From 63637daa9f702b2b892cc98b071ff54e450b1bb3 Mon Sep 17 00:00:00 2001
From: Gajendra N <gajendra.n@samsung.com>
Date: Tue, 31 Jan 2023 15:37:30 +0530
Subject: [PATCH] [M108 Migration] Migrate AVAS patches

This commit squashes below avas patches and merge to M108.

References:
https://review.tizen.org/gerrit/279548
https://review.tizen.org/gerrit/279561
https://review.tizen.org/gerrit/279586
https://review.tizen.org/gerrit/279595
https://review.tizen.org/gerrit/279918
https://review.tizen.org/gerrit/282003
https://review.tizen.org/gerrit/282095
https://review.tizen.org/gerrit/282431

Change-Id: I800ae039bbbe0340a0f222582bda3fc1b8fd115b
Signed-off-by: Gajendra N <gajendra.n@samsung.com>
---
 .../third_party/glmark2/src/src/libjpeg-turbo/jchuff.c   |  2 +-
 .../angle/third_party/glmark2/src/src/libpng/pngpread.c  | 15 +++++++++++++++
 .../angle/third_party/glmark2/src/src/libpng/pngrutil.c  | 16 ++++++++++++++++
 third_party/ffmpeg/libavcodec/atrac3.c                   |  5 +++++
 third_party/ffmpeg/libavcodec/vorbis.c                   |  2 +-
 third_party/ffmpeg/libavcodec/vp8.c                      |  2 ++
 third_party/ffmpeg/libavcodec/wmalosslessdec.c           | 10 +++++++---
 third_party/ffmpeg/libavformat/rtpdec_asf.c              |  2 +-
 third_party/libevent/evdns.c                             |  2 +-
 third_party/libxml/src/HTMLparser.c                      |  2 +-
 third_party/libxml/src/parser.c                          |  2 +-
 11 files changed, 51 insertions(+), 9 deletions(-)

diff --git a/third_party/angle/third_party/glmark2/src/src/libjpeg-turbo/jchuff.c b/third_party/angle/third_party/glmark2/src/src/libjpeg-turbo/jchuff.c
index 58acd70..18fa923 100644
--- a/third_party/angle/third_party/glmark2/src/src/libjpeg-turbo/jchuff.c
+++ b/third_party/angle/third_party/glmark2/src/src/libjpeg-turbo/jchuff.c
@@ -428,7 +428,7 @@ dump_buffer (working_state *state)
  * scanning order-- 1, 8, 16, etc.), then this will produce an encoded block
  * larger than 200 bytes.
  */
-#define BUFSIZE (DCTSIZE2 * 4)
+#define BUFSIZE (DCTSIZE2 * 8)
 
 #define LOAD_BUFFER() { \
   if (state->free_in_buffer < BUFSIZE) { \
diff --git a/third_party/angle/third_party/glmark2/src/src/libpng/pngpread.c b/third_party/angle/third_party/glmark2/src/src/libpng/pngpread.c
index d066944..666c064 100644
--- a/third_party/angle/third_party/glmark2/src/src/libpng/pngpread.c
+++ b/third_party/angle/third_party/glmark2/src/src/libpng/pngpread.c
@@ -569,6 +569,21 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr)
       png_push_handle_unknown(png_ptr, info_ptr, png_ptr->push_length);
    }
 
+   if (png_memcmp(png_ptr->chunk_name, png_IDAT, 4))
+   {
+      png_alloc_size_t limit = PNG_SIZE_MAX;
+#ifdef PNG_SET_USER_LIMITS_SUPPORTED
+      if (png_ptr->user_chunk_malloc_max > 0 &&
+          png_ptr->user_chunk_malloc_max < limit)
+         limit = png_ptr->user_chunk_malloc_max;
+#elif PNG_USER_CHUNK_MALLOC_MAX > 0
+      if (PNG_USER_CHUNK_MALLOC_MAX < limit)
+         limit = PNG_USER_CHUNK_MALLOC_MAX;
+#endif
+      if (png_ptr->push_length > limit)
+         png_chunk_error(png_ptr, "chunk data is too large");
+   }
+
    png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
 }
 
diff --git a/third_party/angle/third_party/glmark2/src/src/libpng/pngrutil.c b/third_party/angle/third_party/glmark2/src/src/libpng/pngrutil.c
index 45e7ddd..d16e716 100644
--- a/third_party/angle/third_party/glmark2/src/src/libpng/pngrutil.c
+++ b/third_party/angle/third_party/glmark2/src/src/libpng/pngrutil.c
@@ -131,6 +131,22 @@ png_read_chunk_header(png_structp png_ptr)
    /* Check to see if chunk name is valid */
    png_check_chunk_name(png_ptr, png_ptr->chunk_name);
 
