From 42ad4178fd2dfa38a9a713419641c2ff41a85e98 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Mon, 24 Jun 2013 14:23:44 +0200
Subject: [PATCH 1/4] avio: Handle AVERROR_EOF in the same way as the return
 value 0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This makes sure the ffurl_read_complete function actually
returns the number of bytes read, as the documentation of the
function says, even if the underlying protocol uses AVERROR_EOF
instead of 0.

Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit 5d876be87a115b93dd2e644049e3ada2cfb5ccb7)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
---
 libavformat/avio.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavformat/avio.c b/libavformat/avio.c
index ee4dfb6c8c..cfefa60162 100644
--- a/libavformat/avio.c
+++ b/libavformat/avio.c
@@ -328,7 +328,7 @@ static inline int retry_transfer_wrapper(URLContext *h, unsigned char *buf, int
             else
                 usleep(1000);
         } else if (ret < 1)
-            return ret < 0 ? ret : len;
+            return (ret < 0 && ret != AVERROR_EOF) ? ret : len;
         if (ret)
            fast_retries = FFMAX(fast_retries, 2);
         len += ret;

From fe8b5a37d5856769e91c159b83c19578ad316f61 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Mon, 1 Jul 2013 23:38:08 +0200
Subject: [PATCH 2/4] rmdec: Use the AVIOContext given as parameter in
 rm_read_metadata()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This fixes crashes when playing back certain RealRTSP streams.

When invoked from the RTP depacketizer, the full realmedia
demuxer isn't invoked, but only certain functions from it, where
a separate AVIOContext is passed in as parameter (for the buffer
containing the data to parse). The functions called from within
those entry points should only be using that parameter, not
s->pb. In the depacketizer case, s is the RTSP context, where ->pb
is null.

Cc: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit d35b6cd3775456a23b63e73316e244b671caa02f)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
---
 libavformat/rmdec.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/libavformat/rmdec.c b/libavformat/rmdec.c
index 405162e8ca..37e18f02ac 100644
--- a/libavformat/rmdec.c
+++ b/libavformat/rmdec.c
@@ -107,13 +107,13 @@ static int rm_read_extradata(AVIOContext *pb, AVCodecContext *avctx, unsigned si
     return 0;
 }
 
-static void rm_read_metadata(AVFormatContext *s, int wide)
+static void rm_read_metadata(AVFormatContext *s, AVIOContext *pb, int wide)
 {
     char buf[1024];
     int i;
     for (i=0; i<FF_ARRAY_ELEMS(ff_rm_metadata); i++) {
-        int len = wide ? avio_rb16(s->pb) : avio_r8(s->pb);
-        get_strl(s->pb, buf, sizeof(buf), len);
+        int len = wide ? avio_rb16(pb) : avio_r8(pb);
+        get_strl(pb, buf, sizeof(buf), len);
         av_dict_set(&s->metadata, ff_rm_metadata[i], buf, 0);
     }
 }
@@ -143,7 +143,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb,
         int header_size = avio_rb16(pb);
         int64_t startpos = avio_tell(pb);
         avio_skip(pb, 14);
-        rm_read_metadata(s, 0);
+        rm_read_metadata(s, pb, 0);
         if ((startpos + header_size) >= avio_tell(pb) + 2) {
             // fourcc (should always be "lpcJ")
             avio_r8(pb);
@@ -288,7 +288,7 @@ static int rm_read_audio_stream_info(AVFormatContext *s, AVIOContext *pb,
             avio_r8(pb);
             avio_r8(pb);
             avio_r8(pb);
-            rm_read_metadata(s, 0);
+            rm_read_metadata(s, pb, 0);
         }
     }
     return 0;
@@ -474,7 +474,7 @@ static int rm_read_header(AVFormatContext *s, AVFormatParameters *ap)
             flags = avio_rb16(pb); /* flags */
             break;
         case MKTAG('C', 'O', 'N', 'T'):
-            rm_read_metadata(s, 1);
+            rm_read_metadata(s, pb, 1);
             break;
         case MKTAG('M', 'D', 'P', 'R'):
             st = avformat_new_stream(s, NULL);

From c6942a4b037476ca097036e99bb509b5e5d59128 Mon Sep 17 00:00:00 2001
From: Luca Barbato <lu_zero@gentoo.org>
Date: Thu, 27 Jun 2013 03:19:05 +0200
Subject: [PATCH 3/4] vqavideo: check the version

Prevent out of buffer write.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit c4abc9098cacb227dba39bac6aea16b2bceba0d0)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
---
 libavcodec/vqavideo.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/libavcodec/vqavideo.c b/libavcodec/vqavideo.c
index 4826650a6e..110d8b17d5 100644
--- a/libavcodec/vqavideo.c
+++ b/libavcodec/vqavideo.c
@@ -134,6 +134,17 @@ static av_cold int vqa_decode_init(AVCodecContext *avctx)
 
     /* load up the VQA parameters from the header */
     s->vqa_version = s->avctx->extradata[0];
+    switch (s->vqa_version) {
+    case 1:
+    case 2:
+        break;
+    case 3:
+        av_log_missing_feature(avctx, "VQA Version 3", 0);
+        return AVERROR_PATCHWELCOME;
+    default:
+        av_log_missing_feature(avctx, "VQA Version", 1);
+        return AVERROR_PATCHWELCOME;
+    }
     s->width = AV_RL16(&s->avctx->extradata[6]);
     s->height = AV_RL16(&s->avctx->extradata[8]);
     if(av_image_check_size(s->width, s->height, 0, avctx)){

From 26589aa81028f42c763c5581a1486a271799890b Mon Sep 17 00:00:00 2001
From: Luca Barbato <lu_zero@gentoo.org>
Date: Thu, 27 Jun 2013 04:30:20 +0200
Subject: [PATCH 4/4] westwood_vqa: do not free extradata on error in
 read_header

The extradata is already freed by avformat_open_input on
failure.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 76f5dfbfd902178df4a38221a68dc8540189345a)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
---
 libavformat/westwood.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/libavformat/westwood.c b/libavformat/westwood.c
index 82b7e94840..47e835ad10 100644
--- a/libavformat/westwood.c
+++ b/libavformat/westwood.c
@@ -240,7 +240,6 @@ static int wsvqa_read_header(AVFormatContext *s,
     header = (unsigned char *)st->codec->extradata;
     if (avio_read(pb, st->codec->extradata, VQA_HEADER_SIZE) !=
         VQA_HEADER_SIZE) {
-        av_free(st->codec->extradata);
         return AVERROR(EIO);
     }
     st->codec->width = AV_RL16(&header[6]);
@@ -279,7 +278,6 @@ static int wsvqa_read_header(AVFormatContext *s,
      * FINF has been skipped and the file will be ready to be demuxed */
     do {
         if (avio_read(pb, scratch, VQA_PREAMBLE_SIZE) != VQA_PREAMBLE_SIZE) {
-            av_free(st->codec->extradata);
             return AVERROR(EIO);
         }
         chunk_tag = AV_RB32(&scratch[0]);