From 21bcafaafb9d6ff287cccfb000e1e6e2acd52c04 Mon Sep 17 00:00:00 2001
From: Maxime Gervais <gervais.maxime@gmail.com>
Date: Wed, 7 Oct 2020 23:51:00 +0200
Subject: [PATCH 01/10] Fix floating point exception in
 File_La::FileHeader_Parse (SF#1151)

Signed-off-by: Maxime Gervais <gervais.maxime@gmail.com>
---
 Source/MediaInfo/Audio/File_La.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Source/MediaInfo/Audio/File_La.cpp b/Source/MediaInfo/Audio/File_La.cpp
index 843639706..5c6c10197 100644
--- a/Source/MediaInfo/Audio/File_La.cpp
+++ b/Source/MediaInfo/Audio/File_La.cpp
@@ -111,7 +111,7 @@ void File_La::FileHeader_Parse()
     Get_L4 (CRC32,                                              "crc");
 
     FILLING_BEGIN();
-        if (SampleRate==0)
+        if (SampleRate==0 || Channels==0)
             return;
         Duration=((int64u)Samples/Channels)*1000/SampleRate; // Seems that it's samples per channels otherwise Duration is doubled ??!!
         if (Duration==0)

From df7b97d46fa702aa5181f82c94e55a477243c830 Mon Sep 17 00:00:00 2001
From: Maxime Gervais <gervais.maxime@gmail.com>
Date: Thu, 8 Oct 2020 16:19:39 +0200
Subject: [PATCH 02/10] Fix out of bound access in File_Dsf::fmt_ (SF#1152)

Signed-off-by: Maxime Gervais <gervais.maxime@gmail.com>
---
 Source/MediaInfo/Audio/File_Dsf.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Source/MediaInfo/Audio/File_Dsf.cpp b/Source/MediaInfo/Audio/File_Dsf.cpp
index 5df5c02c5..df087e3d3 100644
--- a/Source/MediaInfo/Audio/File_Dsf.cpp
+++ b/Source/MediaInfo/Audio/File_Dsf.cpp
@@ -255,7 +255,7 @@ void File_Dsf::fmt_()
             Fill(Stream_Audio, 0, Audio_Format, DSF_FormatID[FormatID]);
         else
             Fill(Stream_Audio, 0, Audio_Format, FormatID);
-        if (FormatID<DSF_ChannelType_Size)
+        if (ChannelType<DSF_ChannelType_Size)
         {
             Fill(Stream_Audio, 0, Audio_ChannelPositions, DSF_ChannelType[ChannelType]);
             Fill(Stream_Audio, 0, Audio_ChannelLayout, DSF_ChannelType_ChannelLayout[ChannelType]);

From 9146139515e27bf87473d4a2c56fdee4744d042f Mon Sep 17 00:00:00 2001
From: Maxime Gervais <gervais.maxime@gmail.com>
Date: Wed, 7 Oct 2020 23:23:32 +0200
Subject: [PATCH 03/10] Fix floating point exception when parsing mpeg4 files
 (SF#1131)

Signed-off-by: Maxime Gervais <gervais.maxime@gmail.com>
---
 Source/MediaInfo/Multiple/File_Mpeg4_Elements.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Source/MediaInfo/Multiple/File_Mpeg4_Elements.cpp b/Source/MediaInfo/Multiple/File_Mpeg4_Elements.cpp
index 366a1bd50..7a3b1c912 100644
--- a/Source/MediaInfo/Multiple/File_Mpeg4_Elements.cpp
+++ b/Source/MediaInfo/Multiple/File_Mpeg4_Elements.cpp
@@ -1848,7 +1848,7 @@ void File_Mpeg4::mdat_xxxx()
                                 break; //TODO: handle more complex Edit Lists
                     }
 
-                    if (FrameInfo.DTS!=(int64u)-1 && -Delay<(int64s)stts_Offset) //TODO: check potential incoherency between movie timescale and track timescale
+                    if (FrameInfo.DTS!=(int64u)-1 && -Delay<(int64s)stts_Offset && moov_mvhd_TimeScale) //TODO: check potential incoherency between movie timescale and track timescale
                         FrameInfo.DTS+=Delay*1000000000/moov_mvhd_TimeScale;
                     else
                         FrameInfo.DTS=TimeCode_DtsOffset;

From b451751b2a31d7f6457f99abaf3f4e66693ae352 Mon Sep 17 00:00:00 2001
From: Maxime Gervais <gervais.maxime@gmail.com>
Date: Fri, 9 Oct 2020 01:13:22 +0200
Subject: [PATCH 04/10] Fix integer overflow in File_AvsV::user_data_start
 (SF#1155)

Signed-off-by: Maxime Gervais <gervais.maxime@gmail.com>
---
 Source/MediaInfo/Video/File_AvsV.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Source/MediaInfo/Video/File_AvsV.cpp b/Source/MediaInfo/Video/File_AvsV.cpp
index 468f06519..c6bddac18 100644
--- a/Source/MediaInfo/Video/File_AvsV.cpp
+++ b/Source/MediaInfo/Video/File_AvsV.cpp
@@ -543,7 +543,7 @@ void File_AvsV::user_data_start()
 
