Merge commit 'f53490cc0c809975f8238d5a9edbd26f83bd2f84'

* commit 'f53490cc0c809975f8238d5a9edbd26f83bd2f84':
  rtpdec/srtp: Handle CSRC fields being present
  rtpdec: Check the return value from av_new_packet
  ac3dec: fix non-optimal dithering of zero bit mantissas

Conflicts:
	libavcodec/ac3dec.c
	libavformat/rtpdec.c

Merged-by: Michael Niedermayer <michaelni@gmx.at>

libavcodec/ac3dec.c

@@ -442,6 +442,7 @@ static void ac3_decode_transform_coeffs_ch(AC3DecodeContext *s, int ch_index, ma
         int mantissa;
         switch (bap) {
         case 0:
+            /* random noise with approximate range of -0.707 to 0.707 */
             if (dither)
                 mantissa = (((av_lfg_get(&s->dith_state)>>8)*181)>>8) - 5931008;
             else

libavformat/rtpdec.c

@@ -575,12 +575,12 @@ static int rtp_parse_packet_internal(RTPDemuxContext *s, AVPacket *pkt,
 {
     unsigned int ssrc;
     int payload_type, seq, flags = 0;
-    int ext;
+    int ext, csrc;
     AVStream *st;
     uint32_t timestamp;
     int rv = 0;
-    int h;
 
+    csrc         = buf[0] & 0x0f;
     ext          = buf[0] & 0x10;
     payload_type = buf[1] & 0x7f;
     if (buf[1] & 0x80)
@@ -610,14 +610,15 @@ static int rtp_parse_packet_internal(RTPDemuxContext *s, AVPacket *pkt,
             len -= padding;
     }
 
-    h = buf[0] & 0x0F;
-    buf += 4*h;
-    len -= 4*h;
-
     s->seq = seq;
     len   -= 12;
     buf   += 12;
 
+    len   -= 4 * csrc;
+    buf   += 4 * csrc;
+    if (len < 0)
+        return AVERROR_INVALIDDATA;
+
     /* RFC 3550 Section 5.3.1 RTP Header Extension handling */
     if (ext) {
         if (len < 4)
@@ -638,10 +639,8 @@ static int rtp_parse_packet_internal(RTPDemuxContext *s, AVPacket *pkt,
                                       s->st, pkt, &timestamp, buf, len, seq,
                                       flags);
     } else if (st) {
-        /* At this point, the RTP header has been stripped;
-         * This is ASSUMING that there is only 1 CSRC, which isn't wise. */
-        if (av_new_packet(pkt, len) < 0)
-            return AVERROR(ENOMEM);
+        if ((rv = av_new_packet(pkt, len)) < 0)
+            return rv;
         memcpy(pkt->data, buf, len);
         pkt->stream_index = st->index;
     } else {

libavformat/srtp.c

@@ -190,16 +190,23 @@ int ff_srtp_decrypt(struct SRTPContext *s, uint8_t *buf, int *lenptr)
         if (!(srtcp_index & 0x80000000))
             return 0;
     } else {
+        int csrc;
         s->seq_initialized = 1;
         s->seq_largest     = seq_largest;
         s->roc             = roc;
 
+        csrc = buf[0] & 0x0f;
         ext  = buf[0] & 0x10;
         ssrc = AV_RB32(buf + 8);
 
         buf += 12;
         len -= 12;
 
+        buf += 4 * csrc;
+        len -= 4 * csrc;
+        if (len < 0)
+            return AVERROR_INVALIDDATA;
+
         if (ext) {
             if (len < 4)
                 return AVERROR_INVALIDDATA;
@@ -244,7 +251,7 @@ int ff_srtp_encrypt(struct SRTPContext *s, const uint8_t *in, int len,
         buf += 8;
         len -= 8;
     } else {
-        int ext;
+        int ext, csrc;
         int seq = AV_RB16(buf + 2);
         ssrc = AV_RB32(buf + 8);
 
@@ -253,11 +260,17 @@ int ff_srtp_encrypt(struct SRTPContext *s, const uint8_t *in, int len,
         s->seq_largest = seq;
         index = seq + (((uint64_t)s->roc) << 16);
 
+        csrc = buf[0] & 0x0f;
         ext = buf[0] & 0x10;
 
         buf += 12;
         len -= 12;
 
+        buf += 4 * csrc;
+        len -= 4 * csrc;
+        if (len < 0)
+            return AVERROR_INVALIDDATA;
+
         if (ext) {
             if (len < 4)
                 return AVERROR_INVALIDDATA;