+   /* Check for too-large chunk length */
+   if (png_ptr->chunk_name != png_IDAT)
+   {
+      png_alloc_size_t limit = PNG_SIZE_MAX;
+#ifdef PNG_SET_USER_LIMITS_SUPPORTED
+      if (png_ptr->user_chunk_malloc_max > 0 &&
+          png_ptr->user_chunk_malloc_max < limit)
+         limit = png_ptr->user_chunk_malloc_max;
+#elif PNG_USER_CHUNK_MALLOC_MAX > 0
+      if (PNG_USER_CHUNK_MALLOC_MAX < limit)
+         limit = PNG_USER_CHUNK_MALLOC_MAX;
+#endif
+      if (length > limit)
+         png_chunk_error(png_ptr, "chunk data is too large");
+   }
+
    return length;
 }
 
diff --git a/third_party/ffmpeg/libavcodec/atrac3.c b/third_party/ffmpeg/libavcodec/atrac3.c
index 12ba55d..7e89c033 100644
--- a/third_party/ffmpeg/libavcodec/atrac3.c
+++ b/third_party/ffmpeg/libavcodec/atrac3.c
@@ -933,6 +933,11 @@ static av_cold int atrac3_decode_init(AVCodecContext *avctx)
         return AVERROR(EINVAL);
     }
 
+    if (q->coding_mode == JOINT_STEREO && avctx->channels < 2) {
+        av_log(avctx, AV_LOG_ERROR, "Invalid coding mode\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     /* Check the extradata */
 
     if (version != 4) {
diff --git a/third_party/ffmpeg/libavcodec/vorbis.c b/third_party/ffmpeg/libavcodec/vorbis.c
index cca2aa7..d8490d2 100644
--- a/third_party/ffmpeg/libavcodec/vorbis.c
+++ b/third_party/ffmpeg/libavcodec/vorbis.c
@@ -166,7 +166,7 @@ static inline void render_line_unrolled(intptr_t x, int y, int x1,
     }
 }
 
-static void render_line(int x0, int y0, int x1, int y1, float *buf)
+static void render_line(int x0, unsigned char y0, int x1, int y1, float *buf)
 {
     int dy  = y1 - y0;
     int adx = x1 - x0;
diff --git a/third_party/ffmpeg/libavcodec/vp8.c b/third_party/ffmpeg/libavcodec/vp8.c
index 07ea3c6..363f3bd 100644
--- a/third_party/ffmpeg/libavcodec/vp8.c
+++ b/third_party/ffmpeg/libavcodec/vp8.c
@@ -2661,6 +2661,8 @@ int vp78_decode_frame(AVCodecContext *avctx, AVFrame *rframe, int *got_frame,
     enum AVDiscard skip_thresh;
     VP8Frame *av_uninit(curframe), *prev_frame;
 
+    av_assert0(avctx->pix_fmt == AV_PIX_FMT_YUVA420P || avctx->pix_fmt == AV_PIX_FMT_YUV420P);
+
     if (is_vp7)
         ret = vp7_decode_frame_header(s, avpkt->data, avpkt->size);
     else
diff --git a/third_party/ffmpeg/libavcodec/wmalosslessdec.c b/third_party/ffmpeg/libavcodec/wmalosslessdec.c
index 5112b76..97e64a2 100644
--- a/third_party/ffmpeg/libavcodec/wmalosslessdec.c
+++ b/third_party/ffmpeg/libavcodec/wmalosslessdec.c
@@ -183,7 +183,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
     WmallDecodeCtx *s  = avctx->priv_data;
     uint8_t *edata_ptr = avctx->extradata;
     unsigned int channel_mask;
-    int i, log2_max_num_subframes;
+    int i, bits, log2_max_num_subframes;
 
     if (avctx->block_align <= 0 || avctx->block_align > (1<<21)) {
         av_log(avctx, AV_LOG_ERROR, "block_align is not set or invalid\n");
@@ -255,8 +255,12 @@ static av_cold int decode_init(AVCodecContext *avctx)
     s->len_prefix  = s->decode_flags & 0x40;
 