     //But don't accept non-alpha caracters at the beginning (except for "3ivx")
     if (Library_End_Offset-Library_Start_Offset!=4 || CC4(Buffer+Buffer_Offset+Library_Start_Offset)!=0x33697678) //3ivx
-        while (Library_Start_Offset<Element_Size && Buffer[Buffer_Offset+Library_Start_Offset]<=0x40)
+        while (Library_Start_Offset<Library_End_Offset && Buffer[Buffer_Offset+Library_Start_Offset]<=0x40)
             Library_Start_Offset++;
 
     //Parsing

From 4b2a64ca0a36d683bb5676a8ab7f2c380ab28fb7 Mon Sep 17 00:00:00 2001
From: Maxime Gervais <gervais.maxime@gmail.com>
Date: Mon, 12 Oct 2020 10:15:04 +0200
Subject: [PATCH 05/10] Fix integer overflow in File_Ogg::Data_Parse (SF#1143)

Signed-off-by: Maxime Gervais <gervais.maxime@gmail.com>
---
 Source/MediaInfo/Multiple/File_Ogg.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Source/MediaInfo/Multiple/File_Ogg.cpp b/Source/MediaInfo/Multiple/File_Ogg.cpp
index 642cf0fd5..dd017e2d7 100644
--- a/Source/MediaInfo/Multiple/File_Ogg.cpp
+++ b/Source/MediaInfo/Multiple/File_Ogg.cpp
@@ -347,7 +347,7 @@ void File_Ogg::Data_Parse()
             if (continued || Parser->File_Offset!=Parser->File_Size)
             {
                 int64u Size=Chunk_Sizes[Chunk_Sizes_Pos];
-                if (Element_Offset+Size>Element_Size)
+                if (Size>Element_Size-Element_Offset)
                     Size=Element_Size-Element_Offset; // Shcunk size is bigger than content size, buggy file
                 Open_Buffer_Continue(Parser, Buffer+Buffer_Offset+(size_t)Element_Offset, Size);
             }

From 2fb5e46ef71c4dc7d89aa999dd829cd9c9aa1730 Mon Sep 17 00:00:00 2001
From: Maxime Gervais <gervais.maxime@gmail.com>
Date: Mon, 12 Oct 2020 11:23:27 +0200
Subject: [PATCH 06/10] Fix floating point exception in File_Pcm::Header_Parse
 (SF#1133)

Signed-off-by: Maxime Gervais <gervais.maxime@gmail.com>
---
 Source/MediaInfo/Audio/File_Pcm.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Source/MediaInfo/Audio/File_Pcm.cpp b/Source/MediaInfo/Audio/File_Pcm.cpp
index a1d76cfdc..337c79612 100644
--- a/Source/MediaInfo/Audio/File_Pcm.cpp
+++ b/Source/MediaInfo/Audio/File_Pcm.cpp
@@ -322,7 +322,7 @@ void File_Pcm::Header_Parse()
         }
     #endif //MEDIAINFO_DEMUX
 
-    if (BitDepth && Channels)
+    if (BitDepth*Channels/8)
     {
         int64u Size=(Element_Size/(BitDepth*Channels/8))*(BitDepth*Channels/8); //A complete sample
         if (Element_Size && Size==0)

From 408d30a3ac20c96dea15b3e6beaca0f6d766d315 Mon Sep 17 00:00:00 2001
From: Maxime Gervais <gervais.maxime@gmail.com>
Date: Mon, 12 Oct 2020 11:56:48 +0200
Subject: [PATCH 07/10] Fix null pointer deference in
 File_Mpeg4::meta_iprp_ipco_hvcC (SF#1132)

Signed-off-by: Maxime Gervais <gervais.maxime@gmail.com>
---
 .../Multiple/File_Mpeg4_Elements.cpp          | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/Source/MediaInfo/Multiple/File_Mpeg4_Elements.cpp b/Source/MediaInfo/Multiple/File_Mpeg4_Elements.cpp
index 7a3b1c912..ca77a46c3 100644
--- a/Source/MediaInfo/Multiple/File_Mpeg4_Elements.cpp
+++ b/Source/MediaInfo/Multiple/File_Mpeg4_Elements.cpp
@@ -2297,17 +2297,20 @@ void File_Mpeg4::meta_iprp_ipco()
 #define FILLING_BEGIN_IPCO() \
     { \
         FILLING_BEGIN(); \
-            std::vector<int32u>& Entry=meta_iprp_ipma_Entries[meta_iprp_ipco_Buffer_Size]; \
-            size_t Entry_Size=Entry.size(); \
-            int64u Element_Offset_Save=Element_Offset; \
-            for (size_t i=0; i<Entry_Size; i++) \
+            if (meta_iprp_ipco_Buffer_Size<meta_iprp_ipma_Entries.size()) \
             { \
-                moov_trak_tkhd_TrackID=Entry[i]; \
-                META_CREATESTREAM(); \
-                Element_Offset=Element_Offset_Save; \
+                std::vector<int32u>& Entry=meta_iprp_ipma_Entries[meta_iprp_ipco_Buffer_Size]; \
+                size_t Entry_Size=Entry.size(); \
+                int64u Element_Offset_Save=Element_Offset; \
+                for (size_t i=0; i<Entry_Size; i++) \
+                { \
+                    moov_trak_tkhd_TrackID=Entry[i]; \
+                    META_CREATESTREAM(); \
+                    Element_Offset=Element_Offset_Save; \
 
