavcodec/h264_parser.c
+index bcaa04a..48215c5 100644
+--- a/libavcodec/h264_parser.c
++++ b/libavcodec/h264_parser.c
+@@ -251,6 +251,13 @@ static int h264_parse(AVCodecParserContext *s,
+ h->got_first = 1;
+ if (avctx->extradata_size) {
+ h->s.avctx = avctx;
++ // must be done like in the decoder.
++ // otherwise opening the parser, creating extradata,
++ // and then closing and opening again
++ // will cause has_b_frames to be always set.
++ // NB: estimate_timings_from_pts behaves exactly like this.
++ if (!avctx->has_b_frames)
++ h->s.low_delay = 1;
+ ff_h264_decode_extradata(h);
+ }
+ }
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0049-vorbis-fix-overflows-in-floor1-vector-and-inverse-db.patch b/debian/patches/post-0.8/0049-vorbis-fix-overflows-in-floor1-vector-and-inverse-db.patch
new file mode 100644
index 0000000..7a3d85e
--- /dev/null
+++ b/debian/patches/post-0.8/0049-vorbis-fix-overflows-in-floor1-vector-and-inverse-db.patch
@@ -0,0 +1,116 @@
+From 2510e1476e9a8bfcca0fe4e85a1380482aed0ab3 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Tue, 10 Jan 2012 17:01:26 -0800
+Subject: [PATCH 49/80] vorbis: fix overflows in floor1[] vector and inverse
+ db table index.
+
+(cherry picked from commit 24947d4988012f1f0fd467c83418615adc11c3e8)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/vorbis.c | 19 +++++++++----------
+ libavcodec/vorbisdec.c | 10 +++++-----
+ 2 files changed, 14 insertions(+), 15 deletions(-)
+
+diff --git a/libavcodec/vorbis.c b/libavcodec/vorbis.c
+index 0b26870..52ded8b 100644
+--- a/libavcodec/vorbis.c
++++ b/libavcodec/vorbis.c
+@@ -152,7 +152,7 @@ void ff_vorbis_ready_floor1_list(vorbis_floor1_entry * list, int values)
+ }
+ }
+
+-static inline void render_line_unrolled(intptr_t x, uint8_t y, int x1,
++static inline void render_line_unrolled(intptr_t x, int y, int x1,
+ intptr_t sy, int ady, int adx,
+ float *buf)
+ {
+@@ -164,30 +164,30 @@ static inline void render_line_unrolled(intptr_t x, uint8_t y, int x1,
+ if (err >= 0) {
+ err += ady - adx;
+ y += sy;
+- buf[x++] = ff_vorbis_floor1_inverse_db_table[y];
++ buf[x++] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y)];
+ }
+- buf[x] = ff_vorbis_floor1_inverse_db_table[y];
++ buf[x] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y)];
+ }
+ if (x <= 0) {
+ if (err + ady >= 0)
+ y += sy;
+- buf[x] = ff_vorbis_floor1_inverse_db_table[y];
++ buf[x] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y)];
+ }
+ }
+
+-static void render_line(int x0, uint8_t y0, int x1, int y1, float *buf)
++static void render_line(int x0, int y0, int x1, int y1, float *buf)
+ {
+ int dy = y1 - y0;
+ int adx = x1 - x0;
+ int ady = FFABS(dy);
+ int sy = dy < 0 ? -1 : 1;
+- buf[x0] = ff_vorbis_floor1_inverse_db_table[y0];
++ buf[x0] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y0)];
+ if (ady*2 <= adx) { // optimized common case
+ render_line_unrolled(x0, y0, x1, sy, ady, adx, buf);
+ } else {
+ int base = dy / adx;
+ int x = x0;
+- uint8_t y = y0;
++ int y = y0;
+ int err = -adx;
+ ady -= FFABS(base) * adx;
+ while (++x < x1) {
+@@ -197,7 +197,7 @@ static void render_line(int x0, uint8_t y0, int x1, int y1, float *buf)
+ err -= adx;
+ y += sy;
+ }
+- buf[x] = ff_vorbis_floor1_inverse_db_table[y];
++ buf[x] = ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y)];
+ }
+ }
+ }
+@@ -206,8 +206,7 @@ void ff_vorbis_floor1_render_list(vorbis_floor1_entry * list, int values,
+ uint16_t *y_list, int *flag,
+ int multiplier, float *out, int samples)
+ {
+- int lx, i;
+- uint8_t ly;
++ int lx, ly, i;
+ lx = 0;
+ ly = y_list[0] * multiplier;
+ for (i = 1; i < values; i++) {
+diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c
+index bb69fed..22a2cf7 100644
+--- a/libavcodec/vorbisdec.c
++++ b/libavcodec/vorbisdec.c
+@@ -1244,20 +1244,20 @@ static int vorbis_floor1_decode(vorbis_context *vc,
+ floor1_flag[i] = 1;
+ if (val >= room) {
+ if (highroom > lowroom) {
+- floor1_Y_final[i] = val - lowroom + predicted;
++ floor1_Y_final[i] = av_clip_uint16(val - lowroom + predicted);
+ } else {
+- floor1_Y_final[i] = predicted - val + highroom - 1;
++ floor1_Y_final[i] = av_clip_uint16(predicted - val + highroom - 1);
+ }
+ } else {
+ if (val & 1) {
+- floor1_Y_final[i] = predicted - (val + 1) / 2;
++ floor1_Y_final[i] = av_clip_uint16(predicted - (val + 1) / 2);
+ } else {
+- floor1_Y_final[i] = predicted + val / 2;
++ floor1_Y_final[i] = av_clip_uint16(predicted + val / 2);
+ }
+ }
+ } else {
+ floor1_flag[i] = 0;
+- floor1_Y_final[i] = predicted;
++ floor1_Y_final[i] = av_clip_uint16(predicted);
+ }
+
+ av_dlog(NULL, " Decoded floor(%d) = %u / val %u\n",
+--
+1.7.5.4
+
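Review bot: All five lookups in render_line_unrolled() and render_line() now read `ff_vorbis_floor1_inverse_db_table[av_clip_uint8(y)]`, but nothing says why `y` may leave the 0..255 range now that it is an `int`, and the patch has no description beyond its subject. A one-line comment at the first lookup, such as `/* y can step outside 0..255 on damaged streams; clamp the table index */`, would keep a later cleanup from removing the clamp. Both here and for the `av_clip_uint16()` calls in vorbis_floor1_decode(), saturating hides the fact that the stream produced an out-of-range value; whether that should be reported instead is worth deciding explicitly. The table's size is declared outside the hunk.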
diff --git a/debian/patches/post-0.8/0050-Indeo3-fix-crashes-on-corrupt-bitstreams.patch b/debian/patches/post-0.8/0050-Indeo3-fix-crashes-on-corrupt-bitstreams.patch
new file mode 100644
index 0000000..f8e436f
--- /dev/null
+++ b/debian/patches/post-0.8/0050-Indeo3-fix-crashes-on-corrupt-bitstreams.patch
@@ -0,0 +1,61 @@
+From 9dbd437da2bafbec540e38cb51bc7ce2b0101ee5 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Tue, 28 Feb 2012 10:22:28 -0800
+Subject: [PATCH 50/80] Indeo3: fix crashes on corrupt bitstreams.
+
+Splits at borders of cells are invalid, since it leaves one of the
+cells with a width/height of zero. Also, propagate errors on buffer
+allocation failures, so we don't continue decoding (which crashes).
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit fc9bc08dca9ac32526251e19fcf738d23b8c68d1)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/indeo3.c | 9 ++++++++-
+ 1 files changed, 8 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/indeo3.c b/libavcodec/indeo3.c
+index d2b01f4..55b4ec7 100644
+--- a/libavcodec/indeo3.c
++++ b/libavcodec/indeo3.c
+@@ -724,6 +724,8 @@ static int parse_bintree(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
+ SPLIT_CELL(ref_cell->height, curr_cell.height);
+ ref_cell->ypos += curr_cell.height;
+ ref_cell->height -= curr_cell.height;
++ if (ref_cell->height <= 0 || curr_cell.height <= 0)
++ return AVERROR_INVALIDDATA;
+ } else if (code == V_SPLIT) {
+ if (curr_cell.width > strip_width) {
+ /* split strip */
+@@ -732,6 +734,8 @@ static int parse_bintree(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
+ SPLIT_CELL(ref_cell->width, curr_cell.width);
+ ref_cell->xpos += curr_cell.width;
+ ref_cell->width -= curr_cell.width;
++ if (ref_cell->width <= 0 || curr_cell.width <= 0)
++ return AVERROR_INVALIDDATA;
+ }
+
+ while (1) { /* loop until return */
+@@ -887,13 +891,16 @@ static int decode_frame_headers(Indeo3DecodeContext *ctx, AVCodecContext *avctx,
+ return AVERROR_INVALIDDATA;
+
+ if (width != ctx->width || height != ctx->height) {
++ int res;
++
+ av_dlog(avctx, "Frame dimensions changed!\n");
+
+ ctx->width = width;
+ ctx->height = height;
+
+ free_frame_buffers(ctx);
+- allocate_frame_buffers(ctx, avctx);
++ if ((res = allocate_frame_buffers(ctx, avctx)) < 0)
++ return res;
+ avcodec_set_dimensions(avctx, width, height);
+ }
+
+--
+1.7.5.4
+
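Review bot: In decode_frame_headers() the new early `return res;` leaves `ctx->width` and `ctx->height` already set to the new dimensions, although `free_frame_buffers(ctx)` has run and the allocation has failed. A following frame with the same dimensions would not enter the `width != ctx->width || height != ctx->height` branch again and would be decoded without a fresh allocation. What state free_frame_buffers() leaves the plane pointers in is outside the hunk, so this needs confirming. Assuming free_frame_buffers() is safe to call a second time, resetting the cached size on failure closes the gap: `if ((res = allocate_frame_buffers(ctx, avctx)) < 0) { ctx->width = ctx->height = 0; return res; }`.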
diff --git a/debian/patches/post-0.8/0051-oma-don-t-read-beyond-end-of-leaf_table.patch b/debian/patches/post-0.8/0051-oma-don-t-read-beyond-end-of-leaf_table.patch
new file mode 100644
index 0000000..64a8c1c
--- /dev/null
+++ b/debian/patches/post-0.8/0051-oma-don-t-read-beyond-end-of-leaf_table.patch
@@ -0,0 +1,30 @@
+From 71a939fee47d8b59ba1258b481322d16378e556f Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Tue, 28 Feb 2012 11:35:36 -0800
+Subject: [PATCH 51/80] oma: don't read beyond end of leaf_table.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 934cd18a43151ba4b819d9270d539cdb26f6e079)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavformat/omadec.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/libavformat/omadec.c b/libavformat/omadec.c
+index 0beed71..cc37397 100644
+--- a/libavformat/omadec.c
++++ b/libavformat/omadec.c
+@@ -231,7 +231,7 @@ static int decrypt_init(AVFormatContext *s, ID3v2ExtraMeta *em, uint8_t *header)
+ rprobe(s, gdata, oc->r_val) < 0 &&
+ nprobe(s, gdata, oc->n_val) < 0) {
+ int i;
+- for (i = 0; i < sizeof(leaf_table); i += 2) {
++ for (i = 0; i < FF_ARRAY_ELEMS(leaf_table); i += 2) {
+ uint8_t buf[16];
+ AV_WL64(buf, leaf_table[i]);
+ AV_WL64(&buf[8], leaf_table[i+1]);
+--
+1.7.5.4
+
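Review bot: The loop body reads `leaf_table[i+1]` while the corrected condition only bounds `i`, so the last iteration stays inside the array only when `leaf_table` has an even number of elements; its definition is outside the hunk. Writing the condition as `i + 1 < FF_ARRAY_ELEMS(leaf_table)` makes the bound cover both reads. decrypt_init starts and ends outside the hunk.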
diff --git a/debian/patches/post-0.8/0052-mjpegbdec-Fix-overflow-in-SOS.patch b/debian/patches/post-0.8/0052-mjpegbdec-Fix-overflow-in-SOS.patch
new file mode 100644
index 0000000..ff7c80c
--- /dev/null
+++ b/debian/patches/post-0.8/0052-mjpegbdec-Fix-overflow-in-SOS.patch
@@ -0,0 +1,45 @@
+From 083a8a00373b12dc06b8ae4c49eec61fb5e55f4b Mon Sep 17 00:00:00 2001
+From: Alex Converse <alex.converse at gmail.com>
+Date: Wed, 25 Jan 2012 13:39:24 -0800
+Subject: [PATCH 52/80] mjpegbdec: Fix overflow in SOS.
+
+Based in part by a fix from Michael Niedermayer <michaelni at gmx.at>
+
+Fixes CVE-2011-3947
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+(cherry picked from commit b57d262412204e54a7ef8fa1b23ff4dcede622e5)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/mjpegbdec.c | 7 +++++--
+ 1 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/mjpegbdec.c b/libavcodec/mjpegbdec.c
+index 9f71f50..10c5add 100644
+--- a/libavcodec/mjpegbdec.c
++++ b/libavcodec/mjpegbdec.c
+@@ -59,6 +59,9 @@ read_header:
+ s->restart_count = 0;
+ s->mjpb_skiptosod = 0;
+
++ if (buf_end - buf_ptr >= 1 << 28)
++ return AVERROR_INVALIDDATA;
++
+ init_get_bits(&hgb, buf_ptr, /*buf_size*/(buf_end - buf_ptr)*8);
+
+ skip_bits(&hgb, 32); /* reserved zeros */
+@@ -111,8 +114,8 @@ read_header:
+ av_log(avctx, AV_LOG_DEBUG, "sod offs: 0x%x\n", sod_offs);
+ if (sos_offs)
+ {
+-// init_get_bits(&s->gb, buf+sos_offs, (buf_end - (buf+sos_offs))*8);
+- init_get_bits(&s->gb, buf_ptr+sos_offs, field_size*8);
++ init_get_bits(&s->gb, buf_ptr + sos_offs,
++ 8 * FFMIN(field_size, buf_end - buf_ptr - sos_offs));
+ s->mjpb_skiptosod = (sod_offs - sos_offs - show_bits(&s->gb, 16));
+ s->start_code = SOS;
+ if (ff_mjpeg_decode_sos(s, NULL, NULL) < 0 &&
+--
+1.7.5.4
+
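Review bot: The added guard `if (buf_end - buf_ptr >= 1 << 28)` has no comment, and the reason for that limit only shows two lines later, where `(buf_end - buf_ptr)*8` is passed to init_get_bits() as a bit count. I would add `/* the bit count below is size * 8 and must fit in an int */` above it. In the second hunk, `FFMIN(field_size, buf_end - buf_ptr - sos_offs)` can go negative and `buf_ptr + sos_offs` can point past the buffer if `sos_offs` exceeds the remaining bytes. `sos_offs` is read outside the hunk, so whether it is already bounded there needs checking; if it is not, `if (sos_offs > buf_end - buf_ptr) return AVERROR_INVALIDDATA;` belongs before the call.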
diff --git a/debian/patches/post-0.8/0053-avutil-make-intfloat-api-public.patch b/debian/patches/post-0.8/0053-avutil-make-intfloat-api-public.patch
new file mode 100644
index 0000000..ca1ea79
--- /dev/null
+++ b/debian/patches/post-0.8/0053-avutil-make-intfloat-api-public.patch
@@ -0,0 +1,66 @@
+From a1556d37b85328fda3c4010bc2f49e1a93273128 Mon Sep 17 00:00:00 2001
+From: Paul B Mahol <onemda at gmail.com>
+Date: Sun, 29 Jan 2012 20:09:22 +0000
+Subject: [PATCH 53/80] avutil: make intfloat api public
+
+The functions are already av_ prefixed and intfloat header is already provided.
+Install libavutil/intfloat.h
+
+Signed-off-by: Paul B Mahol <onemda at gmail.com>
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+(cherry picked from commit 8b933129b932f523a746e921a0a20b8dd8816971)
+
+Conflicts:
+
+ doc/APIchanges
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ doc/APIchanges | 4 ++++
+ libavutil/Makefile | 1 +
+ libavutil/avutil.h | 2 +-
+ 3 files changed, 6 insertions(+), 1 deletions(-)
+
+diff --git a/doc/APIchanges b/doc/APIchanges
+index 1e326ca..b2ee01b 100644
+--- a/doc/APIchanges
++++ b/doc/APIchanges
+@@ -13,6 +13,10 @@ libavutil: 2011-04-18
+
+ API changes, most recent first:
+
++2012-02-29 - xxxxxxx - lavu 51.22.0 - intfloat.h
++ Add a new installed header libavutil/intfloat.h with int/float punning
++ functions.
++
+ 2012-02-17 - xxxxxxx - lavc 53.35.0
+ Add avcodec_is_open() function.
+
+diff --git a/libavutil/Makefile b/libavutil/Makefile
+index 6896846..4bbe257 100644
+--- a/libavutil/Makefile
++++ b/libavutil/Makefile
+@@ -17,6 +17,7 @@ HEADERS = adler32.h \
+ fifo.h \
+ file.h \
+ imgutils.h \
++ intfloat.h \
+ intfloat_readwrite.h \
+ intreadwrite.h \
+ lfg.h \
+diff --git a/libavutil/avutil.h b/libavutil/avutil.h
+index f0be5c1..0e62b4a 100644
+--- a/libavutil/avutil.h
++++ b/libavutil/avutil.h
+@@ -154,7 +154,7 @@
+ */
+
+ #define LIBAVUTIL_VERSION_MAJOR 51
+-#define LIBAVUTIL_VERSION_MINOR 21
++#define LIBAVUTIL_VERSION_MINOR 22
+ #define LIBAVUTIL_VERSION_MICRO 0
+
+ #define LIBAVUTIL_VERSION_INT AV_VERSION_INT(LIBAVUTIL_VERSION_MAJOR, \
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0054-lavf-add-functions-for-accessing-the-fourcc-CodecID-.patch b/debian/patches/post-0.8/0054-lavf-add-functions-for-accessing-the-fourcc-CodecID-.patch
new file mode 100644
index 0000000..d4bdd84
--- /dev/null
+++ b/debian/patches/post-0.8/0054-lavf-add-functions-for-accessing-the-fourcc-CodecID-.patch
@@ -0,0 +1,257 @@
+From 2ad77c60ef862baa2afcdcb7e6f43dedabab38ef Mon Sep 17 00:00:00 2001
+From: Anton Khirnov <anton at khirnov.net>
+Date: Fri, 27 Jan 2012 13:33:09 +0100
+Subject: [PATCH 54/80] lavf: add functions for accessing the fourcc<->CodecID
+ mapping tables.
+
+Fixes bug 212.
+(cherry picked from commit dd6d3b0e025cb2a16022665dbb8ab1be18dc05e8)
+
+Conflicts:
+
+ doc/APIchanges
+
+Signed-off-by: Anton Khirnov <anton at khirnov.net>
+---
+ doc/APIchanges | 3 ++
+ libavformat/Makefile | 54 ++++++++++++++++++++++++------------------------
+ libavformat/avformat.h | 24 +++++++++++++++++++++
+ libavformat/utils.c | 9 ++++++++
+ libavformat/version.h | 2 +-
+ 5 files changed, 64 insertions(+), 28 deletions(-)
+
+diff --git a/doc/APIchanges b/doc/APIchanges
+index b2ee01b..58186a0 100644
+--- a/doc/APIchanges
++++ b/doc/APIchanges
+@@ -13,6 +13,9 @@ libavutil: 2011-04-18
+
+ API changes, most recent first:
+
++2012-02-29 - xxxxxxx - lavf 53.21.0
++ Add avformat_get_riff_video_tags() and avformat_get_riff_audio_tags().
++
+ 2012-02-29 - xxxxxxx - lavu 51.22.0 - intfloat.h
+ Add a new installed header libavutil/intfloat.h with int/float punning
+ functions.
+diff --git a/libavformat/Makefile b/libavformat/Makefile
+index 2a2a946..c850bf4 100644
+--- a/libavformat/Makefile
++++ b/libavformat/Makefile
+@@ -10,6 +10,7 @@ OBJS = allformats.o \
+ metadata.o \
+ options.o \
+ os_support.o \
++ riff.o \
+ sdp.o \
+ seek.o \
+ utils.o \
+@@ -25,8 +26,8 @@ OBJS-$(CONFIG_ADX_DEMUXER) += adxdec.o
+ OBJS-$(CONFIG_ADX_MUXER) += rawenc.o
+ OBJS-$(CONFIG_ADTS_MUXER) += adtsenc.o
+ OBJS-$(CONFIG_AEA_DEMUXER) += aea.o pcm.o
+-OBJS-$(CONFIG_AIFF_DEMUXER) += aiffdec.o riff.o pcm.o
+-OBJS-$(CONFIG_AIFF_MUXER) += aiffenc.o riff.o
++OBJS-$(CONFIG_AIFF_DEMUXER) += aiffdec.o pcm.o
++OBJS-$(CONFIG_AIFF_MUXER) += aiffenc.o
+ OBJS-$(CONFIG_AMR_DEMUXER) += amr.o
+ OBJS-$(CONFIG_AMR_MUXER) += amr.o
+ OBJS-$(CONFIG_ANM_DEMUXER) += anm.o
+@@ -34,14 +35,14 @@ OBJS-$(CONFIG_APC_DEMUXER) += apc.o
+ OBJS-$(CONFIG_APE_DEMUXER) += ape.o apetag.o
+ OBJS-$(CONFIG_APPLEHTTP_DEMUXER) += applehttp.o
+ OBJS-$(CONFIG_ASF_DEMUXER) += asfdec.o asf.o asfcrypt.o \
+- riff.o avlanguage.o
+-OBJS-$(CONFIG_ASF_MUXER) += asfenc.o asf.o riff.o
++ avlanguage.o
++OBJS-$(CONFIG_ASF_MUXER) += asfenc.o asf.o
+ OBJS-$(CONFIG_ASS_DEMUXER) += assdec.o
+ OBJS-$(CONFIG_ASS_MUXER) += assenc.o
+ OBJS-$(CONFIG_AU_DEMUXER) += au.o pcm.o
+ OBJS-$(CONFIG_AU_MUXER) += au.o
+-OBJS-$(CONFIG_AVI_DEMUXER) += avidec.o riff.o
+-OBJS-$(CONFIG_AVI_MUXER) += avienc.o riff.o
++OBJS-$(CONFIG_AVI_DEMUXER) += avidec.o
++OBJS-$(CONFIG_AVI_MUXER) += avienc.o
+ OBJS-$(CONFIG_AVISYNTH) += avisynth.o
+ OBJS-$(CONFIG_AVM2_MUXER) += swfenc.o
+ OBJS-$(CONFIG_AVS_DEMUXER) += avs.o vocdec.o voc.o
+@@ -51,7 +52,7 @@ OBJS-$(CONFIG_BINK_DEMUXER) += bink.o
+ OBJS-$(CONFIG_BMV_DEMUXER) += bmv.o
+ OBJS-$(CONFIG_C93_DEMUXER) += c93.o vocdec.o voc.o
+ OBJS-$(CONFIG_CAF_DEMUXER) += cafdec.o caf.o mov.o mov_chan.o \
+- riff.o isom.o
++ isom.o
+ OBJS-$(CONFIG_CAVSVIDEO_DEMUXER) += cavsvideodec.o rawdec.o
+ OBJS-$(CONFIG_CAVSVIDEO_MUXER) += rawenc.o
+ OBJS-$(CONFIG_CDG_DEMUXER) += cdg.o
+@@ -68,7 +69,7 @@ OBJS-$(CONFIG_DTS_DEMUXER) += dtsdec.o rawdec.o
+ OBJS-$(CONFIG_DTS_MUXER) += rawenc.o
+ OBJS-$(CONFIG_DV_DEMUXER) += dv.o
+ OBJS-$(CONFIG_DV_MUXER) += dvenc.o
+-OBJS-$(CONFIG_DXA_DEMUXER) += dxa.o riff.o
++OBJS-$(CONFIG_DXA_DEMUXER) += dxa.o
+ OBJS-$(CONFIG_EA_CDATA_DEMUXER) += eacdata.o
+ OBJS-$(CONFIG_EA_DEMUXER) += electronicarts.o
+ OBJS-$(CONFIG_EAC3_DEMUXER) += ac3dec.o rawdec.o
+@@ -112,7 +113,7 @@ OBJS-$(CONFIG_INGENIENT_DEMUXER) += ingenientdec.o rawdec.o
+ OBJS-$(CONFIG_IPMOVIE_DEMUXER) += ipmovie.o
+ OBJS-$(CONFIG_ISS_DEMUXER) += iss.o
+ OBJS-$(CONFIG_IV8_DEMUXER) += iv8.o
+-OBJS-$(CONFIG_IVF_DEMUXER) += ivfdec.o riff.o
++OBJS-$(CONFIG_IVF_DEMUXER) += ivfdec.o
+ OBJS-$(CONFIG_IVF_MUXER) += ivfenc.o
+ OBJS-$(CONFIG_JV_DEMUXER) += jvdec.o
+ OBJS-$(CONFIG_LATM_DEMUXER) += rawdec.o
+@@ -122,9 +123,9 @@ OBJS-$(CONFIG_LXF_DEMUXER) += lxfdec.o
+ OBJS-$(CONFIG_M4V_DEMUXER) += m4vdec.o rawdec.o
+ OBJS-$(CONFIG_M4V_MUXER) += rawenc.o
+ OBJS-$(CONFIG_MATROSKA_DEMUXER) += matroskadec.o matroska.o \
+- riff.o isom.o rmdec.o rm.o
++ isom.o rmdec.o rm.o
+ OBJS-$(CONFIG_MATROSKA_MUXER) += matroskaenc.o matroska.o \
+- riff.o isom.o avc.o \
++ isom.o avc.o \
+ flacenc_header.o avlanguage.o
+ OBJS-$(CONFIG_MD5_MUXER) += md5enc.o
+ OBJS-$(CONFIG_MJPEG_DEMUXER) += rawdec.o
+@@ -133,9 +134,9 @@ OBJS-$(CONFIG_MLP_DEMUXER) += rawdec.o
+ OBJS-$(CONFIG_MLP_MUXER) += rawenc.o
+ OBJS-$(CONFIG_MM_DEMUXER) += mm.o
+ OBJS-$(CONFIG_MMF_DEMUXER) += mmf.o pcm.o
+-OBJS-$(CONFIG_MMF_MUXER) += mmf.o riff.o
+-OBJS-$(CONFIG_MOV_DEMUXER) += mov.o riff.o isom.o mov_chan.o
+-OBJS-$(CONFIG_MOV_MUXER) += movenc.o riff.o isom.o avc.o \
++OBJS-$(CONFIG_MMF_MUXER) += mmf.o
++OBJS-$(CONFIG_MOV_DEMUXER) += mov.o isom.o mov_chan.o
++OBJS-$(CONFIG_MOV_MUXER) += movenc.o isom.o avc.o \
+ movenchint.o rtpenc_chain.o \
+ mov_chan.o
+ OBJS-$(CONFIG_MP2_MUXER) += mp3enc.o rawenc.o
+@@ -164,9 +165,9 @@ OBJS-$(CONFIG_MXG_DEMUXER) += mxg.o
+ OBJS-$(CONFIG_NC_DEMUXER) += ncdec.o
+ OBJS-$(CONFIG_NSV_DEMUXER) += nsvdec.o
+ OBJS-$(CONFIG_NULL_MUXER) += nullenc.o
+-OBJS-$(CONFIG_NUT_DEMUXER) += nutdec.o nut.o riff.o
+-OBJS-$(CONFIG_NUT_MUXER) += nutenc.o nut.o riff.o
+-OBJS-$(CONFIG_NUV_DEMUXER) += nuv.o riff.o
++OBJS-$(CONFIG_NUT_DEMUXER) += nutdec.o nut.o
++OBJS-$(CONFIG_NUT_MUXER) += nutenc.o nut.o
++OBJS-$(CONFIG_NUV_DEMUXER) += nuv.o
+ OBJS-$(CONFIG_OGG_DEMUXER) += oggdec.o \
+ oggparsecelt.o \
+ oggparsedirac.o \
+@@ -176,7 +177,6 @@ OBJS-$(CONFIG_OGG_DEMUXER) += oggdec.o \
+ oggparsespeex.o \
+ oggparsetheora.o \
+ oggparsevorbis.o \
+- riff.o \
+ vorbiscomment.o
+ OBJS-$(CONFIG_OGG_MUXER) += oggenc.o \
+ vorbiscomment.o
+@@ -301,28 +301,28 @@ OBJS-$(CONFIG_VMD_DEMUXER) += sierravmd.o
+ OBJS-$(CONFIG_VOC_DEMUXER) += vocdec.o voc.o
+ OBJS-$(CONFIG_VOC_MUXER) += vocenc.o voc.o
+ OBJS-$(CONFIG_VQF_DEMUXER) += vqf.o
+-OBJS-$(CONFIG_W64_DEMUXER) += wav.o riff.o pcm.o
+-OBJS-$(CONFIG_WAV_DEMUXER) += wav.o riff.o pcm.o
+-OBJS-$(CONFIG_WAV_MUXER) += wav.o riff.o
++OBJS-$(CONFIG_W64_DEMUXER) += wav.o pcm.o
++OBJS-$(CONFIG_WAV_DEMUXER) += wav.o pcm.o
++OBJS-$(CONFIG_WAV_MUXER) += wav.o
+ OBJS-$(CONFIG_WC3_DEMUXER) += wc3movie.o
+ OBJS-$(CONFIG_WEBM_MUXER) += matroskaenc.o matroska.o \
+- riff.o isom.o avc.o \
++ isom.o avc.o \
+ flacenc_header.o avlanguage.o
+ OBJS-$(CONFIG_WSAUD_DEMUXER) += westwood.o
+ OBJS-$(CONFIG_WSVQA_DEMUXER) += westwood.o
+ OBJS-$(CONFIG_WTV_DEMUXER) += wtv.o asfdec.o asf.o asfcrypt.o \
+- avlanguage.o mpegts.o isom.o riff.o
++ avlanguage.o mpegts.o isom.o
+ OBJS-$(CONFIG_WV_DEMUXER) += wv.o apetag.o
+ OBJS-$(CONFIG_XA_DEMUXER) += xa.o
+-OBJS-$(CONFIG_XMV_DEMUXER) += xmv.o riff.o
+-OBJS-$(CONFIG_XWMA_DEMUXER) += xwma.o riff.o
++OBJS-$(CONFIG_XMV_DEMUXER) += xmv.o
++OBJS-$(CONFIG_XWMA_DEMUXER) += xwma.o
+ OBJS-$(CONFIG_YOP_DEMUXER) += yop.o
+ OBJS-$(CONFIG_YUV4MPEGPIPE_MUXER) += yuv4mpeg.o
+ OBJS-$(CONFIG_YUV4MPEGPIPE_DEMUXER) += yuv4mpeg.o
+
+ # external libraries
+-OBJS-$(CONFIG_LIBNUT_DEMUXER) += libnut.o riff.o
+-OBJS-$(CONFIG_LIBNUT_MUXER) += libnut.o riff.o
++OBJS-$(CONFIG_LIBNUT_DEMUXER) += libnut.o
++OBJS-$(CONFIG_LIBNUT_MUXER) += libnut.o
+
+ # protocols I/O
+ OBJS+= avio.o aviobuf.o
+diff --git a/libavformat/avformat.h b/libavformat/avformat.h
+index 71aed80..22a89d3 100644
+--- a/libavformat/avformat.h
++++ b/libavformat/avformat.h
+@@ -1996,6 +1996,30 @@ int av_match_ext(const char *filename, const char *extensions);
+ int avformat_query_codec(AVOutputFormat *ofmt, enum CodecID codec_id, int std_compliance);
+
+ /**
++ * @defgroup riff_fourcc RIFF FourCCs
++ * @{
++ * Get the tables mapping RIFF FourCCs to libavcodec CodecIDs. The tables are
++ * meant to be passed to av_codec_get_id()/av_codec_get_tag() as in the
++ * following code:
++ * @code
++ * uint32_t tag = MKTAG('H', '2', '6', '4');
++ * const struct AVCodecTag *table[] = { avformat_get_riff_video_tags(), 0 };
++ * enum CodecID id = av_codec_get_id(table, tag);
++ * @endcode
++ */
++/**
++ * @return the table mapping RIFF FourCCs for video to libavcodec CodecID.
++ */
++const struct AVCodecTag *avformat_get_riff_video_tags(void);
++/**
++ * @return the table mapping RIFF FourCCs for audio to CodecID.
++ */
++const struct AVCodecTag *avformat_get_riff_audio_tags(void);
++/**
++ * @}
++ */
++
++/**
+ * @}
+ */
+
+diff --git a/libavformat/utils.c b/libavformat/utils.c
+index e6b4f40..0c355ce 100644
+--- a/libavformat/utils.c
++++ b/libavformat/utils.c
+@@ -4107,3 +4107,12 @@ int ff_add_param_change(AVPacket *pkt, int32_t channels,
+ }
+ return 0;
+ }
++
++const struct AVCodecTag *avformat_get_riff_video_tags(void)
++{
++ return ff_codec_bmp_tags;
++}
++const struct AVCodecTag *avformat_get_riff_audio_tags(void)
++{
++ return ff_codec_wav_tags;
++}
+diff --git a/libavformat/version.h b/libavformat/version.h
+index cd774fb..009a60b 100644
+--- a/libavformat/version.h
++++ b/libavformat/version.h
+@@ -30,7 +30,7 @@
+ #include "libavutil/avutil.h"
+
+ #define LIBAVFORMAT_VERSION_MAJOR 53
+-#define LIBAVFORMAT_VERSION_MINOR 20
++#define LIBAVFORMAT_VERSION_MINOR 21
+ #define LIBAVFORMAT_VERSION_MICRO 0
+
+ #define LIBAVFORMAT_VERSION_INT AV_VERSION_INT(LIBAVFORMAT_VERSION_MAJOR, \
+--
+1.7.5.4
+
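Review bot: The Doxygen text added to avformat.h does not say how the returned tables end or who owns them, and the two `@return` lines are worded differently ("libavcodec CodecID" versus "CodecID"). Since utils.c returns the internal arrays `ff_codec_bmp_tags` and `ff_codec_wav_tags` directly, the documentation should state that the pointer refers to a library-owned table that must not be modified or freed, and name the terminating entry. The `@code` example ends the pointer array with `0`; `NULL` reads more clearly for a list of pointers.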
diff --git a/debian/patches/post-0.8/0055-asf-error-out-on-ridiculously-large-minpktsize-value.patch b/debian/patches/post-0.8/0055-asf-error-out-on-ridiculously-large-minpktsize-value.patch
new file mode 100644
index 0000000..76a44ff
--- /dev/null
+++ b/debian/patches/post-0.8/0055-asf-error-out-on-ridiculously-large-minpktsize-value.patch
@@ -0,0 +1,44 @@
+From 1c63d613721f9fb05dcf1646d00aabf5f63695eb Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Fri, 17 Feb 2012 12:21:22 -0800
+Subject: [PATCH 55/80] asf: error out on ridiculously large minpktsize
+ values.
+
+They cause various issues further down in demuxing.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 6e57a02b9f639af53acfa9fc742c1341400818f8)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavformat/asfdec.c | 6 +++++-
+ 1 files changed, 5 insertions(+), 1 deletions(-)
+
+diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
+index eb93f14..1fbe79b 100644
+--- a/libavformat/asfdec.c
++++ b/libavformat/asfdec.c
+@@ -202,6 +202,8 @@ static int asf_read_file_properties(AVFormatContext *s, int64_t size)
+ asf->hdr.flags = avio_rl32(pb);
+ asf->hdr.min_pktsize = avio_rl32(pb);
+ asf->hdr.max_pktsize = avio_rl32(pb);
++ if (asf->hdr.min_pktsize >= (1U<<29))
++ return AVERROR_INVALIDDATA;
+ asf->hdr.max_bitrate = avio_rl32(pb);
+ s->packet_size = asf->hdr.max_pktsize;
+
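Review bot: Only `min_pktsize` is bounded here, while `max_pktsize` is read from the same untrusted header and copied into `s->packet_size` two lines below with no range check. If later demuxing sizes reads or allocations from `s->packet_size` (not visible in this hunk), an oversized value is still accepted; consider `if (asf->hdr.min_pktsize >= (1U<<29) || asf->hdr.max_pktsize >= (1U<<29)) return AVERROR_INVALIDDATA;`. The `1U<<29` limit also deserves a short comment naming the later arithmetic it protects, since nothing in the hunk explains the choice.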
+@@ -616,7 +618,9 @@ static int asf_read_header(AVFormatContext *s, AVFormatParameters *ap)
+ if (gsize < 24)
+ return -1;
+ if (!ff_guidcmp(&g, &ff_asf_file_header)) {
+- asf_read_file_properties(s, gsize);
++ int ret = asf_read_file_properties(s, gsize);
++ if (ret < 0)
++ return ret;
+ } else if (!ff_guidcmp(&g, &ff_asf_stream_header)) {
+ asf_read_stream_properties(s, gsize);
+ } else if (!ff_guidcmp(&g, &ff_asf_comment_header)) {
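Review bot: The return value of `asf_read_stream_properties(s, gsize)` on the next branch is still discarded, so a failure while parsing a stream header lets the header loop continue on whatever state was left behind. If that function reports errors through its return value (its definition is outside this hunk), it should get the same treatment as the file-properties call: `int ret = asf_read_stream_properties(s, gsize); if (ret < 0) return ret;`. Declaring `ret` once at the top of the loop body would avoid repeating the declaration in each branch.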
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0056-asf-don-t-seek-back-on-EOF.patch b/debian/patches/post-0.8/0056-asf-don-t-seek-back-on-EOF.patch
new file mode 100644
index 0000000..958b209
--- /dev/null
+++ b/debian/patches/post-0.8/0056-asf-don-t-seek-back-on-EOF.patch
@@ -0,0 +1,34 @@
+From 40ccc811461c2c5f7999200315f9e2a563807147 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Tue, 28 Feb 2012 16:13:46 -0800
+Subject: [PATCH 56/80] asf: don't seek back on EOF.
+
+Seeking back on EOF will reset the EOF flag, causing us to re-enter
+the loop to find the next marker in the ASF file, thus potentially
+causing an infinite loop.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit bb6d5411e1e1a8e0608b1af1c4addee654dcbac5)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavformat/asfdec.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/libavformat/asfdec.c b/libavformat/asfdec.c
+index 1fbe79b..969ab28 100644
+--- a/libavformat/asfdec.c
++++ b/libavformat/asfdec.c
+@@ -761,7 +761,7 @@ static int ff_asf_get_packet(AVFormatContext *s, AVIOContext *pb)
+ c= avio_r8(pb);
+ d= avio_r8(pb);
+ rsize+=3;
+- }else{
++ } else if (!pb->eof_reached) {
+ avio_seek(pb, -1, SEEK_CUR); //FIXME
+ }
+
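Review bot: The reason for the new `!pb->eof_reached` test exists only in the commit message, and the bare `//FIXME` next to the seek does not help the next reader. A comment such as `/* do not seek at EOF: seeking clears eof_reached and the marker search loop would never terminate */` above the branch would keep someone from simplifying it back to a plain `else`. The result of `avio_seek()` is also ignored, so a failed seek on a non-seekable input goes unnoticed; ff_asf_get_packet continues outside the hunk, so whether that matters depends on code not shown.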
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0057-vp56-error-out-on-invalid-stream-dimensions.patch b/debian/patches/post-0.8/0057-vp56-error-out-on-invalid-stream-dimensions.patch
new file mode 100644
index 0000000..bf836a8
--- /dev/null
+++ b/debian/patches/post-0.8/0057-vp56-error-out-on-invalid-stream-dimensions.patch
@@ -0,0 +1,60 @@
+From b2dcac7141a2fb72074679efbefcb4d8bef24c41 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Thu, 23 Feb 2012 11:19:33 -0800
+Subject: [PATCH 57/80] vp56: error out on invalid stream dimensions.
+
+Prevents crashes when playing corrupt vp5/6 streams.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 8bc396fc0e8769a056375c1c211f389ce0e3ecc5)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/vp5.c | 5 +++++
+ libavcodec/vp6.c | 6 +++++-
+ 2 files changed, 10 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/vp5.c b/libavcodec/vp5.c
+index 56f667c..1c6eaa9 100644
+--- a/libavcodec/vp5.c
++++ b/libavcodec/vp5.c
+@@ -57,6 +57,11 @@ static int vp5_parse_header(VP56Context *s, const uint8_t *buf, int buf_size,
+ }
+ rows = vp56_rac_gets(c, 8); /* number of stored macroblock rows */
+ cols = vp56_rac_gets(c, 8); /* number of stored macroblock cols */
++ if (!rows || !cols) {
++ av_log(s->avctx, AV_LOG_ERROR, "Invalid size %dx%d\n",
++ cols << 4, rows << 4);
++ return 0;
++ }
+ vp56_rac_gets(c, 8); /* number of displayed macroblock rows */
+ vp56_rac_gets(c, 8); /* number of displayed macroblock cols */
+ vp56_rac_gets(c, 2);
+diff --git a/libavcodec/vp6.c b/libavcodec/vp6.c
+index 9433983..e4783c6 100644
+--- a/libavcodec/vp6.c
++++ b/libavcodec/vp6.c
+@@ -77,6 +77,10 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size,
+ cols = buf[3]; /* number of stored macroblock cols */
+ /* buf[4] is number of displayed macroblock rows */
+ /* buf[5] is number of displayed macroblock cols */
++ if (!rows || !cols) {
++ av_log(s->avctx, AV_LOG_ERROR, "Invalid size %dx%d\n", cols << 4, rows << 4);
++ return 0;
++ }
+
+ if (!s->macroblocks || /* first frame */
+ 16*cols != s->avctx->coded_width ||
+@@ -97,7 +101,7 @@ static int vp6_parse_header(VP56Context *s, const uint8_t *buf, int buf_size,
+ vrt_shift = 5;
+ s->sub_version = sub_version;
+ } else {
+- if (!s->sub_version)
++ if (!s->sub_version || !s->avctx->coded_width || !s->avctx->coded_height)
+ return 0;
+
+ if (separated_coeff || !s->filter_header) {
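Review bot: The widened condition rejects the frame with `return 0` but logs nothing, unlike the zero-dimension check added earlier in this patch, which reports `Invalid size`. A corrupt stream that trips this path cannot be told apart from one that only lacks `sub_version`. An `av_log(s->avctx, AV_LOG_ERROR, "Frame received before valid stream dimensions were set\n");` before the return would make triage easier. vp6_parse_header begins and ends outside the hunk, so the meaning of the 0 return is inferred from the sibling checks.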
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0058-swscale-fix-another-integer-overflow.patch b/debian/patches/post-0.8/0058-swscale-fix-another-integer-overflow.patch
new file mode 100644
index 0000000..db7c18a
--- /dev/null
+++ b/debian/patches/post-0.8/0058-swscale-fix-another-integer-overflow.patch
@@ -0,0 +1,30 @@
+From 5f896773e07126dd66f5b83e604e99adb30617cb Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Tue, 28 Feb 2012 18:21:31 -0800
+Subject: [PATCH 58/80] swscale: fix another integer overflow.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 791de61bbb0d2bceb1037597b310e2a4a94494fd)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libswscale/utils.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/libswscale/utils.c b/libswscale/utils.c
+index 2d7029e..51bc384 100644
+--- a/libswscale/utils.c
++++ b/libswscale/utils.c
+@@ -1013,7 +1013,7 @@ int sws_init_context(SwsContext *c, SwsFilter *srcFilter, SwsFilter *dstFilter)
+ c->vLumBufSize= c->vLumFilterSize;
+ c->vChrBufSize= c->vChrFilterSize;
+ for (i=0; i<dstH; i++) {
+- int chrI= i*c->chrDstH / dstH;
++ int chrI = (int64_t) i * c->chrDstH / dstH;
+ int nextSlice= FFMAX(c->vLumFilterPos[i ] + c->vLumFilterSize - 1,
+ ((c->vChrFilterPos[chrI] + c->vChrFilterSize - 1)<<c->chrSrcVSubSample));
+
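Review bot: The `(int64_t)` cast has no comment explaining why this one multiplication needs widening, so it is easy to drop in a later cleanup. Something like `/* i * chrDstH can exceed INT_MAX for large output heights */` on the line above would record the intent. The shift on the following line, `(... + c->vChrFilterSize - 1)<<c->chrSrcVSubSample`, is still plain `int` arithmetic. Whether its operands are bounded is decided outside this hunk and is worth confirming.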
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0059-qtrle-return-error-on-decode_init-failure.patch b/debian/patches/post-0.8/0059-qtrle-return-error-on-decode_init-failure.patch
new file mode 100644
index 0000000..48b9fb1
--- /dev/null
+++ b/debian/patches/post-0.8/0059-qtrle-return-error-on-decode_init-failure.patch
@@ -0,0 +1,30 @@
+From e904e9b7204b6ebd3433dd49a6c978ffb293cbdc Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Tue, 28 Feb 2012 19:00:39 -0800
+Subject: [PATCH 59/80] qtrle: return error on decode_init() failure.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit e54ae60e46f737b8e9a96548971091f7ab6b8f7c)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/qtrle.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/qtrle.c b/libavcodec/qtrle.c
+index 0c74798..6e7b3c2 100644
+--- a/libavcodec/qtrle.c
++++ b/libavcodec/qtrle.c
+@@ -407,7 +407,7 @@ static av_cold int qtrle_decode_init(AVCodecContext *avctx)
+ default:
+ av_log (avctx, AV_LOG_ERROR, "Unsupported colorspace: %d bits/sample?\n",
+ avctx->bits_per_coded_sample);
+- break;
++ return AVERROR_INVALIDDATA;
+ }
+
+ s->frame.data[0] = NULL;
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0060-rpza-error-out-on-buffer-overreads.patch b/debian/patches/post-0.8/0060-rpza-error-out-on-buffer-overreads.patch
new file mode 100644
index 0000000..78fb061
--- /dev/null
+++ b/debian/patches/post-0.8/0060-rpza-error-out-on-buffer-overreads.patch
@@ -0,0 +1,39 @@
+From 4493af756b8f8346b1e7671b487afc34c72bc16e Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Tue, 28 Feb 2012 17:04:33 -0800
+Subject: [PATCH 60/80] rpza: error out on buffer overreads.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 78e9852a2e3b198ecd69ffa0deab3fa22a8e5378)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/rpza.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/rpza.c b/libavcodec/rpza.c
+index 7350ef2..59c3a7b 100644
+--- a/libavcodec/rpza.c
++++ b/libavcodec/rpza.c
+@@ -183,6 +183,8 @@ static void rpza_decode_stream(RpzaContext *s)
+ color4[1] |= ((11 * ta + 21 * tb) >> 5);
+ color4[2] |= ((21 * ta + 11 * tb) >> 5);
+
++ if (s->size - stream_ptr < n_blocks * 4)
++ return;
+ while (n_blocks--) {
+ block_ptr = row_ptr + pixel_ptr;
+ for (pixel_y = 0; pixel_y < 4; pixel_y++) {
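Review bot: Both new guards (this one and the `< 16` check in the next hunk) leave `rpza_decode_stream` with a bare `return`, and because the function is `void` the caller cannot tell a truncated chunk from a fully decoded frame. At minimum log it, e.g. `av_log(s->avctx, AV_LOG_ERROR, "Truncated RPZA chunk\n");`, assuming the context keeps an `avctx` pointer (not visible here). The comparison `s->size - stream_ptr < n_blocks * 4` is also only reliable if `stream_ptr` can never exceed `s->size` and the operands are signed; their declarations are outside the hunk, so that should be confirmed. Only two opcode paths are guarded in the visible hunks.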
+@@ -200,6 +202,8 @@ static void rpza_decode_stream(RpzaContext *s)
+
+ /* Fill block with 16 colors */
+ case 0x00:
++ if (s->size - stream_ptr < 16)
++ return;
+ block_ptr = row_ptr + pixel_ptr;
+ for (pixel_y = 0; pixel_y < 4; pixel_y++) {
+ for (pixel_x = 0; pixel_x < 4; pixel_x++){
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0061-vmnc-return-error-on-decode_init-failure.patch b/debian/patches/post-0.8/0061-vmnc-return-error-on-decode_init-failure.patch
new file mode 100644
index 0000000..b73d433
--- /dev/null
+++ b/debian/patches/post-0.8/0061-vmnc-return-error-on-decode_init-failure.patch
@@ -0,0 +1,29 @@
+From 1dd1ee00d54ba2a9f5d8ae2e82a22891300b6807 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Tue, 28 Feb 2012 19:00:48 -0800
+Subject: [PATCH 61/80] vmnc: return error on decode_init() failure.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 07a180972fb369bb59bf6d4f8edb4598c51e80d2)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/vmnc.c | 1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/vmnc.c b/libavcodec/vmnc.c
+index a72c507..ca0ba82 100644
+--- a/libavcodec/vmnc.c
++++ b/libavcodec/vmnc.c
+@@ -483,6 +483,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
+ break;
+ default:
+ av_log(avctx, AV_LOG_ERROR, "Unsupported bitdepth %i\n", c->bpp);
++ return AVERROR_INVALIDDATA;
+ }
+
+ return 0;
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0062-huffyuv-do-not-abort-on-unknown-pix_fmt-instead-retu.patch b/debian/patches/post-0.8/0062-huffyuv-do-not-abort-on-unknown-pix_fmt-instead-retu.patch
new file mode 100644
index 0000000..a9bab2f
--- /dev/null
+++ b/debian/patches/post-0.8/0062-huffyuv-do-not-abort-on-unknown-pix_fmt-instead-retu.patch
@@ -0,0 +1,31 @@
+From a63f3f714c014b3fcaffd45943bc089167b3fe61 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Thu, 1 Mar 2012 09:41:22 -0800
+Subject: [PATCH 62/80] huffyuv: do not abort on unknown pix_fmt; instead,
+ return an error.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 63c9de6469005974288f4e4d89fc79a590e38c06)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/huffyuv.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/huffyuv.c b/libavcodec/huffyuv.c
+index efa87de..412fe4b 100644
+--- a/libavcodec/huffyuv.c
++++ b/libavcodec/huffyuv.c
+@@ -514,7 +514,7 @@ s->bgr32=1;
+ }
+ break;
+ default:
+- assert(0);
++ return AVERROR_INVALIDDATA;
+ }
+
+ alloc_temp(s);
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0063-h264-error-out-on-invalid-bitdepth.patch b/debian/patches/post-0.8/0063-h264-error-out-on-invalid-bitdepth.patch
new file mode 100644
index 0000000..3a1845e
--- /dev/null
+++ b/debian/patches/post-0.8/0063-h264-error-out-on-invalid-bitdepth.patch
@@ -0,0 +1,69 @@
+From 750f5baf3036d5a4c488a60d1cd6e872e4a871c4 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Thu, 1 Mar 2012 11:56:05 -0800
+Subject: [PATCH 63/80] h264: error out on invalid bitdepth.
+
+Fixes invalid reads while initializing the dequant tables, which uses
+the bit depth to determine the QP table size.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 0ce4fe482c27abfa7eac503a52fdc50b70ccd871)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/h264.c | 17 +++++++++++------
+ 1 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/libavcodec/h264.c b/libavcodec/h264.c
+index e92acbd..449c634 100644
+--- a/libavcodec/h264.c
++++ b/libavcodec/h264.c
+@@ -2707,11 +2707,6 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
+ s->avctx->level = h->sps.level_idc;
+ s->avctx->refs = h->sps.ref_frame_count;
+
+- if(h == h0 && h->dequant_coeff_pps != pps_id){
+- h->dequant_coeff_pps = pps_id;
+- init_dequant_tables(h);
+- }
+-
+ s->mb_width= h->sps.mb_width;
+ s->mb_height= h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag);
+
+@@ -2786,7 +2781,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
+ else
+ s->avctx->pix_fmt = PIX_FMT_YUV420P10;
+ break;
+- default:
++ case 8:
+ if (CHROMA444){
+ if (s->avctx->colorspace == AVCOL_SPC_RGB) {
+ s->avctx->pix_fmt = PIX_FMT_GBRP;
+@@ -2802,6 +2797,11 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
+ hwaccel_pixfmt_list_h264_jpeg_420 :
+ ff_hwaccel_pixfmt_list_420);
+ }
++ break;
++ default:
++ av_log(s->avctx, AV_LOG_ERROR,
++ "Unsupported bit depth: %d\n", h->sps.bit_depth_luma);
++ return AVERROR_INVALIDDATA;
+ }
+
+ s->avctx->hwaccel = ff_find_hwaccel(s->avctx->codec->id, s->avctx->pix_fmt);
+@@ -2846,6 +2846,11 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
+ }
+ }
+
++ if(h == h0 && h->dequant_coeff_pps != pps_id){
++ h->dequant_coeff_pps = pps_id;
++ init_dequant_tables(h);
++ }
++
+ h->frame_num= get_bits(&s->gb, h->sps.log2_max_frame_num);
+
+ h->mb_mbaff = 0;
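Review bot: The relocated `init_dequant_tables(h)` call now depends on running after the bit-depth `switch` earlier in `decode_slice_header`, but nothing at the call site says so. A comment such as `/* must stay after the bit depth validation: the dequant table size is derived from the bit depth */` would stop the block from being moved back up. The new `default:` branch also returns after `s->avctx->level`, `s->avctx->refs` and `s->mb_width`/`s->mb_height` have been overwritten from the rejected SPS, so confirm that later calls do not rely on those fields being consistent. As far as the hunks show, both the error message and the check cover only `bit_depth_luma`.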
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0064-avutil-add-AVERROR_UNKNOWN.patch b/debian/patches/post-0.8/0064-avutil-add-AVERROR_UNKNOWN.patch
new file mode 100644
index 0000000..cf87784
--- /dev/null
+++ b/debian/patches/post-0.8/0064-avutil-add-AVERROR_UNKNOWN.patch
@@ -0,0 +1,76 @@
+From 7f3f85544ca7804fde2210c129a4458536330dc6 Mon Sep 17 00:00:00 2001
+From: Justin Ruggles <justin.ruggles at gmail.com>
+Date: Fri, 24 Feb 2012 23:27:14 -0500
+Subject: [PATCH 64/80] avutil: add AVERROR_UNKNOWN
+
+Useful to return instead of -1 when the cause of the error is unknown,
+typically from an external library.
+(cherry picked from commit c9bca801324f03746757aef8549ebd26599adec2)
+
+Conflicts:
+
+ doc/APIchanges
+ libavutil/avutil.h
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ doc/APIchanges | 3 +++
+ libavutil/avutil.h | 2 +-
+ libavutil/error.c | 1 +
+ libavutil/error.h | 1 +
+ 4 files changed, 6 insertions(+), 1 deletions(-)
+
+diff --git a/doc/APIchanges b/doc/APIchanges
+index 58186a0..78e37f4 100644
+--- a/doc/APIchanges
++++ b/doc/APIchanges
+@@ -13,6 +13,9 @@ libavutil: 2011-04-18
+
+ API changes, most recent first:
+
++2012-03-04 - xxxxxxx - lavu 51.22.1 - error.h
++ Add AVERROR_UNKNOWN
++
+ 2012-02-29 - xxxxxxx - lavf 53.21.0
+ Add avformat_get_riff_video_tags() and avformat_get_riff_audio_tags().
+
+diff --git a/libavutil/avutil.h b/libavutil/avutil.h
+index 0e62b4a..05e9248 100644
+--- a/libavutil/avutil.h
++++ b/libavutil/avutil.h
+@@ -155,7 +155,7 @@
+
+ #define LIBAVUTIL_VERSION_MAJOR 51
+ #define LIBAVUTIL_VERSION_MINOR 22
+-#define LIBAVUTIL_VERSION_MICRO 0
++#define LIBAVUTIL_VERSION_MICRO 1
+
+ #define LIBAVUTIL_VERSION_INT AV_VERSION_INT(LIBAVUTIL_VERSION_MAJOR, \
+ LIBAVUTIL_VERSION_MINOR, \
+diff --git a/libavutil/error.c b/libavutil/error.c
+index a330e9f..21b6876 100644
+--- a/libavutil/error.c
++++ b/libavutil/error.c
+@@ -39,6 +39,7 @@ int av_strerror(int errnum, char *errbuf, size_t errbuf_size)
+ case AVERROR_PROTOCOL_NOT_FOUND:errstr = "Protocol not found" ; break;
+ case AVERROR_STREAM_NOT_FOUND: errstr = "Stream not found" ; break;
+ case AVERROR_BUG: errstr = "Bug detected, please report the issue" ; break;
++ case AVERROR_UNKNOWN: errstr = "Unknown error occurred" ; break;
+ }
+
+ if (errstr) {
+diff --git a/libavutil/error.h b/libavutil/error.h
+index 2db65cb..11bcc5c 100644
+--- a/libavutil/error.h
++++ b/libavutil/error.h
+@@ -58,6 +58,7 @@
+ #define AVERROR_PROTOCOL_NOT_FOUND (-MKTAG(0xF8,'P','R','O')) ///< Protocol not found
+ #define AVERROR_STREAM_NOT_FOUND (-MKTAG(0xF8,'S','T','R')) ///< Stream not found
+ #define AVERROR_BUG (-MKTAG( 'B','U','G',' ')) ///< Bug detected, please report the issue
++#define AVERROR_UNKNOWN (-MKTAG( 'U','N','K','N')) ///< Unknown error, typically from an external library
+
+ /**
+ * Put a description of the AVERROR code errnum in errbuf.
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0065-lcl-return-negative-error-codes-on-decode_init-error.patch b/debian/patches/post-0.8/0065-lcl-return-negative-error-codes-on-decode_init-error.patch
new file mode 100644
index 0000000..5e38a1d
--- /dev/null
+++ b/debian/patches/post-0.8/0065-lcl-return-negative-error-codes-on-decode_init-error.patch
@@ -0,0 +1,84 @@
+From 7e88df99e1d26accc56b0da52d271a57995ecde7 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Wed, 29 Feb 2012 17:50:28 -0800
+Subject: [PATCH 65/80] lcl: return negative error codes on decode_init()
+ errors.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit bd17a40a7e0eba21b5d27c67aff795e2910766e4)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/lcldec.c | 14 +++++++-------
+ 1 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/libavcodec/lcldec.c b/libavcodec/lcldec.c
+index 5b18418..679824c 100644
+--- a/libavcodec/lcldec.c
++++ b/libavcodec/lcldec.c
+@@ -476,7 +476,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
+
+ if (avctx->extradata_size < 8) {
+ av_log(avctx, AV_LOG_ERROR, "Extradata size too small.\n");
+- return 1;
++ return AVERROR_INVALIDDATA;
+ }
+
+ /* Check codec type */
+@@ -525,7 +525,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
+ break;
+ default:
+ av_log(avctx, AV_LOG_ERROR, "Unsupported image format %d.\n", c->imgtype);
+- return 1;
++ return AVERROR_INVALIDDATA;
+ }
+
+ /* Detect compression method */
+@@ -542,7 +542,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
+ break;
+ default:
+ av_log(avctx, AV_LOG_ERROR, "Unsupported compression format for MSZH (%d).\n", c->compression);
+- return 1;
++ return AVERROR_INVALIDDATA;
+ }
+ break;
+ #if CONFIG_ZLIB_DECODER
+@@ -560,7 +560,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
+ default:
+ if (c->compression < Z_NO_COMPRESSION || c->compression > Z_BEST_COMPRESSION) {
+ av_log(avctx, AV_LOG_ERROR, "Unsupported compression level for ZLIB: (%d).\n", c->compression);
+- return 1;
++ return AVERROR_INVALIDDATA;
+ }
+ av_log(avctx, AV_LOG_DEBUG, "Compression level for ZLIB: (%d).\n", c->compression);
+ }
+@@ -568,14 +568,14 @@ static av_cold int decode_init(AVCodecContext *avctx)
+ #endif
+ default:
+ av_log(avctx, AV_LOG_ERROR, "BUG! Unknown codec in compression switch.\n");
+- return 1;
++ return AVERROR_INVALIDDATA;
+ }
+
+ /* Allocate decompression buffer */
+ if (c->decomp_size) {
+ if ((c->decomp_buf = av_malloc(max_decomp_size)) == NULL) {
+ av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n");
+- return 1;
++ return AVERROR(ENOMEM);
+ }
+ }
+
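Review bot: The `"BUG! Unknown codec in compression switch."` branch now returns `AVERROR_INVALIDDATA`, which tells the caller the input was bad when the message says the decoder itself is in an impossible state. `AVERROR_BUG` is already defined in libavutil/error.h (it appears as context in the AVERROR_UNKNOWN patch of this series), so `return AVERROR_BUG;` would match the log line. decode_init starts and ends outside the hunk, so cleanup on the earlier error paths cannot be checked from here.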
+@@ -601,7 +601,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
+ if (zret != Z_OK) {
+ av_log(avctx, AV_LOG_ERROR, "Inflate init error: %d\n", zret);
+ av_freep(&c->decomp_buf);
+- return 1;
++ return AVERROR_UNKNOWN;
+ }
+ }
+ #endif
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0066-rv10-20-Fix-a-buffer-overread-caused-by-losing-track.patch b/debian/patches/post-0.8/0066-rv10-20-Fix-a-buffer-overread-caused-by-losing-track.patch
new file mode 100644
index 0000000..2013850
--- /dev/null
+++ b/debian/patches/post-0.8/0066-rv10-20-Fix-a-buffer-overread-caused-by-losing-track.patch
@@ -0,0 +1,44 @@
+From 19da1a39e861968c27504b67d481d32339669e2a Mon Sep 17 00:00:00 2001
+From: Alex Converse <alex.converse at gmail.com>
+Date: Thu, 1 Mar 2012 14:07:22 -0800
+Subject: [PATCH 66/80] rv10/20: Fix a buffer overread caused by losing track
+ of the remaining buffer size.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 2f6528537fdd88820f3a4683d5e595d7b3a62689)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/rv10.c | 6 +++++-
+ 1 files changed, 5 insertions(+), 1 deletions(-)
+
+diff --git a/libavcodec/rv10.c b/libavcodec/rv10.c
+index ccc0944..d7d7ed2 100644
+--- a/libavcodec/rv10.c
++++ b/libavcodec/rv10.c
+@@ -642,8 +642,12 @@ static int rv10_decode_frame(AVCodecContext *avctx,
+
+ if(!avctx->slice_count){
+ slice_count = (*buf++) + 1;
++ buf_size--;
+ slices_hdr = buf + 4;
+ buf += 8 * slice_count;
++ buf_size -= 8 * slice_count;
++ if (buf_size <= 0)
++ return AVERROR_INVALIDDATA;
+ }else
+ slice_count = avctx->slice_count;
+
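Review bot: `buf` is advanced by `8 * slice_count` before `buf_size` is tested, so on a short packet the pointer has already moved past the end of the input (and `slices_hdr` points into it) before the function bails out. Checking first keeps the pointer arithmetic inside the buffer: `if (buf_size <= 8 * slice_count) return AVERROR_INVALIDDATA;` placed right after `buf_size--;`, followed by the two adjustments. The initial `*buf++` read also assumes at least one byte is present. Whether an earlier check in `rv10_decode_frame` guarantees that is outside this hunk.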
+@@ -682,7 +686,7 @@ static int rv10_decode_frame(AVCodecContext *avctx,
+ s->current_picture_ptr= NULL; //so we can detect if frame_end wasnt called (find some nicer solution...)
+ }
+
+- return buf_size;
++ return avpkt->size;
+ }
+
+ AVCodec ff_rv10_decoder = {
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0067-wmadec-Verify-bitstream-size-makes-sense-before-call.patch b/debian/patches/post-0.8/0067-wmadec-Verify-bitstream-size-makes-sense-before-call.patch
new file mode 100644
index 0000000..8bb0741
--- /dev/null
+++ b/debian/patches/post-0.8/0067-wmadec-Verify-bitstream-size-makes-sense-before-call.patch
@@ -0,0 +1,30 @@
+From fecd7468fcbf9115afdd8bf3dc3d08da0975e4d8 Mon Sep 17 00:00:00 2001
+From: Alex Converse <alex.converse at gmail.com>
+Date: Fri, 27 Jan 2012 14:24:07 -0800
+Subject: [PATCH 67/80] wmadec: Verify bitstream size makes sense before
+ calling init_get_bits.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+(cherry picked from commit 48f1e5212c90b511c90fa0449655abb06a9edda2)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/wmadec.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c
+index afc0658..b9fc21f 100644
+--- a/libavcodec/wmadec.c
++++ b/libavcodec/wmadec.c
+@@ -877,6 +877,8 @@ static int wma_decode_superframe(AVCodecContext *avctx, void *data,
+
+ /* read each frame starting from bit_offset */
+ pos = bit_offset + 4 + 4 + s->byte_offset_bits + 3;
++ if (pos >= MAX_CODED_SUPERFRAME_SIZE * 8)
++ return AVERROR_INVALIDDATA;
+ init_get_bits(&s->gb, buf + (pos >> 3), (MAX_CODED_SUPERFRAME_SIZE - (pos >> 3))*8);
+ len = pos & 7;
+ if (len > 0)
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0068-wma-fix-invalid-buffer-size-assumptions-causing-rand.patch b/debian/patches/post-0.8/0068-wma-fix-invalid-buffer-size-assumptions-causing-rand.patch
new file mode 100644
index 0000000..225682e
--- /dev/null
+++ b/debian/patches/post-0.8/0068-wma-fix-invalid-buffer-size-assumptions-causing-rand.patch
@@ -0,0 +1,73 @@
+From b863979c0f36b565857c49cf6297810e22a9ba10 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Thu, 1 Mar 2012 16:19:51 -0800
+Subject: [PATCH 68/80] wma: fix invalid buffer size assumptions causing
+ random overreads.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 349b7977e408f18cff01ab31dfa66c8249b6584a)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/wma.h | 2 +-
+ libavcodec/wmadec.c | 13 ++++++++++---
+ 2 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/libavcodec/wma.h b/libavcodec/wma.h
+index 4acbf04..d6f4880 100644
+--- a/libavcodec/wma.h
++++ b/libavcodec/wma.h
+@@ -124,7 +124,7 @@ typedef struct WMACodecContext {
+ /* output buffer for one frame and the last for IMDCT windowing */
+ DECLARE_ALIGNED(32, float, frame_out)[MAX_CHANNELS][BLOCK_MAX_SIZE * 2];
+ /* last frame info */
+- uint8_t last_superframe[MAX_CODED_SUPERFRAME_SIZE + 4]; /* padding added */
++ uint8_t last_superframe[MAX_CODED_SUPERFRAME_SIZE + FF_INPUT_BUFFER_PADDING_SIZE]; /* padding added */
+ int last_bitoffset;
+ int last_superframe_len;
+ float noise_table[NOISE_TAB_SIZE];
+diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c
+index b9fc21f..37feca1 100644
+--- a/libavcodec/wmadec.c
++++ b/libavcodec/wmadec.c
+@@ -845,6 +845,12 @@ static int wma_decode_superframe(AVCodecContext *avctx, void *data,
+
+ if (s->use_bit_reservoir) {
+ bit_offset = get_bits(&s->gb, s->byte_offset_bits + 3);
++ if (bit_offset > get_bits_left(&s->gb)) {
++ av_log(avctx, AV_LOG_ERROR,
++ "Invalid last frame bit offset %d > buf size %d (%d)\n",
++ bit_offset, get_bits_left(&s->gb), buf_size);
++ goto fail;
++ }
+
+ if (s->last_superframe_len > 0) {
+ // printf("skip=%d\n", s->last_bitoffset);
+@@ -861,9 +867,10 @@ static int wma_decode_superframe(AVCodecContext *avctx, void *data,
+ if (len > 0) {
+ *q++ = (get_bits)(&s->gb, len) << (8 - len);
+ }
++ memset(q, 0, FF_INPUT_BUFFER_PADDING_SIZE);
+
+ /* XXX: bit_offset bits into last frame */
+- init_get_bits(&s->gb, s->last_superframe, MAX_CODED_SUPERFRAME_SIZE*8);
++ init_get_bits(&s->gb, s->last_superframe, s->last_superframe_len * 8 + bit_offset);
+ /* skip unused bits */
+ if (s->last_bitoffset > 0)
+ skip_bits(&s->gb, s->last_bitoffset);
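Review bot: `memset(q, 0, FF_INPUT_BUFFER_PADDING_SIZE)` writes a full padding block starting at `q`, and its safety rests on two things the call site does not mention. One is that `last_superframe` was enlarged to `MAX_CODED_SUPERFRAME_SIZE + FF_INPUT_BUFFER_PADDING_SIZE` in wma.h by this same patch. The other is that `q` is limited to the first `MAX_CODED_SUPERFRAME_SIZE` bytes by a length check outside this hunk, which should be confirmed. A comment such as `/* q <= last_superframe + MAX_CODED_SUPERFRAME_SIZE here; the array carries the padding */` would record the coupling. Without it, a later change to either the array size or the length check can silently turn this into an out-of-bounds write.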
+@@ -877,9 +884,9 @@ static int wma_decode_superframe(AVCodecContext *avctx, void *data,
+
+ /* read each frame starting from bit_offset */
+ pos = bit_offset + 4 + 4 + s->byte_offset_bits + 3;
+- if (pos >= MAX_CODED_SUPERFRAME_SIZE * 8)
++ if (pos >= MAX_CODED_SUPERFRAME_SIZE * 8 || pos > buf_size * 8)
+ return AVERROR_INVALIDDATA;
+- init_get_bits(&s->gb, buf + (pos >> 3), (MAX_CODED_SUPERFRAME_SIZE - (pos >> 3))*8);
++ init_get_bits(&s->gb, buf + (pos >> 3), (buf_size - (pos >> 3))*8);
+ len = pos & 7;
+ if (len > 0)
+ skip_bits(&s->gb, len);
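Review bot: This bounds failure exits through `return AVERROR_INVALIDDATA`, while the `bit_offset` check added earlier in the same function by this patch uses `goto fail`. If the `fail` label resets per-stream state such as `last_superframe_len` (the label is outside the hunks), returning directly here skips that reset and the next packet is decoded against stale reservoir data. Using `goto fail;` for both, or documenting why this exit is different, would make the error handling uniform.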
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0069-matroska-check-buffer-size-for-RM-style-byte-reorder.patch b/debian/patches/post-0.8/0069-matroska-check-buffer-size-for-RM-style-byte-reorder.patch
new file mode 100644
index 0000000..6a7bed7
--- /dev/null
+++ b/debian/patches/post-0.8/0069-matroska-check-buffer-size-for-RM-style-byte-reorder.patch
@@ -0,0 +1,57 @@
+From 9686a2c2cfdb103784bd9153042da4f9656b56c6 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Thu, 1 Mar 2012 17:01:22 -0800
+Subject: [PATCH 69/80] matroska: check buffer size for RM-style byte
+ reordering.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 9c239f6026a170866a4a0c96908980ac2cfaa8b3)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavformat/matroskadec.c | 22 +++++++++++++++++++---
+ 1 files changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c
+index 1987b50..59e0e1f 100644
+--- a/libavformat/matroskadec.c
++++ b/libavformat/matroskadec.c
+@@ -1808,15 +1808,31 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data,
+ if (!track->audio.pkt_cnt) {
+ if (track->audio.sub_packet_cnt == 0)
+ track->audio.buf_timecode = timecode;
+- if (st->codec->codec_id == CODEC_ID_RA_288)
++ if (st->codec->codec_id == CODEC_ID_RA_288) {
++ if (size < cfs * h / 2) {
++ av_log(matroska->ctx, AV_LOG_ERROR,
++ "Corrupt int4 RM-style audio packet size\n");
++ return AVERROR_INVALIDDATA;
++ }
+ for (x=0; x<h/2; x++)
+ memcpy(track->audio.buf+x*2*w+y*cfs,
+ data+x*cfs, cfs);
+- else if (st->codec->codec_id == CODEC_ID_SIPR)
++ } else if (st->codec->codec_id == CODEC_ID_SIPR) {
++ if (size < w) {
++ av_log(matroska->ctx, AV_LOG_ERROR,
++ "Corrupt sipr RM-style audio packet size\n");
++ return AVERROR_INVALIDDATA;
++ }
+ memcpy(track->audio.buf + y*w, data, w);
+- else
++ } else {
++ if (size < sps * w / sps) {
++ av_log(matroska->ctx, AV_LOG_ERROR,
++ "Corrupt generic RM-style audio packet size\n");
++ return AVERROR_INVALIDDATA;
++ }
+ for (x=0; x<w/sps; x++)
+ memcpy(track->audio.buf+sps*(h*x+((h+1)/2)*(y&1)+(y>>1)), data+x*sps, sps);
++ }
+
+ if (++track->audio.sub_packet_cnt >= h) {
+ if (st->codec->codec_id == CODEC_ID_SIPR)
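Review bot: In the generic branch `size < sps * w / sps` parses as `(sps * w) / sps`, so it reduces to `size < w` when `sps` is non-zero, can overflow in the multiplication, and divides by zero when `sps` is 0. The loop below reads `w / sps` chunks of `sps` bytes, so the intended bound is probably `if (size < w / sps * sps)`, or simply `size < w` to be conservative. Either way `sps`, `cfs`, `h` and `w` need to be known non-zero and bounded before this point, which is not visible in the hunk. These checks also cover only the reads from `data`: the destination offsets into `track->audio.buf` are computed from the same header fields and are not bounded here.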
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0070-amrwb-error-out-early-if-mode-is-invalid.patch b/debian/patches/post-0.8/0070-amrwb-error-out-early-if-mode-is-invalid.patch
new file mode 100644
index 0000000..7e20b1a
--- /dev/null
+++ b/debian/patches/post-0.8/0070-amrwb-error-out-early-if-mode-is-invalid.patch
@@ -0,0 +1,56 @@
+From de2656ec2518cae65a2b2823470a3ebe15934ba9 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Thu, 1 Mar 2012 13:51:21 -0800
+Subject: [PATCH 70/80] amrwb: error out early if mode is invalid.
+
+Prevents using the invalid mode as an index in a static array, which
+would generate invalid reads.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 154b8bb80029e71d562e8936164266300dd35a0e)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/amrwbdec.c | 12 ++++++++----
+ 1 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c
+index 6ea5d22..0ebaf47 100644
+--- a/libavcodec/amrwbdec.c
++++ b/libavcodec/amrwbdec.c
+@@ -1095,23 +1095,27 @@ static int amrwb_decode_frame(AVCodecContext *avctx, void *data,
+ buf_out = (float *)ctx->avframe.data[0];
+
+ header_size = decode_mime_header(ctx, buf);
++ if (ctx->fr_cur_mode > MODE_SID) {
++ av_log(avctx, AV_LOG_ERROR,
++ "Invalid mode %d\n", ctx->fr_cur_mode);
++ return AVERROR_INVALIDDATA;
++ }
+ expected_fr_size = ((cf_sizes_wb[ctx->fr_cur_mode] + 7) >> 3) + 1;
+
+ if (buf_size < expected_fr_size) {
+ av_log(avctx, AV_LOG_ERROR,
+ "Frame too small (%d bytes). Truncated file?\n", buf_size);
+ *got_frame_ptr = 0;
+- return buf_size;
++ return AVERROR_INVALIDDATA;
+ }
+
+ if (!ctx->fr_quality || ctx->fr_cur_mode > MODE_SID)
+ av_log(avctx, AV_LOG_ERROR, "Encountered a bad or corrupted frame\n");
+
+- if (ctx->fr_cur_mode == MODE_SID) /* Comfort noise frame */
++ if (ctx->fr_cur_mode == MODE_SID) { /* Comfort noise frame */
+ av_log_missing_feature(avctx, "SID mode", 1);
+-
+- if (ctx->fr_cur_mode >= MODE_SID)
+ return -1;
++ }
+
+ ff_amr_bit_reorder((uint16_t *) &ctx->frame, sizeof(AMRWBFrame),
+ buf + header_size, amr_bit_orderings_by_mode[ctx->fr_cur_mode]);
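Review bot: With the new early `fr_cur_mode > MODE_SID` rejection, the second half of the later `if (!ctx->fr_quality || ctx->fr_cur_mode > MODE_SID)` can no longer be true and should be dropped so the condition reads `if (!ctx->fr_quality)`. `decode_mime_header(ctx, buf)` still reads the packet before any `buf_size` test in this hunk, so an empty packet is only safe if it is rejected earlier in `amrwb_decode_frame`, which is not visible here. The SID branch also still returns a bare `-1` while the neighbouring exits were converted to `AVERROR_INVALIDDATA`; an AVERROR code would be consistent.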
+--
+1.7.5.4
+
diff --git a/debian/patches/post-0.8/0071-amrwb-remove-duplicate-arguments-from-extrapolate_is.patch b/debian/patches/post-0.8/0071-amrwb-remove-duplicate-arguments-from-extrapolate_is.patch
new file mode 100644
index 0000000..ebfe75c
--- /dev/null
+++ b/debian/patches/post-0.8/0071-amrwb-remove-duplicate-arguments-from-extrapolate_is.patch
@@ -0,0 +1,94 @@
+From 78d4f8cc56554e5d19c3f5688902278c3b795a04 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Thu, 1 Mar 2012 15:44:25 -0800
+Subject: [PATCH 71/80] amrwb: remove duplicate arguments from
+ extrapolate_isf().
+
+Prevents warnings because the dst and src overlap (are the same) in the
+memcpy() inside the function.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 9d87374ec0f382c8394ad511243db6980afa42af)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/amrwbdec.c | 25 ++++++++++++-------------
+ 1 files changed, 12 insertions(+), 13 deletions(-)
+
+diff --git a/libavcodec/amrwbdec.c b/libavcodec/amrwbdec.c
+index 0ebaf47..b9ae9ec 100644
+--- a/libavcodec/amrwbdec.c
++++ b/libavcodec/amrwbdec.c
+@@ -898,10 +898,10 @@ static float auto_correlation(float *diff_isf, float mean, int lag)
+ * Extrapolate a ISF vector to the 16kHz range (20th order LP)
+ * used at mode 6k60 LP filter for the high frequency band.
+ *
+- * @param[out] out Buffer for extrapolated isf
+- * @param[in] isf Input isf vector
++ * @param[out] isf Buffer for extrapolated isf; contains LP_ORDER
++ * values on input
+ */
+-static void extrapolate_isf(float out[LP_ORDER_16k], float isf[LP_ORDER])
++static void extrapolate_isf(float isf[LP_ORDER_16k])
+ {
+ float diff_isf[LP_ORDER - 2], diff_mean;
+ float *diff_hi = diff_isf - LP_ORDER + 1; // diff array for extrapolated indexes
+@@ -909,8 +909,7 @@ static void extrapolate_isf(float out[LP_ORDER_16k], float isf[LP_ORDER])
+ float est, scale;
+ int i, i_max_corr;
+
+- memcpy(out, isf, (LP_ORDER - 1) * sizeof(float));
+- out[LP_ORDER_16k - 1] = isf[LP_ORDER - 1];
++ isf[LP_ORDER_16k - 1] = isf[LP_ORDER - 1];
+
+ /* Calculate the difference vector */
+ for (i = 0; i < LP_ORDER - 2; i++)
+@@ -931,16 +930,16 @@ static void extrapolate_isf(float out[LP_ORDER_16k], float isf[LP_ORDER])
+ i_max_corr++;
+
+ for (i = LP_ORDER - 1; i < LP_ORDER_16k - 1; i++)
+- out[i] = isf[i - 1] + isf[i - 1 - i_max_corr]
++ isf[i] = isf[i - 1] + isf[i - 1 - i_max_corr]
+ - isf[i - 2 - i_max_corr];
+
+ /* Calculate an estimate for ISF(18) and scale ISF based on the error */
+- est = 7965 + (out[2] - out[3] - out[4]) / 6.0;
+- scale = 0.5 * (FFMIN(est, 7600) - out[LP_ORDER - 2]) /
+- (out[LP_ORDER_16k - 2] - out[LP_ORDER - 2]);
++ est = 7965 + (isf[2] - isf[3] - isf[4]) / 6.0;
++ scale = 0.5 * (FFMIN(est, 7600) - isf[LP_ORDER - 2]) /
++ (isf[LP_ORDER_16k - 2] - isf[LP_ORDER - 2]);
+
+ for (i = LP_ORDER - 1; i < LP_ORDER_16k - 1; i++)
+- diff_hi[i] = scale * (out[i] - out[i - 1]);
++ diff_hi[i] = scale * (isf[i] - isf[i - 1]);
+
+ /* Stability insurance */
+ for (i = LP_ORDER; i < LP_ORDER_16k - 1; i++)
+@@ -952,11 +951,11 @@ static void extrapolate_isf(float out[LP_ORDER_16k], float isf[LP_ORDER])
+ }
+
+ for (i = LP_ORDER - 1; i < LP_ORDER_16k - 1; i++)
+- out[i] = out[i - 1] + diff_hi[i] * (1.0f / (1 << 15));
++ isf[i] = isf[i - 1] + diff_hi[i] * (1.0f / (1 << 15));
+
+ /* Scale the ISF vector for 16000 Hz */
+ for (i = 0; i < LP_ORDER_16k - 1; i++)
+- out[i] *= 0.8;
++ isf[i] *= 0.8;
+ }
+
+ /**
+@@ -1003,7 +1002,7 @@ static void hb_synthesis(AMRWBContext *ctx, int subframe, float *samples,
+ ff_weighted_vector_sumf(e_isf, isf_past, isf, isfp_inter[subframe],
+ 1.0 - isfp_inter[subframe], LP_ORDER);
+
+- extrapolate_isf(e_isf, e_isf);
++ extrapolate_isf(e_isf);
+
+ e_isf[LP_ORDER_16k - 1] *= 2.0;
+ ff_acelp_lsf2lspd(e_isp, e_isf, LP_ORDER_16k);
+--
+1.7.5.4
+
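Review bot: The Doxygen tag on extrapolate_isf() in libavcodec/amrwbdec.c now reads `@param[out] isf`, but the same comment says the buffer holds LP_ORDER values on input and the body reads `isf[LP_ORDER - 1]` before writing anything, so the parameter is in/out. I would tag it `@param[in,out] isf` and state that the caller must supply LP_ORDER_16k elements, because the array size in `float isf[LP_ORDER_16k]` is not enforced by the compiler. The only visible caller, hb_synthesis(), passes `e_isf`, whose declaration is outside the hunk, so its size cannot be confirmed here.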
diff --git a/debian/patches/post-0.8/0072-mpegts-Pad-the-packet-buffer-in-handle_packet.patch b/debian/patches/post-0.8/0072-mpegts-Pad-the-packet-buffer-in-handle_packet.patch
new file mode 100644
index 0000000..56249d8
--- /dev/null
+++ b/debian/patches/post-0.8/0072-mpegts-Pad-the-packet-buffer-in-handle_packet.patch
@@ -0,0 +1,40 @@
+From 3f7e90cf0c12d739c5b9cd548c1916f23d691185 Mon Sep 17 00:00:00 2001
+From: Alex Converse <alex.converse at gmail.com>
+Date: Fri, 2 Mar 2012 10:13:07 -0800
+Subject: [PATCH 72/80] mpegts: Pad the packet buffer in handle_packet().
+
+This allows it to be used with get_bits without the thread of overreads.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 1aa708988ac131cf7d5c8bd59aca256a7c974df9)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavformat/mpegts.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
+index 15688a9..85e0952 100644
+--- a/libavformat/mpegts.c
++++ b/libavformat/mpegts.c
+@@ -1772,7 +1772,7 @@ static int read_packet(AVFormatContext *s, uint8_t *buf, int raw_packet_size)
+ static int handle_packets(MpegTSContext *ts, int nb_packets)
+ {
+ AVFormatContext *s = ts->stream;
+- uint8_t packet[TS_PACKET_SIZE];
++ uint8_t packet[TS_PACKET_SIZE+FF_INPUT_BUFFER_PADDING_SIZE];
+ int packet_num, ret = 0;
+
+ if (avio_tell(s->pb) != ts->last_pos) {
+@@ -1794,6 +1794,7 @@ static int handle_packets(MpegTSContext *ts, int nb_packets)
+
+ ts->stop_parse = 0;
+ packet_num = 0;
++ memset(packet + TS_PACKET_SIZE, 0, FF_INPUT_BUFFER_PADDING_SIZE);
+ for(;;) {
+ if (ts->stop_parse>0)
+ break;
+--
+1.7.5.4
+
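Review bot: The padding of `packet` in handle_packets() is zeroed once, before the `for(;;)` loop, so it stays zero only if nothing in the loop writes past the first TS_PACKET_SIZE bytes. read_packet() and the rest of the loop body are outside the hunk, so that cannot be confirmed from here. A comment beside the memset would record the invariant for later changes: `/* padding is zeroed once; the loop must never write more than TS_PACKET_SIZE bytes into packet */`.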
diff --git a/debian/patches/post-0.8/0073-mpegts-Do-not-call-read_sl_header-when-no-bytes-rema.patch b/debian/patches/post-0.8/0073-mpegts-Do-not-call-read_sl_header-when-no-bytes-rema.patch
new file mode 100644
index 0000000..42ebed7
--- /dev/null
+++ b/debian/patches/post-0.8/0073-mpegts-Do-not-call-read_sl_header-when-no-bytes-rema.patch
@@ -0,0 +1,31 @@
+From b7c8fff80351249d448b93608bfac832c1ee3b4b Mon Sep 17 00:00:00 2001
+From: Alex Converse <alex.converse at gmail.com>
+Date: Fri, 2 Mar 2012 10:12:11 -0800
+Subject: [PATCH 73/80] mpegts: Do not call read_sl_header() when no bytes
+ remain in the buffer.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 4df369692ea8aee7094ac0f233cef8d1bee139a3)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavformat/mpegts.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
+index 85e0952..cc36e65 100644
+--- a/libavformat/mpegts.c
++++ b/libavformat/mpegts.c
+@@ -889,7 +889,7 @@ static int mpegts_push_data(MpegTSFilter *filter,
+ /* we got the full header. We parse it and get the payload */
+ pes->state = MPEGTS_PAYLOAD;
+ pes->data_index = 0;
+- if (pes->stream_type == 0x12) {
++ if (pes->stream_type == 0x12 && buf_size > 0) {
+ int sl_header_bytes = read_sl_header(pes, &pes->sl, p, buf_size);
+ pes->pes_header_size += sl_header_bytes;
+ p += sl_header_bytes;
+--
+1.7.5.4
+
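Review bot: The added `buf_size > 0` test in mpegts_push_data() only skips read_sl_header() for an empty buffer; the count it returns is still added to `p` and `pes->pes_header_size` without being compared with `buf_size`. Whether read_sl_header() can report more bytes than it was given is not visible in this hunk, but if it can, `p` would advance past the end of the payload. Checking the result before `p += sl_header_bytes;`, for example `if (sl_header_bytes > buf_size) return AVERROR_INVALIDDATA;`, would close that case. The function continues outside the hunk, so the exact error path should follow whatever the rest of it does.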
diff --git a/debian/patches/post-0.8/0074-wmaenc-require-a-large-enough-output-buffer-to-preve.patch b/debian/patches/post-0.8/0074-wmaenc-require-a-large-enough-output-buffer-to-preve.patch
new file mode 100644
index 0000000..679b1ae
--- /dev/null
+++ b/debian/patches/post-0.8/0074-wmaenc-require-a-large-enough-output-buffer-to-preve.patch
@@ -0,0 +1,37 @@
+From 2e341bc99af72f1ae7c9812985635cbfeeb50269 Mon Sep 17 00:00:00 2001
+From: Justin Ruggles <justin.ruggles at gmail.com>
+Date: Fri, 2 Mar 2012 16:33:33 -0500
+Subject: [PATCH 74/80] wmaenc: require a large enough output buffer to
+ prevent overwrites
+
+The maximum theoretical frame size is around 17000 bytes. Although in
+practice it will generally be much smaller, we require a larger buffer
+just to be safe.
+
+CC: libav-stable at libav.org
+(cherry picked from commit dfc4fdedf8cfc56a505579b1f2c1c5efbce4b97e)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/wmaenc.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/wmaenc.c b/libavcodec/wmaenc.c
+index c762a72..a9053bb 100644
+--- a/libavcodec/wmaenc.c
++++ b/libavcodec/wmaenc.c
+@@ -355,6 +355,11 @@ static int encode_superframe(AVCodecContext *avctx,
+ }
+ }
+
++ if (buf_size < 2 * MAX_CODED_SUPERFRAME_SIZE) {
++ av_log(avctx, AV_LOG_ERROR, "output buffer size is too small\n");
++ return AVERROR(EINVAL);
++ }
++
+ #if 1
+ total_gain= 128;
+ for(i=64; i; i>>=1){
+--
+1.7.5.4
+
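Review bot: The factor in `buf_size < 2 * MAX_CODED_SUPERFRAME_SIZE` in encode_superframe() is unexplained in the code; the reasoning (a theoretical maximum near 17000 bytes, plus headroom) exists only in the commit message. I would add `/* worst-case coded frame is ~17000 bytes; require 2 * MAX_CODED_SUPERFRAME_SIZE as headroom */` above the check and report both sizes in the log, `"output buffer size is too small: %d < %d\n"`. The check also sits after earlier work in the function (the closing braces above it belong to code outside the hunk), so moving it to the start of encode_superframe() may be cleaner if nothing before it depends on the buffer.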
diff --git a/debian/patches/post-0.8/0075-wmaenc-limit-block_align-to-MAX_CODED_SUPERFRAME_SIZ.patch b/debian/patches/post-0.8/0075-wmaenc-limit-block_align-to-MAX_CODED_SUPERFRAME_SIZ.patch
new file mode 100644
index 0000000..98c0091
--- /dev/null
+++ b/debian/patches/post-0.8/0075-wmaenc-limit-block_align-to-MAX_CODED_SUPERFRAME_SIZ.patch
@@ -0,0 +1,41 @@
+From 073891e8758d5b4ed9034b340fa24c687792e8f6 Mon Sep 17 00:00:00 2001
+From: Justin Ruggles <justin.ruggles at gmail.com>
+Date: Fri, 2 Mar 2012 16:10:00 -0500
+Subject: [PATCH 75/80] wmaenc: limit block_align to MAX_CODED_SUPERFRAME_SIZE
+
+This is near the theoretical limit for wma frame size and is the most that
+our decoder can handle. Allowing higher bit rates will just end up padding
+each frame with empty bytes.
+
+Fixes invalid writes for avconv when using very high bit rates.
+
+CC:libav-stable at libav.org
+(cherry picked from commit c2b8dea1828f35c808adcf12615893d5c740bc0a)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/wmaenc.c | 8 ++++++--
+ 1 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/wmaenc.c b/libavcodec/wmaenc.c
+index a9053bb..bc17f5b 100644
+--- a/libavcodec/wmaenc.c
++++ b/libavcodec/wmaenc.c
+@@ -71,8 +71,12 @@ static int encode_init(AVCodecContext * avctx){
+ for(i = 0; i < s->nb_block_sizes; i++)
+ ff_mdct_init(&s->mdct_ctx[i], s->frame_len_bits - i + 1, 0, 1.0);
+
+- avctx->block_align=
+- s->block_align= avctx->bit_rate*(int64_t)s->frame_len / (avctx->sample_rate*8);
++ s->block_align = avctx->bit_rate * (int64_t)s->frame_len /
++ (avctx->sample_rate * 8);
++ s->block_align = FFMIN(s->block_align, MAX_CODED_SUPERFRAME_SIZE);
++ avctx->block_align = s->block_align;
++ avctx->bit_rate = avctx->block_align * 8LL * avctx->sample_rate /
++ s->frame_len;
+ //av_log(NULL, AV_LOG_ERROR, "%d %d %d %d\n", s->block_align, avctx->bit_rate, s->frame_len, avctx->sample_rate);
+ avctx->frame_size= s->frame_len;
+
+--
+1.7.5.4
+
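Review bot: encode_init() now overwrites `avctx->bit_rate` from the clamped `block_align` without telling the caller, and because of integer rounding the stored value can differ from the requested one even when no clamp was applied. A warning on the clamped path would make the adjustment visible, e.g. `av_log(avctx, AV_LOG_WARNING, "bit rate limited to %d\n", avctx->bit_rate);` guarded by a comparison of the unclamped quotient with MAX_CODED_SUPERFRAME_SIZE. A short comment that the recomputation keeps `bit_rate` consistent with `block_align` would also help, since the two assignments look redundant at first read.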
diff --git a/debian/patches/post-0.8/0076-wmaenc-limit-allowed-sample-rate-to-48kHz.patch b/debian/patches/post-0.8/0076-wmaenc-limit-allowed-sample-rate-to-48kHz.patch
new file mode 100644
index 0000000..6e612d6
--- /dev/null
+++ b/debian/patches/post-0.8/0076-wmaenc-limit-allowed-sample-rate-to-48kHz.patch
@@ -0,0 +1,38 @@
+From 6a073aa7a734d4fbad77071e9f8ee0fe75a17fae Mon Sep 17 00:00:00 2001
+From: Justin Ruggles <justin.ruggles at gmail.com>
+Date: Fri, 2 Mar 2012 16:27:57 -0500
+Subject: [PATCH 76/80] wmaenc: limit allowed sample rate to 48kHz
+
+ff_wma_init() allows up to 50kHz, but this generates an exponent band
+size table that requires 65 bands. The code assumes 25 bands in many
+places, and using sample rates higher than 48kHz will lead to buffer
+overwrites.
+
+CC:libav-stable at libav.org
+(cherry picked from commit 1ec075cfecac01f9a289965db06f76365b0b1737)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/wmaenc.c | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/wmaenc.c b/libavcodec/wmaenc.c
+index bc17f5b..5135b98 100644
+--- a/libavcodec/wmaenc.c
++++ b/libavcodec/wmaenc.c
+@@ -39,6 +39,12 @@ static int encode_init(AVCodecContext * avctx){
+ return AVERROR(EINVAL);
+ }
+
++ if (avctx->sample_rate > 48000) {
++ av_log(avctx, AV_LOG_ERROR, "sample rate is too high: %d > 48kHz",
++ avctx->sample_rate);
++ return AVERROR(EINVAL);
++ }
++
+ if(avctx->bit_rate < 24*1000) {
+ av_log(avctx, AV_LOG_ERROR, "bitrate too low: got %i, need 24000 or higher\n",
+ avctx->bit_rate);
+--
+1.7.5.4
+
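Review bot: The new error string in encode_init(), `"sample rate is too high: %d > 48kHz"`, has no trailing newline, unlike the neighbouring `"bitrate too low: got %i, need 24000 or higher\n"`, so the next log message will be appended to the same line. It should read `"sample rate is too high: %d > 48kHz\n"`. The limit `48000` is also a bare literal; the commit message ties it to the 25-band assumption in the encoder, which deserves a one-line comment above the check such as `/* above 48 kHz the exponent band table exceeds the 25 bands the encoder assumes */`.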
diff --git a/debian/patches/post-0.8/0077-wmaenc-fix-m-s-stereo-encoding-for-the-first-frame.patch b/debian/patches/post-0.8/0077-wmaenc-fix-m-s-stereo-encoding-for-the-first-frame.patch
new file mode 100644
index 0000000..eb3a6bd
--- /dev/null
+++ b/debian/patches/post-0.8/0077-wmaenc-fix-m-s-stereo-encoding-for-the-first-frame.patch
@@ -0,0 +1,68 @@
+From 1128b10247739900174991b4e013429a1b8ceaa4 Mon Sep 17 00:00:00 2001
+From: Justin Ruggles <justin.ruggles at gmail.com>
+Date: Fri, 2 Mar 2012 17:11:25 -0500
+Subject: [PATCH 77/80] wmaenc: fix m/s stereo encoding for the first frame
+
+We need to set ms_stereo in encode_init() in order to avoid incorrectly
+encoding the first frame as non-m/s while flagging it as m/s. Fixes an
+uncomfortable pop in the left channel at the start of playback.
+
+CC:libav-stable at libav.org
+(cherry picked from commit 51ddf35c9017018e58c15275ff5b129647a0c94d)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/wmaenc.c | 4 +++-
+ tests/ref/acodec/wmav1 | 6 +++---
+ tests/ref/acodec/wmav2 | 6 +++---
+ 3 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/libavcodec/wmaenc.c b/libavcodec/wmaenc.c
+index 5135b98..df59cab 100644
+--- a/libavcodec/wmaenc.c
++++ b/libavcodec/wmaenc.c
+@@ -70,6 +70,8 @@ static int encode_init(AVCodecContext * avctx){
+ s->use_exp_vlc = flags2 & 0x0001;
+ s->use_bit_reservoir = flags2 & 0x0002;
+ s->use_variable_block_len = flags2 & 0x0004;
++ if (avctx->channels == 2)
++ s->ms_stereo = 1;
+
+ ff_wma_init(avctx, flags2);
+
+@@ -191,7 +193,7 @@ static int encode_block(WMACodecContext *s, float (*src_coefs)[BLOCK_MAX_SIZE],
+ }
+
+ if (s->nb_channels == 2) {
+- put_bits(&s->pb, 1, s->ms_stereo= 1);
++ put_bits(&s->pb, 1, !!s->ms_stereo);
+ }
+
+ for(ch = 0; ch < s->nb_channels; ch++) {
+diff --git a/tests/ref/acodec/wmav1 b/tests/ref/acodec/wmav1
+index 916e4a8..117aa12 100644
+--- a/tests/ref/acodec/wmav1
++++ b/tests/ref/acodec/wmav1
+@@ -1,4 +1,4 @@
+-26a7f6b0f0b7181df8df3fa589f6bf81 *./tests/data/acodec/wmav1.asf
++0260385b8a54df11ad349f9ba8240fd8 *./tests/data/acodec/wmav1.asf
+ 106004 ./tests/data/acodec/wmav1.asf
+-stddev:12245.52 PSNR: 14.57 MAXDIFF:65521 bytes: 1064960/ 1058400
+-stddev: 2095.89 PSNR: 29.90 MAXDIFF:27658 bytes: 1056768/ 1058400
++stddev:12241.90 PSNR: 14.57 MAXDIFF:65521 bytes: 1064960/ 1058400
++stddev: 2074.79 PSNR: 29.99 MAXDIFF:27658 bytes: 1056768/ 1058400
+diff --git a/tests/ref/acodec/wmav2 b/tests/ref/acodec/wmav2
+index 622b6fc..43b19b7 100644
+--- a/tests/ref/acodec/wmav2
++++ b/tests/ref/acodec/wmav2
+@@ -1,4 +1,4 @@
+-7c6c0cb692af01b312ae345723674b5f *./tests/data/acodec/wmav2.asf
++bdb4c312fb109f990be83a70f8ec9bdc *./tests/data/acodec/wmav2.asf
+ 106044 ./tests/data/acodec/wmav2.asf
+-stddev:12249.93 PSNR: 14.57 MAXDIFF:65521 bytes: 1064960/ 1058400
+-stddev: 2089.21 PSNR: 29.93 MAXDIFF:27650 bytes: 1056768/ 1058400
++stddev:12246.35 PSNR: 14.57 MAXDIFF:65521 bytes: 1064960/ 1058400
++stddev: 2068.08 PSNR: 30.02 MAXDIFF:27650 bytes: 1056768/ 1058400
+--
+1.7.5.4
+
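Review bot: In encode_init() the assignment `s->ms_stereo = 1` is placed before `ff_wma_init(avctx, flags2)` and is keyed on `avctx->channels`, while encode_block() tests `s->nb_channels`. ff_wma_init() is outside the hunk, so it is not visible whether it resets `ms_stereo` or where `nb_channels` is set. Moving the assignment after ff_wma_init() and testing the same field encode_block() uses would remove the dependence on that ordering. A comment such as `/* stereo is always coded as mid/side; must be set before the first frame is encoded */` would also record why the flag is set here.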
diff --git a/debian/patches/post-0.8/0078-h264-prevent-overreads-in-intra-PCM-decoding.patch b/debian/patches/post-0.8/0078-h264-prevent-overreads-in-intra-PCM-decoding.patch
new file mode 100644
index 0000000..52f1009
--- /dev/null
+++ b/debian/patches/post-0.8/0078-h264-prevent-overreads-in-intra-PCM-decoding.patch
@@ -0,0 +1,30 @@
+From cd17195d1c0e0f7385946506a5ad2510cf44471b Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Tue, 28 Feb 2012 18:48:27 -0800
+Subject: [PATCH 78/80] h264: prevent overreads in intra PCM decoding.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit d1604b3de96575195b219028e2c4f08b2259aa7d)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/h264_cabac.c | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/h264_cabac.c b/libavcodec/h264_cabac.c
+index 75fb02c..2ee4bc0 100644
+--- a/libavcodec/h264_cabac.c
++++ b/libavcodec/h264_cabac.c
+@@ -1996,6 +1996,8 @@ decode_intra_mb:
+ }
+
+ // The pixels are stored in the same order as levels in h->mb array.
++ if ((int) (h->cabac.bytestream_end - ptr) < mb_size)
++ return -1;
+ memcpy(h->mb, ptr, mb_size); ptr+=mb_size;
+
+ ff_init_cabac_decoder(&h->cabac, ptr, h->cabac.bytestream_end - ptr);
+--
+1.7.5.4
+
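Review bot: The new bounds check in the intra-PCM path of libavcodec/h264_cabac.c returns a bare `-1` and logs nothing, so a truncated PCM macroblock cannot be told apart from other decode failures in the log. An av_log() call at AV_LOG_ERROR before the return would help triage of malformed streams. The `(int)` cast narrows a pointer difference before the comparison; comparing without the cast, `if (h->cabac.bytestream_end - ptr < mb_size)`, avoids that, assuming `mb_size` is a signed integer (its declaration is outside the hunk). The enclosing function and the computation of `ptr` are also outside the hunk.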
diff --git a/debian/patches/post-0.8/0079-amrnbdec-check-frame-size-before-decoding.patch b/debian/patches/post-0.8/0079-amrnbdec-check-frame-size-before-decoding.patch
new file mode 100644
index 0000000..bf2bc87
--- /dev/null
+++ b/debian/patches/post-0.8/0079-amrnbdec-check-frame-size-before-decoding.patch
@@ -0,0 +1,44 @@
+From 11f3173e1bae135eb18a10b0060a5dd4b9fdcc74 Mon Sep 17 00:00:00 2001
+From: Vitor Sessak <vitor1001 at gmail.com>
+Date: Wed, 29 Feb 2012 22:09:10 +0100
+Subject: [PATCH 79/80] amrnbdec: check frame size before decoding.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+Signed-off-by: Ronald S. Bultje <rsbultje at gmail.com>
+(cherry picked from commit 882abda5a26ffb8e3d1c5852dfa7cdad0a291d2d)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/amrnbdec.c | 8 ++++++++
+ 1 files changed, 8 insertions(+), 0 deletions(-)
+
+diff --git a/libavcodec/amrnbdec.c b/libavcodec/amrnbdec.c
+index fff0e72..a7d0b4e 100644
+--- a/libavcodec/amrnbdec.c
++++ b/libavcodec/amrnbdec.c
+@@ -200,6 +200,10 @@ static enum Mode unpack_bitstream(AMRContext *p, const uint8_t *buf,
+ p->bad_frame_indicator = !get_bits1(&gb); // quality bit
+ skip_bits(&gb, 2); // two padding bits
+
++ if (mode >= N_MODES || buf_size < frame_sizes_nb[mode] + 1) {
++ return NO_DATA;
++ }
++
+ if (mode < MODE_DTX)
+ ff_amr_bit_reorder((uint16_t *) &p->frame, sizeof(AMRNBFrame), buf + 1,
+ amr_unpacking_bitmaps_per_mode[mode]);
+@@ -947,6 +951,10 @@ static int amrnb_decode_frame(AVCodecContext *avctx, void *data,
+ buf_out = (float *)p->avframe.data[0];
+
+ p->cur_frame_mode = unpack_bitstream(p, buf, buf_size);
++ if (p->cur_frame_mode == NO_DATA) {
++ av_log(avctx, AV_LOG_ERROR, "Corrupt bitstream\n");
++ return AVERROR_INVALIDDATA;
++ }
+ if (p->cur_frame_mode == MODE_DTX) {
+ av_log_missing_feature(avctx, "dtx mode", 1);
+ return -1;
+--
+1.7.5.4
+
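Review bot: unpack_bitstream() in libavcodec/amrnbdec.c now returns NO_DATA both for an out-of-range mode and for a packet shorter than `frame_sizes_nb[mode] + 1`, but its doc comment (outside the hunk) is not updated in this patch. I would add `@return the frame mode, or NO_DATA if the mode is invalid or the packet is too short` to it. Because both cases collapse into one sentinel, amrnb_decode_frame() can only log "Corrupt bitstream"; logging the mode and `buf_size` inside unpack_bitstream() before `return NO_DATA;` would keep the two cases distinguishable. NO_DATA's definition is outside the hunk, so it is worth confirming that it is not also a value a valid stream can carry.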
diff --git a/debian/patches/post-0.8/0080-cscd-use-negative-error-values-to-indicate-decode_in.patch b/debian/patches/post-0.8/0080-cscd-use-negative-error-values-to-indicate-decode_in.patch
new file mode 100644
index 0000000..24d6840
--- /dev/null
+++ b/debian/patches/post-0.8/0080-cscd-use-negative-error-values-to-indicate-decode_in.patch
@@ -0,0 +1,40 @@
+From b5331b979bfb31ec1715618b2712429764b6a9b5 Mon Sep 17 00:00:00 2001
+From: "Ronald S. Bultje" <rsbultje at gmail.com>
+Date: Wed, 29 Feb 2012 13:55:09 -0800
+Subject: [PATCH 80/80] cscd: use negative error values to indicate
+ decode_init() failures.
+
+Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
+CC: libav-stable at libav.org
+(cherry picked from commit 8a9faf33f2b4f40afbc3393b2be49867cea0c92d)
+
+Signed-off-by: Reinhard Tartler <siretart at tauware.de>
+---
+ libavcodec/cscd.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libavcodec/cscd.c b/libavcodec/cscd.c
+index 00921bc..1edab91 100644
+--- a/libavcodec/cscd.c
++++ b/libavcodec/cscd.c
+@@ -228,7 +228,7 @@ static av_cold int decode_init(AVCodecContext *avctx) {
+ av_log(avctx, AV_LOG_ERROR,
+ "CamStudio codec error: invalid depth %i bpp\n",
+ avctx->bits_per_coded_sample);
+- return 1;
++ return AVERROR_INVALIDDATA;
+ }
+ c->bpp = avctx->bits_per_coded_sample;
+ c->pic.data[0] = NULL;
+@@ -241,7 +241,7 @@ static av_cold int decode_init(AVCodecContext *avctx) {
+ c->decomp_buf = av_malloc(c->decomp_size + AV_LZO_OUTPUT_PADDING);
+ if (!c->decomp_buf) {
+ av_log(avctx, AV_LOG_ERROR, "Can't allocate decompression buffer.\n");
+- return 1;
++ return AVERROR(ENOMEM);
+ }
+ return 0;
+ }
+--
+1.7.5.4
+
diff --git a/debian/patches/series b/debian/patches/series
index 8e1e269..a87cc6a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,84 @@
01-Tweak-doxygen-config.patch
03-disable-configuration-warnings.patch
+
+# post-0.8 patches
+post-0.8/0001-lavc-add-avcodec_is_open.patch
+post-0.8/0002-lavc-make-avcodec_close-work-properly-on-unopened-co.patch
+post-0.8/0003-lavc-set-AVCodecContext.codec-in-avcodec_get_context.patch
+post-0.8/0004-qdm2-Check-data-block-size-for-bytes-to-bits-overflo.patch
+post-0.8/0005-libavcodec-Don-t-crash-in-avcodec_encode_audio-if-ti.patch
+post-0.8/0006-swscale-fix-V-plane-memory-location-in-bilinear-unsc.patch
+post-0.8/0007-h264-disallow-constrained-intra-prediction-modes-for.patch
+post-0.8/0008-ws_snd1-Fix-wrong-samples-count-and-crash.patch
+post-0.8/0009-atrac3-Fix-crash-in-tonal-component-decoding.patch
+post-0.8/0010-shorten-Use-separate-pointers-for-the-allocated-memo.patch
+post-0.8/0011-golomb-avoid-infinite-loop-on-all-zero-input-or-end-.patch
+post-0.8/0012-get_bits-add-HAVE_BITS_REMAINING-macro.patch
+post-0.8/0013-golomb-use-HAVE_BITS_REMAINING-macro-to-prevent-infl.patch
+post-0.8/0014-flac-fix-infinite-loops-on-all-zero-input-or-end-of-.patch
+post-0.8/0015-rv20-prevent-calling-ff_h263_decode_mba-with-unset-h.patch
+post-0.8/0016-wma-Clip-WMA1-and-WMA2-frame-length-to-11-bits.patch
+post-0.8/0017-aac-fix-infinite-loop-on-end-of-frame-with-sequence-.patch
+post-0.8/0018-matroskadec-Pad-AAC-extradata.patch
+post-0.8/0019-matroska-don-t-overwrite-string-values-until-read-al.patch
+post-0.8/0020-lavf-prevent-infinite-loops-while-flushing-in-avform.patch
+post-0.8/0021-smacker-Sanity-check-huffman-tables-found-in-the-hea.patch
+post-0.8/0022-vc1-prevent-null-pointer-dereference-on-broken-files.patch
+post-0.8/0023-tta-error-out-if-samplerate-is-zero.patch
+post-0.8/0024-swscale-enforce-a-minimum-filtersize.patch
+post-0.8/0025-swscale-fix-overflows-in-filterPos-calculation-for-l.patch
+post-0.8/0026-swscale-take-first-lastline-over-underflows-into-acc.patch
+post-0.8/0027-vc1-prevent-using-last_frame-as-a-reference-for-I-P-.patch
+post-0.8/0028-cook-prevent-div-by-zero-if-channels-is-zero.patch
+post-0.8/0029-als-prevent-infinite-loop-in-zero_remaining.patch
+post-0.8/0030-huffyuv-error-out-on-bit-overrun.patch
+post-0.8/0031-mp3on4-require-a-minimum-framesize.patch
+post-0.8/0032-aiff-don-t-skip-block_align-0-check-on-COMM-after-SS.patch
+post-0.8/0033-asf-prevent-packet_size_left-from-going-negative-if-.patch
+post-0.8/0034-mjpegb-don-t-return-0-at-the-end-of-frame-decoding.patch
+post-0.8/0035-wma-don-t-return-0-on-invalid-packets.patch
+post-0.8/0036-vc1parse-call-vc1_init_common.patch
+post-0.8/0037-avplay-fix-threads-option.patch
+post-0.8/0038-rmdec-when-using-INT4-deinterleaving-error-out-if-su.patch
+post-0.8/0039-truemotion2-error-out-if-the-huffman-tree-has-no-nod.patch
+post-0.8/0040-swf-check-return-values-for-av_get-new_packet.patch
+post-0.8/0041-tiff-Prevent-overreads-in-the-type_sizes-array.patch
+post-0.8/0042-mjpeg-abort-decoding-if-packet-is-too-large.patch
+post-0.8/0043-lcl-error-out-if-uncompressed-input-buffer-is-smalle.patch
+post-0.8/0044-kgv1-use-avctx-get-release_buffer.patch
+post-0.8/0045-kgv1-release-reference-picture-on-size-change.patch
+post-0.8/0046-fraps-release-reference-buffer-on-pix_fmt-change.patch
+post-0.8/0047-rm-prevent-infinite-loops-for-index-parsing.patch
+post-0.8/0048-Fix-parser-not-to-clobber-has_b_frames-when-extradat.patch
+post-0.8/0049-vorbis-fix-overflows-in-floor1-vector-and-inverse-db.patch
+post-0.8/0050-Indeo3-fix-crashes-on-corrupt-bitstreams.patch
+post-0.8/0051-oma-don-t-read-beyond-end-of-leaf_table.patch
+post-0.8/0052-mjpegbdec-Fix-overflow-in-SOS.patch
+post-0.8/0053-avutil-make-intfloat-api-public.patch
+post-0.8/0054-lavf-add-functions-for-accessing-the-fourcc-CodecID-.patch
+post-0.8/0055-asf-error-out-on-ridiculously-large-minpktsize-value.patch
+post-0.8/0056-asf-don-t-seek-back-on-EOF.patch
+post-0.8/0057-vp56-error-out-on-invalid-stream-dimensions.patch
+post-0.8/0058-swscale-fix-another-integer-overflow.patch
+post-0.8/0059-qtrle-return-error-on-decode_init-failure.patch
+post-0.8/0060-rpza-error-out-on-buffer-overreads.patch
+post-0.8/0061-vmnc-return-error-on-decode_init-failure.patch
+post-0.8/0062-huffyuv-do-not-abort-on-unknown-pix_fmt-instead-retu.patch
+post-0.8/0063-h264-error-out-on-invalid-bitdepth.patch
+post-0.8/0064-avutil-add-AVERROR_UNKNOWN.patch
+post-0.8/0065-lcl-return-negative-error-codes-on-decode_init-error.patch
+post-0.8/0066-rv10-20-Fix-a-buffer-overread-caused-by-losing-track.patch
+post-0.8/0067-wmadec-Verify-bitstream-size-makes-sense-before-call.patch
+post-0.8/0068-wma-fix-invalid-buffer-size-assumptions-causing-rand.patch
+post-0.8/0069-matroska-check-buffer-size-for-RM-style-byte-reorder.patch
+post-0.8/0070-amrwb-error-out-early-if-mode-is-invalid.patch
+post-0.8/0071-amrwb-remove-duplicate-arguments-from-extrapolate_is.patch
+post-0.8/0072-mpegts-Pad-the-packet-buffer-in-handle_packet.patch
+post-0.8/0073-mpegts-Do-not-call-read_sl_header-when-no-bytes-rema.patch
+post-0.8/0074-wmaenc-require-a-large-enough-output-buffer-to-preve.patch
+post-0.8/0075-wmaenc-limit-block_align-to-MAX_CODED_SUPERFRAME_SIZ.patch
+post-0.8/0076-wmaenc-limit-allowed-sample-rate-to-48kHz.patch
+post-0.8/0077-wmaenc-fix-m-s-stereo-encoding-for-the-first-frame.patch
+post-0.8/0078-h264-prevent-overreads-in-intra-PCM-decoding.patch
+post-0.8/0079-amrnbdec-check-frame-size-before-decoding.patch
+post-0.8/0080-cscd-use-negative-error-values-to-indicate-decode_in.patch
--
Libav/FFmpeg packaging