     /* get frame len */
-    s->samples_per_frame = 1 << ff_wma_get_frame_len_bits(avctx->sample_rate,
-                                                          3, s->decode_flags);
+    bits = ff_wma_get_frame_len_bits(avctx->sample_rate, 3, s->decode_flags);
+    if (bits > WMALL_BLOCK_MAX_BITS) {
+        av_log_missing_feature(avctx, "big-bits block sizes", 1);
+        return AVERROR_INVALIDDATA;
+    }
+    s->samples_per_frame = 1 << bits;
     av_assert0(s->samples_per_frame <= WMALL_BLOCK_MAX_SIZE);
 
     /* init previous block len */
diff --git a/third_party/ffmpeg/libavformat/rtpdec_asf.c b/third_party/ffmpeg/libavformat/rtpdec_asf.c
index 72ead69..bd787cf 100644
--- a/third_party/ffmpeg/libavformat/rtpdec_asf.c
+++ b/third_party/ffmpeg/libavformat/rtpdec_asf.c
@@ -259,7 +259,7 @@ static int asfrtp_parse_packet(AVFormatContext *s, PayloadContext *asf,
                 int cur_len = start_off + len_off - off;
                 int prev_len = out_len;
                 out_len += cur_len;
-                if (FFMIN(cur_len, len - off) < 0)
+                if (!asf->buf || FFMIN(cur_len, len - off) < 0)
                     return -1;
                 if ((res = av_reallocp(&asf->buf, out_len)) < 0)
                     return res;
diff --git a/third_party/libevent/evdns.c b/third_party/libevent/evdns.c
index 05fe594..d72fdaa 100644
--- a/third_party/libevent/evdns.c
+++ b/third_party/libevent/evdns.c
@@ -783,7 +783,6 @@ name_parse(u8 *packet, int length, int *idx, char *name_out, int name_out_len) {
 
 	for(;;) {
 		u8 label_len;
-		if (j >= length) return -1;
 		GET8(label_len);
 		if (!label_len) break;
 		if (label_len & 0xc0) {
@@ -804,6 +803,7 @@ name_parse(u8 *packet, int length, int *idx, char *name_out, int name_out_len) {
 			*cp++ = '.';
 		}
 		if (cp + label_len >= end) return -1;
+		if (j + label_len > length) return -1;
 		memcpy(cp, packet + j, label_len);
 		cp += label_len;
 		j += label_len;
diff --git a/third_party/libxml/src/HTMLparser.c b/third_party/libxml/src/HTMLparser.c
index fd71aee..4f6baa0 100644
--- a/third_party/libxml/src/HTMLparser.c
+++ b/third_party/libxml/src/HTMLparser.c
@@ -6294,12 +6294,12 @@ htmlParseChunk(htmlParserCtxtPtr ctxt, const char *chunk, int size,
 		size_t current = ctxt->input->cur - ctxt->input->base;
 
 		nbchars = xmlCharEncInput(in, terminate);
-		xmlBufSetInputBaseCur(in->buffer, ctxt->input, base, current);
 		if (nbchars < 0) {
 		    htmlParseErr(ctxt, XML_ERR_INVALID_ENCODING,
 			         "encoder error\n", NULL, NULL);
 		    return(XML_ERR_INVALID_ENCODING);
 		}
+		xmlBufSetInputBaseCur(in->buffer, ctxt->input, base, current);
 	    }
 	}
     }
diff --git a/third_party/libxml/src/parser.c b/third_party/libxml/src/parser.c
index fa8ff0f..f3d6b3d 100644
--- a/third_party/libxml/src/parser.c
+++ b/third_party/libxml/src/parser.c
@@ -12431,7 +12431,6 @@ xmldecl_done:
 		size_t current = ctxt->input->cur - ctxt->input->base;
 
 		nbchars = xmlCharEncInput(in, terminate);
-		xmlBufSetInputBaseCur(in->buffer, ctxt->input, base, current);
 		if (nbchars < 0) {
 		    /* TODO 2.6.0 */
 		    xmlGenericError(xmlGenericErrorContext,
@@ -12439,6 +12438,7 @@ xmldecl_done:
                     xmlHaltParser(ctxt);
 		    return(XML_ERR_INVALID_ENCODING);
 		}
+		xmlBufSetInputBaseCur(in->buffer, ctxt->input, base, current);
 	    }
 	}
     }
-- 
2.7.4