 #define FILLING_END_IPCO() \
-            } \
+                } \
+            }\
         FILLING_END(); \
         meta_iprp_ipco_Buffer_Size++; \
     } \

From bdee5780e1d4f53e0925d992e61bd7b46bbbd2c7 Mon Sep 17 00:00:00 2001
From: Maxime Gervais <gervais.maxime@gmail.com>
Date: Mon, 12 Oct 2020 14:38:15 +0200
Subject: [PATCH 08/10] Fix uninitialised values used in
 File_Wvpk::Data_Parse_Fill (SF#1141)

Signed-off-by: Maxime Gervais <gervais.maxime@gmail.com>
---
 Source/MediaInfo/Audio/File_Wvpk.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/Source/MediaInfo/Audio/File_Wvpk.cpp b/Source/MediaInfo/Audio/File_Wvpk.cpp
index c9cbaa824..0f4c94272 100644
--- a/Source/MediaInfo/Audio/File_Wvpk.cpp
+++ b/Source/MediaInfo/Audio/File_Wvpk.cpp
@@ -124,6 +124,10 @@ File_Wvpk::File_Wvpk()
     SamplingRate=(int8u)-1;
     num_channels=0;
     channel_mask=0;
+    mono=false;
+    hybrid=false;
+    resolution0=false;
+    resolution1=false;
 }
 
 //***************************************************************************

From 859f778c45b567c0e970234d3fb233d58940c647 Mon Sep 17 00:00:00 2001
From: Maxime Gervais <gervais.maxime@gmail.com>
Date: Tue, 13 Oct 2020 00:07:39 +0200
Subject: [PATCH 09/10] Fix global buffer overflow in
 File_Dpx::GenericSectionHeader_Dpx (SF#1140)

Signed-off-by: Maxime Gervais <gervais.maxime@gmail.com>
---
 Source/MediaInfo/Image/File_Dpx.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Source/MediaInfo/Image/File_Dpx.cpp b/Source/MediaInfo/Image/File_Dpx.cpp
index a63bd4bc1..c82377e78 100644
--- a/Source/MediaInfo/Image/File_Dpx.cpp
+++ b/Source/MediaInfo/Image/File_Dpx.cpp
@@ -697,7 +697,7 @@ void File_Dpx::GenericSectionHeader_Dpx()
     Element_Begin1("Image information");
     int32u Width, Height, PAR_H, PAR_V;
     int16u ImageElements;
-    Info_X2(ImageOrientation,                                   "Image orientation");Param_Info1(DPX_Orientation[ImageOrientation]);
+    Info_X2(ImageOrientation,                                   "Image orientation");Param_Info1(DPX_Orientation[ImageOrientation>8?8:ImageOrientation]);
     Get_X2 (ImageElements,                                      "Number of image elements");
     if (ImageElements>8)
         ImageElements=8;

From 7bab1c3a043784be2c90f2e54a0e5a8d7263eead Mon Sep 17 00:00:00 2001
From: Maxime Gervais <gervais.maxime@gmail.com>
Date: Tue, 13 Oct 2020 21:19:28 +0200
Subject: [PATCH 10/10] Fix heap overflow
 File_Gxf::ChooseParser_ChannelGrouping (SF#1154)

Signed-off-by: Maxime Gervais <gervais.maxime@gmail.com>
---
 Source/MediaInfo/Multiple/File_Gxf.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Source/MediaInfo/Multiple/File_Gxf.cpp b/Source/MediaInfo/Multiple/File_Gxf.cpp
index c917a6348..de2407fa0 100644
--- a/Source/MediaInfo/Multiple/File_Gxf.cpp
+++ b/Source/MediaInfo/Multiple/File_Gxf.cpp
@@ -1577,7 +1577,7 @@ File__Analyze* File_Gxf::ChooseParser_ChannelGrouping(int8u TrackID)
     File_ChannelGrouping* Parser;
     if (Audio_Count%2)
     {
-        if (!Streams[TrackID-1].IsChannelGrouping)
+        if (!TrackID || !Streams[TrackID-1].IsChannelGrouping)
             return NULL; //Not a channel grouping
 
         Parser=new File_ChannelGrouping;