From 25a80a931a3829f9d730971dbd269aa39cc273f6 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Fri, 29 Mar 2013 12:51:51 +0100 Subject: [PATCH 1/3] matroska: pass the lace size to the matroska_parse_rm_audio Each lace must be independent according to the specification. Fix heap-buffer-overflow in matroska_parse_block for corrupted real media in mkv files. Stricter check than fc43c19a567aa945398dccb491d972c11ec2a065 CC: libav-stable@libav.org --- libavformat/matroskadec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavformat/matroskadec.c b/libavformat/matroskadec.c index 67a3308d7d..5279110312 100644 --- a/libavformat/matroskadec.c +++ b/libavformat/matroskadec.c @@ -2080,7 +2080,8 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data, st->codec->codec_id == AV_CODEC_ID_ATRAC3) && st->codec->block_align && track->audio.sub_packet_size) { - res = matroska_parse_rm_audio(matroska, track, st, data, size, + res = matroska_parse_rm_audio(matroska, track, st, data, + lace_size[n], timecode, duration, pos); if (res) goto end; @@ -2096,7 +2097,6 @@ static int matroska_parse_block(MatroskaDemuxContext *matroska, uint8_t *data, if (timecode != AV_NOPTS_VALUE) timecode = duration ? timecode + duration : AV_NOPTS_VALUE; data += lace_size[n]; - size -= lace_size[n]; } end: From dfcbe8cbd78bb682f0fdfd4d281ab825ab481caf Mon Sep 17 00:00:00 2001 From: Peter Meerwald Date: Wed, 3 Apr 2013 14:33:58 +0200 Subject: [PATCH 2/3] doc: Fix best_nb_channells typo Signed-off-by: Peter Meerwald Signed-off-by: Anton Khirnov --- libavcodec/api-example.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/api-example.c b/libavcodec/api-example.c index 949b3ef3ac..25b7cfe2a6 100644 --- a/libavcodec/api-example.c +++ b/libavcodec/api-example.c 
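Review bot: With `size -= lace_size[n];` removed in the second hunk, nothing in the visible part of the matroska_parse_block loop tracks how much of the block remains. The new `lace_size[n]` argument and the `data += lace_size[n];` advance are therefore only safe if the lace-parsing code, which is outside these hunks, already guarantees that the lace sizes sum to no more than the block size. Once that is confirmed for every lacing type, it is worth stating at the call, e.g. `/* laces are independent: bound RM audio parsing by this lace only, never by the remaining block */`. It is also worth checking that no remaining use of `size` inside or after the loop still expects the decremented value. matroska_parse_block begins and ends outside both hunks, so neither point can be verified from here.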
@@ -82,7 +82,7 @@ static int select_channel_layout(AVCodec *codec) { const uint64_t *p; uint64_t best_ch_layout = 0; - int best_nb_channells = 0; + int best_nb_channels = 0; if (!codec->channel_layouts) return AV_CH_LAYOUT_STEREO; @@ -91,9 +91,9 @@ static int select_channel_layout(AVCodec *codec) while (*p) { int nb_channels = av_get_channel_layout_nb_channels(*p); - if (nb_channels > best_nb_channells) { + if (nb_channels > best_nb_channels) { best_ch_layout = *p; - best_nb_channells = nb_channels; + best_nb_channels = nb_channels; } p++; } From bcc94328980e6c56546792ab08b0756abdce310b Mon Sep 17 00:00:00 2001 From: Anton Khirnov Date: Mon, 25 Feb 2013 12:32:49 +0100 Subject: [PATCH 3/3] opt: check the return values of av_get_token for ENOMEM. --- libavutil/opt.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/libavutil/opt.c b/libavutil/opt.c index 2cc6f6ce34..f2b947337e 100644 --- a/libavutil/opt.c +++ b/libavutil/opt.c @@ -562,9 +562,16 @@ static int parse_key_value_pair(void *ctx, const char **buf, char *val; int ret; + if (!key) + return AVERROR(ENOMEM); + if (*key && strspn(*buf, key_val_sep)) { (*buf)++; val = av_get_token(buf, pairs_sep); + if (!val) { + av_freep(&key); + return AVERROR(ENOMEM); + } } else { av_log(ctx, AV_LOG_ERROR, "Missing key or no key/value separator found after key '%s'\n", key); av_free(key);
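Review bot: In the opt.c hunk, the new `!val` branch of parse_key_value_pair releases the key with `av_freep(&key);`, while the existing else branch just below uses `av_free(key);` for the same local. Since `key` goes out of scope at the `return`, one form should be used in both places. A short comment above the first check, e.g. `/* av_get_token() returns NULL on allocation failure */`, would also explain why ENOMEM is the reported code and why the later `*key` dereference is safe. The function continues past the end of the hunk, so the remaining frees of `key` and `val` cannot be checked from here.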