Description: fix arbitrary code execution via malformed CAVS file
Origin: upstream, http://git.videolan.org/?p=ffmpeg.git;a=commit;h=4a71da0f3ab7f5542decd11c81994f849d5b2c78
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=641478

diff -Nur ffmpeg-0.6/libavcodec/cavsdec.c ffmpeg-0.6.new/libavcodec/cavsdec.c
--- ffmpeg-0.6/libavcodec/cavsdec.c	2010-04-20 10:45:34.000000000 -0400
+++ ffmpeg-0.6.new/libavcodec/cavsdec.c	2011-09-16 09:32:39.406352284 -0400
@@ -130,12 +130,14 @@
                 r++;
             mask = -(level_code & 1);
             level = (level^mask) - mask;
-        } else {
+        } else if (level_code >= 0) {
             level = r->rltab[level_code][0];
             if(!level) //end of block signal
                 break;
             run   = r->rltab[level_code][1];
             r += r->rltab[level_code][2];
+        } else {
+            break;
         }
         level_buf[i] = level;
         run_buf[i] = run;
@@ -189,7 +191,8 @@
 
 static int decode_mb_i(AVSContext *h, int cbp_code) {
     GetBitContext *gb = &h->s.gb;
-    int block, pred_mode_uv;
+    unsigned pred_mode_uv;
+    int block;
     uint8_t top[18];
     uint8_t *left = NULL;
     uint8_t *d;
@@ -445,6 +448,8 @@
     if((show_bits_long(gb,24+align) & 0xFFFFFF) == 0x000001) {
         skip_bits_long(gb,24+align);
         h->stc = get_bits(gb,8);
+        if (h->stc >= h->mb_height)
+            return 0;
         decode_slice_header(h,gb);
         return 1;
     }
@@ -659,7 +664,7 @@
     buf_end = buf + buf_size;
     for(;;) {
         buf_ptr = ff_find_start_code(buf_ptr,buf_end, &stc);
-        if(stc & 0xFFFFFE00)
+        if((stc & 0xFFFFFE00) || buf_ptr == buf_end)
             return FFMAX(0, buf_ptr - buf - s->parse_context.last_index);
         input_size = (buf_end - buf_ptr)*8;
         switch(stc) {